Encryption & Export Compliance

Encryption Use

CarBOS Pro uses industry-standard encryption to protect user data at rest and in transit:

• AES-256-GCM — used to encrypt generated PDF documents, buyer information, and electronic signature images before storage in our database. This is a symmetric encryption algorithm using 256-bit keys with Galois/Counter Mode for authenticated encryption.
• TLS 1.2 / 1.3 — all data transmitted between the app and our servers is encrypted in transit using Transport Layer Security.
• bcrypt / Argon2 — user passwords are hashed using industry-standard key derivation functions via Supabase Auth.

U.S. Export Compliance

This app is subject to U.S. Export Administration Regulations (EAR). The encryption used in CarBOS Pro qualifies for export under License Exception ENC (15 CFR § 740.17) for the following reasons:

• The encryption is used solely for data protection purposes — to protect user-generated documents and personal information at rest and in transit.
• The app does not provide general-purpose encryption functionality to users. Users cannot use the app to encrypt arbitrary data.
• The encryption implementation uses publicly available open-source libraries (Node.js built-in crypto module, which implements NIST-approved algorithms).
• The app is a consumer application (ECCN 5D992.c) and is available to the general public through the Apple App Store and Google Play Store.

Apple App Store Compliance

When submitting to the Apple App Store, we declare the use of encryption in our app. CarBOS Pro uses encryption that qualifies for the standard exemption provided in the App Store export compliance questionnaire:

• The app uses encryption — answer Yes
• The app qualifies for an exemption — answer Yes
• The exemption applies because the encryption is used to protect the integrity of the application and user data, using algorithms included in the iOS and macOS operating systems (pursuant to 15 CFR § 740.17(b)(3))

No annual self-classification report (CCATS) is required under these exemptions. However, we maintain this documentation in accordance with EAR recordkeeping requirements.

Google Play Compliance

Google Play similarly requires disclosure of encryption use. CarBOS Pro’s encryption qualifies as standard data protection encryption, not controlled cryptography, and does not require an export license for distribution through the Play Store.

Restricted Territories

CarBOS Pro is not available in countries subject to U.S. embargo or sanctions, including Cuba, Iran, North Korea, Syria, and the Crimea region. Distribution through the Apple App Store and Google Play Store enforces these geographic restrictions.

Contact

For questions about our encryption practices or export compliance, contact: carbillofsalepro@gmail.com