In a recent advisory opinion related to an exemption under the International Traffic In Arms Regulations, the State Department confirmed that a company could use a data security method called “tokenization” to protect export-controlled technical data stored in the cloud on servers located outside the United States, provided the company satisfied the conditions of the exemption and took “sufficient means” to prevent foreign persons from accessing such technical data. Although the advisory opinion is quite narrow in scope, it is the first publicly-available formal position from the State Department on the ITAR implications of cloud computing.