Yes, persons seeking to export items to Iran or conduct other activities in support of internet freedom in Iran that are not authorized by GL D-2 or other authorizations are encouraged to submit a specific license application to OFAC. 

A cloud-based service or software provider whose non-Iranian customers provide services or software to persons in Iran via the cloud may rely upon the authorization in GL D-2 to provide access to Iran, provided that such provider conducts due diligence based on information available to it in the ordinary course of business to confirm that the non-Iranian customer: (1) is not a person whose property and interests in property are blocked, except as authorized under paragraph (a)(6) of GL D-2; and (2) provides software and services that fall within one of the categories described in FAQ 1087, or otherwise involve activity authorized or exempt under the ITSR.

In instances where cloud-based services or software are used to support the exportation of services or software to Iran authorized under GL D-2, OFAC does not generally expect a cloud-based service or software provider to evaluate the ultimate end use or end user of the authorized software or services, provided the cloud-based provider conducts due diligence based on information available to it in the ordinary course of business.  For example, if a cloud-based service or software provider supports non-Iranian customers providing access in Iran to news websites or Virtual Private Networks (VPNs) that fall within one of the categories described in FAQ 1087, the cloud-based service or software provider need not evaluate whether the provision of access via the cloud involving Iranian end users is related to communication.  By contrast, if a U.S. cloud-based service or software provider supports non-Iranian customers providing certain enterprise management software to Iran, such as payroll management software, the cloud-based service or software provider would be expected to evaluate whether its support of the software is a prohibited export of software or services to Iran because payroll management software is not generally considered a qualifying software incident to communications. 

Please note that GL D-2 does not authorize the importation into the United States of Iranian-origin software or the dealing in such software, including the hosting of Iranian-origin software on a mobile application store.  Persons seeking to engage in such activity may submit applications for specific licenses to OFAC that describe the nature of the software and the Iranian developers involved.  
 

Yes.  Paragraph (a)(1) of GL D-2 authorizes the exportation to Iran of fee-based or no-cost cloud-based services incident to the exchange of communications over the Internet.  In addition, paragraph (a)(2) of GL D-2 authorizes the exportation to Iran of cloud-based software that is incident to, or enables services incident to, communications over the Internet.  Software exported under paragraph (a)(2) of GL D-2 either: (i) must be designated as EAR99 under the Export Administration Regulations, 15 CFR parts 730 through 774 (EAR), or classified under Export Control Classification Number (ECCN) 5D992.c; or (ii) if the software is not subject to the EAR because it is of foreign origin, must be the type of software that would be designated EAR99 or classified under ECCN 5D992.c if it were located in the United States.

For purposes of GL D-2, cloud-based services and software are determined to be incident to the exchange of communications over the Internet when they are used to support transactions authorized or exempt under the Iranian Transactions and Sanctions Regulations (ITSR), 31 CFR part 560, including the following categories of activities: 

• instant messaging, chat, email, social networking, sharing of photos and movies, web browsing, blogging, social media platforms, collaboration platforms, video conferencing, e-gaming platforms, e-learning platforms, automated translation, web maps, and user authentication services; 
• software and services listed in the categories (6) through (11) of the Annex of GL D-2, including anti-virus and anti-malware software, anti-tracking software, mobile operating systems and related software, anti-censorship tools and related software; Virtual Private Network (VPN) client software and related software; and provisioning and verification software for Secure Sockets Layers (SSL) certificates and related software, provided that the software meets the relevant conditions of GL D-2, including applicable export control classification-related criteria; 
• transactions that are exempt from the prohibitions of the ITSR, including news outlets and media websites covered by the exemption for information or informational materials in section 560.210(c) of the ITSR; and
• other transactions authorized under the ITSR, such as transactions necessary and ordinarily incident to publishing authorized pursuant to section 560.538, transactions for the conduct of the official business of certain international organizations pursuant to section 560.539, the sale and exportation of agricultural commodities, medicine, medical devices, and certain software and services pursuant to section 560.530, and transactions authorized pursuant to any general or specific licenses issued under the ITSR. 

Please note that paragraph (a)(1) of GL D-2 does not authorize the exportation of cloud-based services or software to the Government of Iran, except as specified in paragraph (a)(6) of GL D-2.