So you’re a space company founder who just saw a live lunar lander simulation running in your browser and thought “holy whack-a-mole, we need this for our Series A deck.”
Then your VP of Legal sends you a Slack message with one word: ITAR.
I get it. I’ve been there (as in, yes, I’ve been messaged by lawyers). Let me save you the awkward email exchange.
The Short Answer
Yes, Veenie Kit can be self-hosted. Your mission specs never touch my servers if you don’t want them to. The sim runs entirely client-side (browser), and you can deploy the whole stack inside your own infrastructure.
No, I’m not an ITAR expert. I’m a flyboy writer who got really into orbital mechanics and now writes TypeScript instead of landing page copy. But I did lead UX and writing teams through two iterations of Redocly.com, where I picked up a few things about enterprise compliance.
Turns out aerospace security and API platform security have similar vibes: “Can this leak our secret sauce?” and “Who can see what?”
What You’re Actually Worried About
When aerospace companies see browser-based simulations, three alarms go off:
- ITAR/EAR Export Control - “Is my SpaceX competitor in China going to reverse-engineer our thruster config?”
- IP Protection - “Our engine specs are worth $50M in R&D, we can’t just… put that online”
- Compliance Audit Trail - “When the ITAR inspector shows up, can we prove data never left the building?”
Fair. These are real concerns. Here’s how Veenie Kit handles them.
The Architecture (Or: Why This Works)
Veenie Kit isn’t a web app that phones home to my servers. It’s a static site generator + physics engine that you deploy wherever you want:
Your Infrastructure:
├── SvelteKit app (static build)
├── Threlte 3D renderer (client-side WebGL)
├── Physics engine (pure TypeScript, headless)
└── Your mission data (never leaves your network)
The Firefly Blue Ghost sim you see on veenie.space? That’s the demo version with public data. Your version lives behind your VPN with your actual specs. And by the way, I built it going obsessively scrapey with public data (see my research).
Key Security Features
1. Client-Side Execution
- All physics calculations run in the browser (or your internal dashboards)
- No data sent to external servers
- No API calls to “Veenie Cloud” (there isn’t one; Venus clouds don’t count)
2. Deployment Flexibility
- Private Cloud: AWS/GCP VPC with locked-down access
- On-Premises: Your own data center, your own rules
- Air-Gapped: Docker container that never touches the internet
3. Source Code Access
- You get the full codebase (private GitHub repo)
- Audit every line if your security team wants
- Fork it, customize it, break it - it’s yours
The Pilot-Controller Pattern
Here’s where it gets interesting for the hardcore compliance folks.
The Veenie architecture uses a headless pilot-controller model - the same pattern aerospace companies use for flight computers. (Not to be confused with Pilot Comrade for ITAR purposes.)
We separate:
- Commands (high-level: “initiate descent burn”)
- Control Logic (autopilot: PID loops, guidance)
- Physics (engine: forces, trajectories, propulsion)
- UI (what you see: 3D visualization, telemetry)
This means:
- Your IP (thruster specs, flight profiles) lives in config files
- The generic physics engine is open-source quality code
- You can swap out sensitive bits without touching the core sim
- Compliance auditors can see exactly what data flows where
It’s the same reason the ISS flight computer and SpaceX’s Crew Dragon can both use the same guidance algorithms - the interface is standard, the implementation is secret sauce.
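A minimal sketch of that separation, added here as an illustration and not taken from the Veenie Kit codebase: the vehicle config is the only place spec values live, and the headless core hands the UI nothing but Telemetry records. All type names, function names and numbers are assumptions constructed for the example.

```typescript
// Added example, not Veenie Kit source. Every name and number here is constructed.

// Sensitive layer: vehicle values live only in this config object (a file in practice).
interface VehicleConfig { massKg: number; maxThrustN: number }

// Command layer: high-level intent, no vehicle data.
interface Command { kind: "INITIATE_DESCENT_BURN"; targetRateMps: number }

// UI layer contract: the only fields permitted to leave the headless core.
interface Telemetry { t: number; altitudeM: number; velocityMps: number; throttle: number }

const LUNAR_G = 1.62; // m/s^2

// Control logic: proportional rate controller with a hover feed-forward term.
function autopilot(cfg: VehicleConfig, cmd: Command, velocityMps: number): number {
  const hover = (cfg.massKg * LUNAR_G) / cfg.maxThrustN;
  const throttle = hover + 0.5 * (cmd.targetRateMps - velocityMps);
  return Math.min(1, Math.max(0, throttle));
}

// Physics: generic 1-D point mass, semi-implicit Euler. Returns [altitude, velocity].
function stepPhysics(cfg: VehicleConfig, h: number, v: number, throttle: number, dt: number): [number, number] {
  const accel = (throttle * cfg.maxThrustN) / cfg.massKg - LUNAR_G;
  const v2 = v + accel * dt;
  return [h + v2 * dt, v2];
}

// Headless run loop: config goes in, only Telemetry records come out.
function runDescent(cfg: VehicleConfig, cmd: Command, h0: number, v0: number): Telemetry[] {
  const dt = 0.1;
  const log: Telemetry[] = [];
  let h = h0, v = v0;
  for (let i = 0; h > 0 && i < 20000; i++) {
    const throttle = autopilot(cfg, cmd, v);
    [h, v] = stepPhysics(cfg, h, v, throttle, dt);
    log.push({ t: (i + 1) * dt, altitudeM: Math.max(0, h), velocityMps: v, throttle });
  }
  return log;
}

// Two interchangeable configs: placeholder data for a public demo, a stand-in for in-house values.
const demoVehicle: VehicleConfig = { massKg: 1500, maxThrustN: 6000 };
const internalVehicle: VehicleConfig = { massKg: 300, maxThrustN: 1000 }; // constructed stand-in

const burn: Command = { kind: "INITIATE_DESCENT_BURN", targetRateMps: -1 };
const demoLog = runDescent(demoVehicle, burn, 100, -10);
const internalLog = runDescent(internalVehicle, burn, 100, -10);
```

Throttle and velocity together let an observer estimate the thrust-to-mass ratio, so the telemetry schema itself belongs in the data-flow review, not just the config files.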
What You Get (Enterprise Tier)
For companies that need the compliance documentation and hand-holding:
Included in Enterprise ($15K+):
- Self-hosted deployment configs (Docker, K8s, bare metal)
- ITAR compliance consultation (I’ll intro you to actual experts)
- Private repo with access controls
- SLA + support contract
- White-label branding (no “Powered by Veenie” footer)
- Architecture documentation for your security review
What I Don’t Include (Because I’m Not a Lawyer):
- Actual ITAR classification determination
- Export license applications
- Legal opinions on your specific use case
For that, you’ll need to give Saul a call. But I can tell you exactly how the data flows so they can do their job.
The Redocly Connection
Why am I weirdly confident about enterprise deployment despite being a solo dev?
Because I used to write copy for Redocly Reef - a product that helps massive orgs like Cisco manage thousands of internal and external APIs without leaking secrets.
Same problem, different domain:
- Redocly: “Can our partner see API X but not API Y?”
- Veenie: “Can our investor demo show orbital mechanics but not thruster ISP?”
The answer in both cases: granular access control + self-hosting + audit logs.
I don’t build the compliance tools myself (there are better vendors for that), but I build the architecture that makes compliance possible.
Real Talk: What This Means for Your Purchase
If you’re a scrappy founder just trying to impress VCs:
- Buy the standard Kit ($997)
- We deploy to veenie.space with a custom subdomain
- Your actual sensitive specs stay in your pitch deck
- The sim uses “representative” (fake but realistic) data
If you’re an enterprise with ITAR concerns:
- Book the Enterprise tier ($15K+)
- I deploy to your infrastructure
- You control access (password-protect, VPN-only, whatever)
- Your security team reviews the code before it goes live
- I document the data flow for your compliance review
If you’re not sure which category you’re in:
- Email me: ivan@veenie.space
- We’ll do a 15-min call to figure it out
The Tracksuit Engineering Disclaimer
Look, I build simulations with honest-to-Newton physics because I think death-by-PDF is killing the space industry. I learned aerospace engineering by buzzing around an airfield with the world’s funniest ICAO code in a Piper Cherokee and grinding the flight dynamics in TypeScript.
I know enough about ITAR to ‘not today, FAA’, but not enough to write compliance paperwork. What I can do you for, though, is build you a simulation that your lawyers can actually evaluate. Because the code is there, in TypeScript, commented, with clear data flows.
No black boxes. No “proprietary algorithms we can’t disclose.” Just physics and good engineering and spacecraft go brrr vibes.