The TestFlight export compliance question asks whether your app uses encryption, and you answer it permanently by adding the ITSAppUsesNonExemptEncryption key to your Info.plist. Set it to NO if your app only uses exempt encryption, which covers most apps that rely on standard HTTPS and the operating system's cryptography, and the prompt stops appearing on every build. Set it to YES only if your app uses non-exempt or custom encryption, in which case you may need export documentation and, if your app is available in France, to address French encryption declaration rules. Most apps qualify for the exemption and set the key to NO.
Short answer
Add the Boolean ITSAppUsesNonExemptEncryption key to your Info.plist to answer the export compliance question once rather than on every upload. Per Apple's encryption export documentation, set it to NO if your app uses only exempt encryption, such as standard HTTPS through the system APIs, which is true for most apps. Set it to YES if you use non-exempt or custom encryption, which may require export documentation and annual reports. If your app uses non-exempt encryption and is available in France, you may also need to satisfy French encryption declaration requirements, which Apple asks about in the compliance flow. When unsure, confirm your app relies only on standard encryption before setting NO.
What the export compliance question is
The export compliance prompt appears because apps are subject to encryption export regulations, and Apple has to record whether your app uses encryption before it can be distributed, including through TestFlight. Each time you upload a build, App Store Connect asks whether your app uses encryption, and until you answer it permanently, it keeps asking on every submission.
The prompt is not about your app's quality or security; it is a regulatory declaration. Governments regulate the export of encryption, so Apple collects this answer to comply on your behalf and, where needed, to point you at the documentation you must provide. Understanding that it is a compliance question, not a technical one, is why the clean way to handle it is to declare the answer once in your project rather than clicking through it each time.
Which Info.plist key to use
The key is ITSAppUsesNonExemptEncryption, a Boolean you add to your Info.plist. Setting it pre-answers the export compliance question so App Store Connect stops prompting you on each upload. A value of NO declares that your app does not use non-exempt encryption, and a value of YES declares that it does.
Add it as a single entry: the key ITSAppUsesNonExemptEncryption with a Boolean value. For most apps the correct value is NO, because they rely only on exempt encryption. Once the key is in your Info.plist and the build is uploaded, the repetitive prompt disappears, which is the main practical benefit of setting it rather than answering interactively every time.
Do you qualify for the exemption?
Most apps qualify to set the key to NO, because they use only encryption that is exempt under the regulations. Standard HTTPS and TLS provided through the operating system, encryption used only for authentication, and the platform's built-in cryptography generally fall within the exemptions, so an app that just talks to its backend over HTTPS and does not implement its own cryptography typically qualifies.
You do not qualify for the simple NO if your app implements or uses non-exempt encryption, such as proprietary or custom cryptographic algorithms, or certain uses beyond the standard exemptions. The line can be subtle, so if your app does anything with encryption beyond relying on the system's standard secure networking, confirm your specific case against Apple's guidance, and where it is genuinely unclear, seek qualified advice rather than guessing at a legal declaration.
What YES means: documentation and reports
If your app does use non-exempt encryption, setting the key to YES is only the start, because you may then owe export documentation. Depending on your situation, this can include obtaining the appropriate authorization from the relevant export authority and filing annual self-classification reports. Apple's export compliance flow guides you toward what is required, but the obligation is yours.
This is why you should not casually declare YES to be safe; the honest answer determines real obligations, and declaring encryption you do not use creates paperwork you do not need, while declaring NO when you should have said YES misstates a regulatory answer. Determine your actual encryption use, set the key to match, and if it is YES, follow through on the documentation the regulations require rather than treating the declaration as the end of it.
French encryption laws
France has specific rules for apps that use encryption, and Apple's export compliance workflow asks whether your app is available there for that reason. If your app uses non-exempt encryption and is offered in France, you may need to comply with French encryption declaration requirements, which are separate from the United States export rules and involve a declaration to the relevant French authority.
For most apps that qualify for the exemption and set the key to NO, this does not apply, because the France question is tied to non-exempt encryption. But if you answered YES and distribute in France, treat the French requirement as a real step to check rather than skip. As with the rest of export compliance, this is a legal matter, so confirm your obligations against current guidance and, where the situation is unclear, get advice specific to your app.
Values compared
The key has a small set of choices with clear meanings. The table below lays them out.
| Value | What it declares | Typical use |
|---|---|---|
| NO | The app uses only exempt encryption | Most apps, standard HTTPS |
| YES | The app uses non-exempt encryption | Custom or proprietary cryptography |
| Not set | No permanent answer, prompts each upload | Not recommended |
Read the table to place your app. If it relies only on standard secure networking, NO is the value and the prompt goes away; if it uses non-exempt encryption, YES is the honest value and it brings additional obligations; and leaving the key unset just means answering the prompt on every build.
Setup checklist
A short sequence handles export compliance cleanly. The checklist below covers it.
| Check | Action | Done? |
|---|---|---|
| Assess your crypto | Determine whether you use only exempt encryption | [ ] |
| Set the key | Add ITSAppUsesNonExemptEncryption with the honest value | [ ] |
| Documentation | Obtain export documentation if you declared YES | [ ] |
| France | Address the French declaration if it applies | [ ] |
| Verify | Confirm the prompt no longer appears on upload | [ ] |
The step that matters most is assessing your actual encryption use honestly before setting the value, since the key is a regulatory declaration rather than a convenience toggle. Once it is set correctly, the repetitive prompt is gone and your compliance answer is recorded consistently for every build, which also removes a small but recurring source of friction from your release process.
Scan before you submit
Export compliance answers a legal question about encryption, but it says nothing about whether your app is otherwise secure, and the two are easy to conflate. An app can be perfectly compliant on export and still have security issues, such as cleartext traffic that undermines the very encryption the declaration assumes, unjustified permissions, or an embedded secret.
A scanner like PTKD.com analyzes your .ipa and reports findings ordered by severity and mapped to OWASP MASVS, so you catch those issues before submission. To be clear about the boundary: PTKD does not make your export compliance declaration or file French paperwork. It checks the build's actual security posture, which is a separate concern from the regulatory question the ITSAppUsesNonExemptEncryption key answers.
What to take away
- Answer the export compliance question once by adding the Boolean ITSAppUsesNonExemptEncryption key to your Info.plist.
- Set it to NO if your app uses only exempt encryption, such as standard HTTPS, which covers most apps and stops the prompt.
- Set it to YES only if you use non-exempt or custom encryption, which may require export documentation and annual reports.
- If you use non-exempt encryption and distribute in France, you may also need to satisfy French encryption declaration requirements.
- The key is a legal declaration, not a toggle; assess your encryption honestly, and scan your build with PTKD.com for the separate matter of app security.




