I started internal testing with TestFlight and I have the same concern. My app has an AWS backend, so yes it makes lot of calls to AWS through HTTPS. I get from the BIS site that mass-market or publicly available encryption tech should fall into EAR exemptions, but that is just what I kind of make out of it (I'm not a lawyer). I guess this setup (backend either on Google Cloud or AWS) is kind of common, not just for Apple ecosystem, it would really help just have a hint of how to proceed and play safe on the legal field.