And unlike some sales of questionable tools, Circinus wouldn't just wash its hands of responsibility the moment it clinched a deal. In a pitch to Cyprus, the contractor advertised the ongoing involvement of a US-based team that would hide Cyprus' use of the surveillance program. If anyone got nosy, they'd see the activity coming from the States.
It's not certain which of the named governments received presentations, which Circinus prepared between 2016 and 2017. It's also uncertain how many took them up on the offer, or whether the technology lived up to its billing. The New York Times observed in March that Broidy had been using his Trump connections to pitch government clients, but that wouldn't guarantee success. The company responded to Intercept's concerns with claims that it ran a "rigorous compliance program with continuous review," and that it focused on "external actors" like extremists and hostile foreign governments.
However, that's just the company's stated focus, not what it's willing to do. It's not certain what (if anything) the company might do to stop a government from targeting its own citizens, especially with phrasing that hints it would track down internal critics, not violent outsiders. There don't appear to be firm rules against selling surveillance tools to countries with seriously flawed human rights track records, and that by itself may be reason for concern.