Geo-Fenced Data Residency

Route requests from specific countries to designated origin servers, ensuring data stays within geographic boundaries for GDPR, CCPA, and other compliance requirements.

How It Works

At the origin selection step, EdgeWrap evaluates the client's geographical location (derived from their connection IP address) against your geo-residency rules. If a matching rule is found, the request is forwarded to the rule's designated target origin instead of the default origin.

Geo Routing Flow
Client Request (Location: Germany)
  │
  ▼
Check geo-residency rules:
  │
  ├── Rule: ["DE", "FR", "IT"] → route to target: orig_eu_central  →  Route to EU origin
  ├── Rule: ["US", "CA"]       → route to target: orig_us_east     →  Route to US origin
  └── No match                 →  Route to default project origin

Dashboard Setup & Configuration

Configure Geo-Residency routing rules directly in the EdgeWrap Dashboard:

  1. Navigate to your project in the dashboard at https://app.edgewrap.pro.
  2. Go to the Data & Privacy page and select the Geo-Residency tab.
  3. Click the Add Geo-Routing Rule button.
  4. Select the target country codes (ISO-3166-1 alpha-2) that trigger the rule.
  5. Select the target destination server from your configured origins list.
  6. Toggle the rule to Enabled and click Save Rule.

API Configuration

Alternatively, you can manage Geo-Routing rules programmatically:

Param           Type                            Description
countryCodes    string[] (ISO-3166-1 alpha-2)   Country codes that trigger this rule (e.g. ['DE', 'FR', 'NL'])
targetOriginId  string                          ID of the origin to route matching requests to
isEnabled       boolean                         Toggle rule active state (default: true)

Route EU traffic to EU origin via API
curl -X POST https://server.edgewrap.pro/v1/projects/prj_abc123/geo-residency/rules \
  -H "Authorization: Bearer <your_session_token>" \
  -H "Content-Type: application/json" \
  -d '{
    "countryCodes": ["DE", "FR", "NL", "BE", "AT", "CH", "IT", "ES", "PL"],
    "targetOriginId": "orig_eu_central",
    "isEnabled": true
  }'
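
The following is an added example, not part of EdgeWrap's documentation or API: a local pre-flight audit of a rule set in the request-body shape shown above, reporting countries that must stay in-region but would fall through to the default origin. The function name, the sample rules and orig_eu_west are constructed; accepting only uppercase codes and reporting overlapping rules as conflicts are assumptions, since the page does not say how overlaps are resolved.

```python
import re

ALPHA2 = re.compile(r"[A-Z]{2}")  # assumption: uppercase codes only, as in the page's examples

# Constructed sample rules in the request-body shape shown above.
# orig_eu_west is a made-up origin ID for illustration.
RULES = [
    {"countryCodes": ["DE", "FR", "NL", "BE", "AT", "CH", "IT", "ES", "PL"],
     "targetOriginId": "orig_eu_central", "isEnabled": True},
    {"countryCodes": ["US", "CA"], "targetOriginId": "orig_us_east", "isEnabled": True},
    {"countryCodes": ["IE", "de"], "targetOriginId": "orig_eu_west", "isEnabled": False},
]

def audit_rules(rules, must_stay, allowed_origins):
    """Check a rule set locally before posting it.

    must_stay: country codes whose traffic must reach one of allowed_origins.
    Returns a dict of findings; every list empty means no issue was found.
    """
    findings = {"malformed": [], "conflicts": [], "falls_to_default": [], "wrong_origin": []}
    owner = {}  # country code -> targetOriginId of the first enabled rule listing it
    for index, rule in enumerate(rules):
        for code in rule["countryCodes"]:
            if not isinstance(code, str) or not ALPHA2.fullmatch(code):
                findings["malformed"].append((index, code))
                continue
            if not rule.get("isEnabled", True):  # page: isEnabled defaults to true
                continue  # a disabled rule routes nothing
            target = rule["targetOriginId"]
            # Rule precedence is not documented on the page, so an overlap is
            # reported instead of guessing which rule would win.
            if owner.setdefault(code, target) != target:
                findings["conflicts"].append((code, owner[code], target))
    for code in sorted(must_stay):
        if code not in owner:
            findings["falls_to_default"].append(code)  # would hit the default origin
        elif owner[code] not in allowed_origins:
            findings["wrong_origin"].append((code, owner[code]))
    return findings

if __name__ == "__main__":
    report = audit_rules(RULES, {"DE", "IE", "SE"}, {"orig_eu_central"})
    for kind, items in report.items():
        print(f"{kind}: {items}")
```

In the sample, IE appears only in a disabled rule and SE in no rule, so both are reported under falls_to_default.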

GDPR Response Masking

In addition to routing, you can configure privacy masks to redact or hash sensitive fields in response bodies before they leave EdgeWrap.

Param          Type     Description
pathPattern    string   URL path pattern to apply masking on (e.g. /api/users/*)
jsonFieldName  string   JSON field name to mask in the response body (e.g. email, ssn)
maskType       enum     sha256_hash | redact_all | partial_reveal_ends | strip_field
isEnabled      boolean  Toggle mask active state (default: true)

maskType             Input              Output
sha256_hash          "ada@example.com"  "a1b2c3d4e5f6..."
redact_all           "ada@example.com"  "[REDACTED]"
partial_reveal_ends  "ada@example.com"  "ada@*****.com"
strip_field          "ada@example.com"  (field removed from JSON)

Mask email fields via API
curl -X POST https://server.edgewrap.pro/v1/projects/prj_abc123/geo-residency/masks \
  -H "Authorization: Bearer <your_session_token>" \
  -H "Content-Type: application/json" \
  -d '{
    "pathPattern": "/api/users/*",
    "jsonFieldName": "email",
    "maskType": "partial_reveal_ends",
    "isEnabled": true
  }'

Note: Privacy masks operate on response bodies up to 4 MB. Responses larger than this limit are passed through unmasked.