Overview of services
InCountry Data Residency-as-a-Service (DRaaS) bundles a variety of services designed for robust and easy integration of data residency capabilities into your web application. Below you can find the full list of such services, as well as their description and principles of operation.
Border
Find more details about the Border service.
InCountry’s Border service enables codeless redaction and re-insertion of regulated data for existing web services. Create, Read, Update, and Delete operations are all supported by the Web Services editor in the InCountry Portal. Each redacted field can be assigned a variety of tokenization and encryption techniques. Data can also be masked algorithmically for export outside a country.
An additional feature of the Web Services service is to enable data transformation with tokenization and masking without any storage, which is useful for use cases such as data pipeline and IoT.
This service implements data residency flows, as follows:
Redaction: The service redacts request payloads containing sensitive and regulated data, providing masked or redacted values to the application backend for saving. The sensitive and regulated data is then saved to the InCountry Vault, which resides in the country of origin.
Unredaction: The service unredacts a response body containing masked values, swapping them with clear-text values fetched from the InCountry Vault and returning them to the client browser in the same country of origin.
InCountry Border is the fastest and simplest way to implement data residency within your web application, helping you stay compliant in countries with stringent data regulations.
Search
Find more details about the Search service.
InCountry can match your existing web services search endpoint, and then perform the search locally within the InCountry Vault. The data stored within a country can also be extended with unregulated data that is replicated in order to perform more efficient searches. For example, if First Name and Last Name are regulated and stored within a country, but City is not, InCountry can still perform a search for Last Name = “Han” and City = “Beijing”.
The proposed results are then authorized by your application to ensure that the current user is authorized to view the records and the individual fields within each record. The results are then returned using the same JSON format your existing search web service uses to return search results.
Functions
Find more details about the Functions service.
InCountry Data Residency-as-a-Service has been engineered to meet the most comprehensive compliance scenarios, particularly those where regulated data cannot be transferred across borders due to legal restrictions. This can make processing regulated data outside of its country of origin extremely challenging.
InCountry provides resident functions (serverless) so that code can be executed on regulated data. Use cases include validating values and performing calculations. The code execution is fully sandboxed and isolated to prevent data loss. Currently, InCountry functions support JavaScript, and existing code can be easily translated using AI code transformation.
These resident functions are executed within the InCountry Vault and return the result to the application without revealing original regulated data. This solution greatly enhances the compliance of your application and extends the borders of its operability without setting up an additional operating server in the country with stringent data requirements. Usage of resident functions helps you adhere to local regulations and fully comply with data protection and localization laws in the country where the data originates.
Identity
Find more details about the Identity service.
While InCountry manages the application’s regulated data for a particular country, the source application continues to provide user authentication and authorizes all actions and data access. The source application and identity provider specify what countries a user can access and continue to provide Role-Based Access Control (RBAC), Attribute-Based Access Control (ABAC), and Policy-Based Access Control (PBAC). Using the existing user model is critical as it can be very difficult to replicate and maintain cloned access policies, especially for applications with fine-grained access controls.
For highly regulated environments, user, employee, and customer PII can be managed within InCountry and the global Identity Provider contains masked user names and email addresses.
InCountry DRaaS provides robust mechanisms to integrate its services with your RBAC, ABAC, and PBAC policies, so the same user’s request authorization mechanics will be preserved within your web application, which the InCountry Vault will return only records and specific fields the current uses is allowed to view or process.
Encryption and Tokenization
Find more details about the Encryption & Tokenization service.
InCountry provides a variety of encryption, tokenization, hashing, and pseudonymization capabilities that are specified at the field level. Tokenization can be deterministic, where the same token is generated every time for a specific origin value. Pseudonymization features include modifying numerical values and flexible data masking using regular expressions..
The dedicated service allows you to properly safeguard sensitive data with a variety of techniques, as follows:
Encryption: This is the default method for securing data in the InCountry Vault. It uses the AES-256 symmetric encryption algorithm to encrypt the full record body.
Tokenization: This method always produces a unique token (a non-repeated set of alphanumeric characters) for the input value, even when tokenizing the same value several times. This token cannot be attributed to the original value, so your sensitive data cannot be revealed even if the token is exposed in your system. The deterministic tokenization is also included, so it can produce the same token for the same input value each time you request it.
Hashing: This method produces meaningless values containing a random sequence of alphanumeric characters for input values with the SHA-256 hashing algorithm. The produced hashes are irreversible and you can customize the hashing algorithm to produce redacted values matching common data patterns subject to validation (like URL, email, phone number, and so on).
Pseudonymization: This method lets you hide sensitive information from original values by applying different techniques and mechanics to process data, such as:
Nulling out: This replaces sensitive values with a null or blank value. For example,
John BlackbecomesREDACTED.Number and date variance: This changes sensitive values to other values, such as changing
5/15/1987to1/1/1777.Masking: This replaces sensitive values with masked values, such as
4886 1456 4589 4221becoming4886 **** **** 4221or1-800-600-1234becoming1-800-************.
InCountry DRaaS encrypts and redacts original values so output values cannot be traced back to original values. The full record in the encrypted form is saved to the InCountry Vault, while redacted values are returned back to your application, so you can save them in your application database along with non-regulated data. When retrieving a specific record or a subset of records, the InCountry Vault queries the requested records and decrypts them, returning clear-text values to your application frontend.
Reporting
Find more details about the Reporting service.
InCountry provides two reporting use cases. Reporting of detailed regulated data within a country, and reporting of aggregated and anonymized data outside a country.
Detailed reporting within a country can combine regulated data and unregulated data, with filtering, grouping, and aggregation. Your application can continue to provide drill down functionality and users can use data they are authorized to see. For example, a Sales Manager can see the total pipeline amount by city and drill down and see each prospect.
Aggregate reporting outside a country uses InCountry’s aggregation functions so that reports running outside a country can provide aggregates of regulated data. For example, a Sales Manager can see the total pipeline amount by city, but can not drill down and see each prospect.
Files
Find more details about the Files service.
In most cases, businesses need to store supporting documents alongside regulated data records in their systems. If you localize a piece of regulated data, you need to keep the related documents in the country of origin as well, or you may face compliance problems.
The InCountry Files service supports small files <15MB as standard HTTP attachments and large files with the REST API similar to S3. Files must be attached to a primary record in order to prevent orphaned data and support compliance requests.
Stored files are mapped to parent data records, so you can quickly and easily query the required records and all their related files from the InCountry DRaaS.
E-Mail
Find more details about the E-Mail service.
Email has become an essential communication channel for businesses of all sizes. It is used to interact with customers, send updates and promotions, and notify about important events. However, compliance requirements can make it difficult to use email effectively.
InCountry’s e-mail service makes is possible to run global applications that do not have visibility into user e-mail addresses, names and other PII. The InCountry e-mail server can redact and unredact sensitive data from both outbound and inbound e-mails.
For outbound e-mails, e-mails with hashed e-mail addresses are sent to the InCountry SMTP with the target country, where actual e-mail addresses and other PII are inserted into the e-mail, and then it is sent on within the country. For inbound emails, the service captures e-mails and can redact e-mail addresses and other PII and replaces the values with hashed values, so regulated data does not leave a country.
InCountry Data Residency-as-a-Service also supports mass email campaigns to recipients living in countries with stringent data regulations. This allows you to send email campaigns through the most popular marketing automation platforms and stay compliant with minimal changes to your regular workflows.
Payments
Find more details about the Payments service.
The InCountry Payments service is a fully PCI DSS compliant solution that is fully localized in each country and can work with a different designated payment processor for each country. Your application does not need to attain PCI DSS compliance but can still maintain independence from payment processors and switch processors as needed by business requirements, without disrupting customer saved credit card numbers or recurring payments.
Payment Vault captures payment card data and stores it in the InCountry Vault. Your application only receives non-identifiable tokens that cannot be traced back to the original payment card.
In addition to securing payment card data, Payment Vault also localizes sensitive payment data in its country of origin, so you no longer need to worry about violating financial compliance requirements like in India. Payment Vault allows you to handle payment card data effectively, secure it in a highly-protected data vault, and query it when processing single or recurring payments from your customers.
