InCountry overview for developers and DevOps - InCountry

Developers overview

Fully isolate regulated data in separate countries and manage anonymized cross-border data transfers

Developers and developer operations (DevOps) can fully isolate regulated data InCountry’s no-code Web Services Proxy, REST APIs, and deep edge services:

Transform web services on the fly with no code
Transform web services on the fly with no code
Direct existing REST web services through InCountry’s Web Services Proxy in a country to dynamically redact, anonymize, and reinsert regulated data for CRUD operations, search, and more. Easily anonymize cross-border data transfers to central data stores and applications.
Use a REST API to directly manage regulated data
Use a REST API to directly manage regulated data
Call InCountry’s REST API from either clients or servers to directly manage regulated data in a country for CRUD operations, search, reporting, and more. Then use your existing APIs to send anonymized data to central data stores and applications.
Isolate regulated data globally with vaults and deep edge services
Isolate regulated data globally with vaults and deep edge services
InCountry’s secure vaults manage regulated data with two active-active points of presence in each country and deep edge services for file management, reporting, threaded e-mail, and more.


Each InCountry point-of-presence offers secure infrastructure for an application front-end and back-end to fully isolate data within a country:
  •  InCountry Vault securely stores regulated data within a country with access policies and full audit logs.
  • Web Services Proxy and REST API provide developers and developer operations with easy-to-use interfaces to manage data and invoke deep edge services.
  • Data Firewall governs data access and uses AI data loss preventions to ensure regulated data does not leave a country.


Web Services


The InCountry Vault is the core of InCountry’s data residency solution. The vault offers:

  • A flexible schema with multiple tables, fields, and indices.
  • Policy-based access control with query filters and field masks.
  • Fine-grained access control by querying a system of record back-end application for the rows and fields a user can access.
  • Flexible field masking, tokenization, and hashing.
  • Queryable encryption using NIST standards.

Web Services Proxy

InCountry’s Web Services service enables codeless redaction and re-insertion of regulated data for existing web services. Create, Read, Update, and Delete operations are all supported by the Web Services editor in the InCountry Portal. Each redacted field can be assigned a variety of tokenization and encryption techniques. Data can also be masked algorithmically for export outside a country.

The Web Services Proxy can also perform and respond to a typical Search URL and match the format of an app’s existing search results.

An additional feature of the Web Services Proxy is anonymized cross-border data transfers that do not require storage. This is useful for use cases such as ETL and syncing between the local instance of an app and the global instance of an app.

Web Services


InCountry’s REST API is a straightforward API that can be called from either an application front-end or back-end. The REST API is familiar and easy-to-use and supports Create, Read, Update, and Delete (CRUD) operations. In addition the REST API supports detailed search, aggregate analytics, file management, and calling resident functions.

The REST API supports policy-based access control with query filters and field masks, as well as fine-grained access control by querying a system of record back-end application for the rows and fields a user can access.

Data Firewall

The InCountry Data Firewall ensures that data remains within a geographic boundary and only encrypted data or aggregate data can cross borders. The solution verifies IP addresses are within a country, invalidates existing VPN IP addresses, and confirms user permissions.

The Data Firewall also performs data loss prevention with an AI model for each source country to detect PII in the country’s native language(s), including names, addresses, and identity numbers.

Encryption & Tokenization

InCountry provides a variety of masking, tokenization, and hashing options so that cross-border data can be anonymized. Masking is accomplished with both templates and regular expressions for complex masking requirements. Generated tokens can match existing data structures and also be deterministic, where the same token is generated every time for a specific origin value. A variety of hashing options are also available.

Within the InCountry Vault, fields can be stored as a deterministic SHA-256 hash that is fully searchable, while corresponding values are stored with AES-256 encryption.

Encryption Tokenization

Identity & Authorization

For highly regulated environments, user, employee, and customer PII can be managed within InCountry and the global Identity Provider contains masked user names and e-mail addresses. The source application and identity provider specify what countries a user can access.

User authorization to data can be both policy-based and fine-grained. InCountry access policies can contain query filters, control over read/write/delete functions, and limit fields accessed. In addition, masking templates can be set at the field level. For example, an access policy for a marketing team outside of a country can be set to records less than 30 days old, read only access, and identifying fields masked with asterisks.

Fine-grained authorization for individual record and fields is enabled by using an API to an existing back-end application to filter result sets.



With records at its core, InCountry provides comprehensive support for (CRUD) Create, Read, Update, and Delete operations. CRUD operations can be performed by developers with the InCountry REST API from the front-end or back-end. Developer operations (DevOps) can implement the Web Services Proxy to dynamically redact, anonymize, and reinsert regulated data for CRUD operations.

Creating and updating records automatically returns anonymized values that can be used by an application. The anonymized values can be masked values, format-preserving, hashes, or deterministic tokens.


InCountry can match your existing web services search endpoint, and then perform the search locally within the InCountry Vault. The data stored within a country can also be extended with unregulated data that is replicated in order to perform more efficient searches. For example, if First Name and Last Name are regulated and stored within a country, but City is not, InCountry can still perform a search for Last Name = “Han” and City = “Beijing”.

The proposed results are then authorized by your application to ensure that the current user is authorized to view the records and the individual fields within each record. The results are then returned using the same JSON format your existing search web service uses to return search results.



InCountry supports both reporting of detailed regulated data within a country, and reporting of aggregated and anonymized data outside a country.

Detailed analytics within a country can combine regulated data and unregulated data, with filtering, grouping, and aggregation. Your application can continue to provide drill down functionality and users can use data they are authorized to see. For example, a Sales Manager can see the total pipeline amount by city and drill down and see each prospect.

Aggregate analytics outside a country uses InCountry’s aggregation functions so that reports running outside a country can provide aggregates of regulated data. For example, a Sales Manager can see the total pipeline amount by city, but can not drill down and see each prospect.


Data from InCountry vaults in multiple countries can be fed into a single global LLM using field-level anonymization techniques. Data fields like first and last names can be anonymized, and the LLM subsequently tokenizes the anonymized data. The LLM can then perform on a global data set, and LLM users do not have visibility into regulated data fields.
For AI insights operating directly on local data in a country, an LLM can be deployed fully within a country as a container and integrates data directly from the InCountry Vault in each country. To maintain data loss prevention in each country, the data fed into the LLM can be masked, or the container can be purged after performing its duties.

Global AI
Global AI insights from ingested anonymized local data


InCountry provides serverless functions so that code can be executed on regulated data. Use cases include validating values and performing calculations. The code execution is fully sandboxed and isolated to prevent data loss. Currently, InCountry functions support JavaScript, and existing code can be easily translated using AI code transformation.



InCountry’s e-mail service makes is possible to run global applications that do not have visibility into user e-mail addresses, names and other PII. The InCountry e-mail server can redact and unredact sensitive data from both outbound and inbound e-mails.

For outbound e-mails, e-mails with hashed e-mail addresses are sent to the InCountry SMTP with the target country, where actual e-mail addresses and other PII are inserted into the e-mail, and then it is sent on within the country. For inbound emails, the service captures e-mails and can redacts e-mail addresses and other PII and replaces the values with hashed values, so regulated data does not leave a country.



The InCountry Files service supports small files <15MB as standard HTTP attachments and large files with a REST API similar to S3. Files must be attached to a primary record in order to prevent orphaned data and support compliance requests.



The InCountry Payments service is a fully PCI DSS compliant solution that is fully localized in each country and can work with a different designated payment processor for each country. Your application does not need to attain PCI DSS compliance but can still maintain independence from payment processors and switch processors as needed by business requirements, without disrupting customer saved credit card numbers or recurring payments.


The turnkey, enterprise-grade solution for data residency

Enterprise Ready
Enterprise Ready
  • Two points-of-presence in each country with active-active failover
  • SaaS, single-tenant anywhere, AWS Outposts, and sovereign cloud options
  • Guaranteed messaging across unpredictable networks
Bank-Grade Security
Bank-Grade Security
  • Policy-based authorization and fine-grained authorization from apps
  • Secure SDLC and operations with active threat monitoring
  • Flexible masking, tokenization, and hashing, with searchable encryption using NIST standards
Global Compliance
Global Compliance
  • Data loss prevention across borders with data firewall and AI PII detection
  • Detailed support for regulatory approval in complex jurisdictions
  • Downloadable audit logs track every event