Entities utilizing cloud applications face the challenge of complying with data residency laws and/or requirements. A data residency law restricts certain data, such as personal information, from being transmitted outside of a particular authorized jurisdiction. An authorized jurisdiction may be, for example, a particular organization and/or a particular country. Meanwhile, cloud applications that process such restricted data may utilize hardware that resides outside of the authorized jurisdiction.
Data residency proxies (DRPs) may be used to prevent restricted data from being transmitted outside of an authorized jurisdiction. A client device within an authorized jurisdiction obtains a particular set of restricted data. The client device transmits the restricted data towards a cloud application. A DRP intercepts the transmission and replaces the restricted data with one or more tokens. The DRP transmits the tokens, rather than the restricted data, to the cloud application for processing and/or storage. A token serves as a temporary replacement value for the original value of the restricted data. A token may be, for example, an arbitrary set of characteristics and/or an encrypted value of the original value of the restricted data.
DRPs ensure that client devices within an authorized jurisdiction receive the original value of the restricted data, while client devices outside of the authorized jurisdiction do not receive the original value of the restricted data. A client device within an authorized jurisdiction transmits a request for a particular set of restricted data from a cloud application. The cloud application transmits a token, corresponding to the restricted data, to a DRP. Responsive to determining that the client device is within the authorized jurisdiction, the DRP maps the token to the original value of the restricted data. The DRP transmits the original value of the restricted data to the client device. The client device may display the original value of the restricted data at an interface. Meanwhile, a client device outside of the authorized jurisdiction transmits a request for a particular set of restricted data from the cloud application. The cloud application transmits a token, corresponding to the restricted data, to the client device. The transmission may but is not necessarily intercepted by a DRP. If the DRP intercepts the transmission, the DRP does not map the token to the original value of the restricted data. The client device, which is outside of the authorized jurisdiction, receives the token, rather than the original value of the restricted data. The client device may display the token at an interface.
The approaches described in this section are approaches that could be pursued, but not necessarily approaches that have been previously conceived or pursued. Therefore, unless otherwise indicated, it should not be assumed that any of the approaches described in this section qualify as prior art merely by virtue of their inclusion in this section.