IP Geolocation for SaaS Monetization — Geo-Pricing, Tax-Routing, and Trial-Abuse Defence

Why SaaS monetization is its own axis: a modern B2B/B2C SaaS stack collects revenue across 30-60 tax jurisdictions, prices the same SKU at 4×-6× spread by purchasing-power parity (PPP), and absorbs a single-digit-percent gross-margin haircut every quarter from credit-card-testing rings, multi-trial abuse, and refund-fraud bots — all of which route through residential-proxy and datacenter IPs. The IP layer is where geo-pricing tiering, VAT/sales-tax nexus routing, and abuse-vector filtering all originate. A wrong country resolve in checkout is a tax-filing error in 90 days and a lost €60-€600/seat/year price discrimination in the meantime.

The country an IP resolves to, the ASN it belongs to, and whether it’s a known datacenter, VPN, residential-proxy, or Tor exit are inputs to four separate SaaS-monetization control surfaces:

1. Geo-pricing (PPP-adjusted price discrimination) — the same Pro tier billed €99/mo in DE/NL/FR may be €49 in PL/PT, €29 in BR/IN/ID, $79 in US, and £79 in UK. The pricing call resolves on the checkout-page first paint from country_code + currency. A residential-proxy hop from DE → BR is a €70/seat/month margin leak.
2. Tax-jurisdiction routing (VAT/GST/sales-tax) — EU OSS / IOSS for B2C ≤ €150 imports, reverse-charge for B2B with valid VIES VAT-ID, UK VAT post-Brexit, AU/SG/IN GST on digital services, and US state-level sales-tax nexus (45 states + DC have economic-nexus thresholds since Wayfair 2018). The IP-country + billing-country reconciliation is the audit trail.
3. Trial-abuse + card-testing defence — the canonical SaaS-stack pattern: a residential-proxy network rents one card across thousands of $0 free trials, then chains to a second card-testing wave at $0.01-$1 once the first trial converts. ASN + is_proxy + is_relay + risk-score catches > 80 % of these at signup.
4. Compliance feature-gates (export controls + embargo) — US BIS Entity-List + EU dual-use Annex IV + OFAC SDN + EU restrictive measures (RU/BY/IR/KP/SY etc.) all require operators to demonstrate IP-country + ASN + threat-flag screening on every new account and every feature-flag activation. “We didn’t check” is not a defence in an OFAC matter.

A single REST call to IP Geo API returns all four signal classes — country/region/currency, ASN, threat-flags (VPN/proxy/Tor/hosting/relay), risk score — on every plan, no add-on SKU, ≤40 ms median in EU.

What SaaS-monetization buyers care about (in order)

1. Checkout-latency budget ≤ 40 ms. Stripe, Adyen, and Braintree all expose < 100 ms total page-paint budgets for the checkout-route; the IP-resolve must finish in ≤ 40 ms or the geo-pricing tier renders late and conversion drops measurably (Baymard 2025 — 7-12 % checkout-abandon delta on > 200 ms first paint). IP Geo API runs on EU edges (Hetzner Frankfurt) for ≤ 30-40 ms median across DE/NL/FR/IE/ES/IT/UK, ≤ 60 ms US-EU round-trip.
2. EU residency + GDPR + DAC7 posture. DAC7 (EU Directive 2021/514) requires digital-platform operators to report seller-country + transaction-country to the relevant tax authority annually. The IP-country signal feeds both the live geo-pricing call AND the year-end DAC7 export. Customer IPs cannot be transferred to a US vendor without GDPR §28 DPA + SCCs + TIA. IP Geo API is EU-only data-flow, signed DPA in 24h, no SCCs required, DAC7-export-ready.
3. Threat fields on every plan, not a paid add-on. Most US incumbents (MaxMind, ipinfo.io, ipstack) split datacenter/VPN/proxy classification into a paid Security Module or Privacy add-on. IP Geo API ships is_vpn, is_proxy, is_tor, is_hosting, is_relay, and a numeric risk_score on the free tier — critical for catching the > 80 % of trial-abuse + card-testing traffic that originates from datacenter or residential-proxy ASNs.
4. ASN-level granularity for residential-proxy detection. The dominant SaaS-monetization fraud vector in 2025-2026 is residential-proxy networks (Bright Data, Oxylabs, Smartproxy, IPRoyal) renting consumer IPs from compromised home routers. Country-only checks pass these through; ASN + is_proxy flag catches them. We expose asn, asn_org, and is_proxy as first-class fields so your billing + signup-funnel filters can reject at ASN granularity without maintaining a list yourself.
5. Predictable EUR billing + transparent rate-limits. SaaS finance teams need a per-month EUR line-item that does not move with USD-FX. IP Geo API is monthly EUR, no annual prepay, no FX line item, rate-limits stated in req/day and req/sec with no surprise overage on the bill.

The four SaaS-monetization control surfaces, in code

1. Geo-pricing (PPP-adjusted) at checkout-page first paint

// /api/checkout/pricing.js — Node 20 / Express
// Called on every checkout-page render BEFORE the SKU + price block paints.
// Fail-soft: on classification error, fall back to USD/global default tier.
const fetch = require('undici').fetch;

const PRICING_TIERS = {
  // PPP-adjusted tier → ISO-2 country list (verified vs IMF PPP 2025)
  tier1: { price: 99, currency: 'EUR', countries: ['DE','NL','FR','BE','LU','AT','FI','SE','DK','IE','IT','ES'] },
  tier2: { price: 79, currency: 'EUR', countries: ['PT','GR','EE','SI','SK','CZ','HU','PL','HR','RO','BG','LT','LV'] },
  tier3: { price: 49, currency: 'EUR', countries: ['TR','ZA','MX','AR','CL','UY','MA','TN','RS','MK','ME','BA','AL'] },
  tier4: { price: 29, currency: 'EUR', countries: ['BR','IN','ID','PH','VN','TH','EG','NG','KE','GH','BD','PK','LK'] },
  usa:   { price: 79, currency: 'USD', countries: ['US','PR','VI','GU','MP','AS'] },
  uk:    { price: 79, currency: 'GBP', countries: ['GB','JE','GG','IM','GI'] }
};

async function resolveCheckoutPricing(req, res) {
  const ip = req.ip;
  const geo = await fetch(`https://api.ipgeo.10b.app/v1/lookup/${ip}`, {
    headers: { Authorization: `Bearer ${process.env.IPGEO_KEY}` },
    signal: AbortSignal.timeout(40)
  }).then(r => r.json()).catch(() => null);

  // Fail-soft: missing geo → USD global default
  if (!geo) return { tier: 'usa', ...PRICING_TIERS.usa, reason: 'ipgeo_unavailable' };

  // Reject PPP-tier hop via residential-proxy / VPN — fall back to billing-country
  // (set later by Stripe card-country) instead of awarding the cheap tier.
  if (geo.is_vpn || geo.is_proxy || geo.is_hosting) {
    return { tier: 'usa', ...PRICING_TIERS.usa, reason: 'circumvention_flag_fall_back_to_billing_country' };
  }

  const cc = geo.country_code;
  for (const [tier, def] of Object.entries(PRICING_TIERS)) {
    if (def.countries.includes(cc)) {
      return { tier, ...def, reason: 'country_match', countryCode: cc, asn: geo.asn };
    }
  }
  return { tier: 'usa', ...PRICING_TIERS.usa, reason: 'no_tier_match_default_usd' };
}

Why VPN/proxy/hosting fail-back to billing-country instead of awarding the cheap tier: Bright Data + Oxylabs residential proxies in BR/IN cost $4-8/GB; the price differential between EUR-tier1 (€99) and EUR-tier4 (€29) is €70/seat/month. A seat held for 12 months = €840 margin loss against $50-80 in proxy cost. Fail-back to billing-country lets Stripe’s card-issuer-country be the authoritative second signal.

2. Tax-jurisdiction routing at invoice-generation

# /billing/tax-routing.py — invoked at every subscription renewal / one-off invoice
EU_27 = {'AT','BE','BG','HR','CY','CZ','DK','EE','FI','FR','DE','GR','HU','IE','IT',
        'LV','LT','LU','MT','NL','PL','PT','RO','SK','SI','ES','SE'}
US_NEXUS = {  # 45 states + DC with economic-nexus thresholds (post-Wayfair 2018)
    'AL','AR','AZ','CA','CO','CT','DC','FL','GA','HI','IA','ID','IL','IN','KS','KY',
    'LA','MA','MD','ME','MI','MN','MO','MS','NC','ND','NE','NJ','NM','NV','NY','OH',
    'OK','PA','RI','SC','SD','TN','TX','UT','VA','VT','WA','WI','WV','WY'
}
# OFAC SDN + EU restrictive-measures embargoed (live as of 2026-Q2)
EMBARGOED = {'IR','KP','SY','CU','RU','BY'}

def route_tax_jurisdiction(geo, billing_country, vat_id_valid, region_code, sale_eur):
    # 1. Embargo hard-stop
    if geo['country_code'] in EMBARGOED or billing_country in EMBARGOED:
        return ('refuse_sale', 'embargo_match', None)

    # 2. Reconcile IP-country vs billing-country (EU OSS 2-evidence rule)
    countries = {geo['country_code'], billing_country}

    # 3. EU OSS / IOSS / reverse-charge routing
    if countries & EU_27:
        if vat_id_valid:
            return ('zero_rate_reverse_charge', 'b2b_intra_eu', countries)
        # B2C — apply destination country's VAT rate
        return ('eu_oss', 'b2c_destination_country', billing_country)

    # 4. UK post-Brexit — 20 % VAT < £8 818 / yr or registered
    if billing_country == 'GB':
        return ('uk_vat', '20_percent_post_brexit', 'GB')

    # 5. US state-level sales tax (Wayfair economic-nexus)
    if billing_country in {'US','PR','VI'}:
        if region_code in US_NEXUS:
            return ('us_sales_tax', f'nexus_state_{region_code}', region_code)
        return ('us_no_nexus', f'non_nexus_state_{region_code}', region_code)

    # 6. Other digital-service-tax jurisdictions
    if billing_country == 'AU':  return ('au_gst',  '10_percent_digital_services', 'AU')
    if billing_country == 'SG':  return ('sg_gst',  '9_percent_overseas_vendor',   'SG')
    if billing_country == 'IN':  return ('in_gst',  '18_percent_equalisation_levy','IN')
    if billing_country == 'CA':  return ('ca_gst',  '5_to_15_provincial_split',    region_code)
    if billing_country == 'NZ':  return ('nz_gst',  '15_percent_remote_services',  'NZ')
    return ('out_of_scope', 'no_jurisdiction_match', billing_country)

Why IP-country and billing-country, not either alone: EU OSS reporting (EC Regulation 282/2011 art 24f) requires two non-contradictory pieces of evidence for the customer location — IP-country, billing-address-country, card-issuer-country, SIM-MCC, or bank-account country count as valid evidence. Use just one and you fail the OSS audit; use two that disagree (IP=BR, billing=DE) and you have a circumvention indicator the tax authority will want explained.

3. Trial-abuse + card-testing defence at signup

// /signup/abuse-scoring.js — fires synchronously on POST /signup BEFORE provisioning
const RESIDENTIAL_PROXY_ASNS = new Set([
  212238, 401116,  // Bright Data / Luminati
  396982, 60068,   // Oxylabs / Cyberghost
  62240, 16276,    // Smartproxy / OVH-mixed
  35916, 174,      // IPRoyal / Cogent-mixed
  21859, 32475,    // Tier3 / Choopa-mixed (commonly residential-proxy upstream)
]);

async function scoreSignup({ email, ip, fingerprint, marketingChannel }) {
  const geo = await ipgeoLookup(ip);
  let risk = geo.risk_score;            // 0-100 baseline from IP Geo API
  const reasons = [];

  // Hard rejects
  if (geo.is_tor)                                { return { decision: 'block', risk: 100, reasons: ['tor_exit'] }; }
  if (geo.is_hosting)                            { return { decision: 'block', risk: 100, reasons: ['datacenter_ip'] }; }
  if (RESIDENTIAL_PROXY_ASNS.has(geo.asn))       { return { decision: 'block', risk: 95,  reasons: ['known_residential_proxy_asn'] }; }

  // Soft signals
  if (geo.is_vpn)                                { risk += 25; reasons.push('vpn_flag'); }
  if (geo.is_proxy)                              { risk += 30; reasons.push('proxy_flag'); }
  if (geo.is_relay)                              { risk += 10; reasons.push('relay_flag'); }

  // Velocity / device-fingerprint correlation (handled elsewhere, mentioned here for completeness)
  const trialCountForFingerprint = await trials.countByFingerprint(fingerprint, '30d');
  if (trialCountForFingerprint >= 3)             { risk += 25; reasons.push('trial_velocity_30d'); }

  // Disposable-email correlation
  if (await emails.isDisposable(email))          { risk += 20; reasons.push('disposable_email'); }

  // Marketing-channel adversarial weight (paid affiliates have higher abuse base-rate)
  if (marketingChannel && marketingChannel.startsWith('aff_'))  { risk += 5; reasons.push('affiliate_channel'); }

  if   (risk >= 80) return { decision: 'block',           risk, reasons };
  else if (risk >= 60) return { decision: 'step_up_kyc',  risk, reasons };
  else if (risk >= 40) return { decision: 'flag_for_audit', risk, reasons };
  else                 return { decision: 'allow',        risk, reasons };
}

Why ASN-block at signup, not just at first payment: card-testing rings cycle through 50-500 stolen card numbers per minute. By the time the first failed-auth fires at the PSP, the ring has consumed your free trial provisioning budget (compute, mail, SMS, free-tier API credits). Blocking at the residential-proxy ASN at the signup form (before any paid resource activates) is 100×-1000× cheaper than blocking at the PSP layer downstream.

4. Compliance feature-gates (export controls + embargo)

# /compliance/feature-gate.py — invoked on every feature-flag check + every new account
OFAC_EMBARGOED = {'IR','KP','SY','CU'}                      # OFAC comprehensive
EU_RESTRICTIVE = {'RU','BY','IR','KP','SY','MM'}            # EU CFSP measures
US_BIS_ENTITY  = {'CN','HK','MO'}                           # tightened export-control class
DUAL_USE_EU_4  = {'CN','HK','RU','BY','IR','KP','SY','MM'}  # Annex IV dual-use class

def gate_feature(account_id, feature, geo, billing_country):
    countries = {geo['country_code'], billing_country}

    if countries & OFAC_EMBARGOED:
        audit.write(account_id, feature, 'denied_ofac_embargo', countries)
        return ('deny', 'ofac_embargo_match')

    if countries & EU_RESTRICTIVE:
        audit.write(account_id, feature, 'denied_eu_restrictive', countries)
        return ('deny', 'eu_restrictive_measure_match')

    # Feature-specific tightening: encryption / AI / dual-use features need
    # extra screening for BIS Entity-List + EU Annex IV
    if feature in {'e2e_encryption', 'ai_model_export', 'data_residency_outside_eu'}:
        if countries & DUAL_USE_EU_4:
            audit.write(account_id, feature, 'denied_dual_use_annex_iv', countries)
            return ('deny', 'dual_use_annex_iv_match')

    # Datacenter / VPN traffic to high-risk feature → step-up KYC
    if (geo['is_hosting'] or geo['is_vpn']) and feature in {'admin_console','export_user_data'}:
        return ('step_up_kyc', 'high_risk_feature_via_proxy')

    return ('allow', 'pass')

Why IP-country AND billing-country for export controls: a Russian operator signing up via a German VPN with a EE-issued Wise debit card is the canonical sanctions-circumvention vector since 2022-Q1. OFAC and the EU CFSP both expect operators to screen all available country signals, not just billing-country. Failing to screen IP-country is the most-cited deficiency in OFAC enforcement actions against SaaS operators since 2023.

Pricing math for a typical SaaS monetization stack

A SaaS operator running 2 M checkout + signup + feature-gate calls/mo with an average revenue per blocked PPP-tier-hop of €70/seat/month recovers the entire Business tier (€ 99) by blocking ~2 such PPP-tier-hops per month — and that is before counting trial-abuse + card-testing cost-avoidance, which typically dwarfs the SaaS fee by 2-3 orders of magnitude.

Honest limits — what IP geolocation is not for in SaaS monetization

• It is not the primary tax-jurisdiction signal. Billing-country (Stripe customer.address.country / card-issuer BIN-country / VAT-ID country) is the authoritative tax-jurisdiction input for the EU OSS audit trail. IP-country is the second piece of evidence in the OSS 2-evidence rule, never the only one. Using IP-country alone for a VAT-rate decision is a routine OSS-audit fail.
• PPP-tier pricing must respect billing-country at conversion. It is fine to render PPP-tier-4 (€29) on the BR checkout page; it is not fine to bill a US-card-issuer customer at the BR rate just because their first checkout-page paint resolved BR. Always reconcile IP-tier vs Stripe card-issuer-country at conversion and downgrade silently or step-up KYC — do not bill the cheaper tier on a US/UK/DE-issued card.
• Mobile carrier-grade NAT (CG-NAT) blurs city/region resolution. ~15-20 % of mobile traffic in DE/IT/FR/NL resolves to the carrier hub, not the subscriber location. Country + ASN are reliable; city/region/postal granularity is not. For US-state sales-tax-nexus determination, supplement IP region with billing-address ZIP + card-issuer BIN-state.
• Apple iCloud Private Relay and Google Privacy Proxy can look residential but obscure origin country. We classify these as is_relay = true separately from is_vpn. EU OSS treats relays as opt-in privacy not circumvention; most SaaS operators apply geo-pricing fall-back to billing-country on is_relay but do not block trial signup on it.
• The MaxMind GeoIP2 traits.is_anonymous_proxy field is deprecated. If your existing tax-routing or geo-pricing logic still fires on it, your filter has been stale since 2022. The replacement is traits.is_anonymous_vpn + traits.is_hosting_provider + traits.is_tor_exit_node — IP Geo API maps these to flat is_vpn / is_hosting / is_tor fields and adds a residential-proxy is_proxy flag that MaxMind does not surface on the standard tier.

IP geolocation’s job in a SaaS-monetization stack is to cheaply route, gate, and tier so the expensive verifications (3DS2 step-up, document-KYC, dual-control export-control review, sanctions-screening provider calls) only activate for the small fraction of traffic the IP layer has already flagged as ambiguous or hostile.

Related use-cases

The SaaS-monetization surface composes from these IP Geo API use-case patterns:

• Geo pricing — ../use-cases/geo-pricing/ — PPP-adjusted tier selection, currency rendering, decoy-tier suppression, billing-country reconciliation at conversion.
• Fraud detection — ../use-cases/fraud-detection/ — trial-abuse, card-testing, refund-fraud risk scoring, residential-proxy ASN matching, disposable-email + velocity composition.
• Geoblocking & compliance — ../use-cases/geoblocking-compliance/ — OFAC SDN, EU restrictive measures, BIS Entity-List, dual-use Annex IV feature-gating with audit-grade logs.
• Visitor analytics — ../use-cases/visitor-analytics/ — cookieless attribution, country-of-revenue breakdown, channel-mix telemetry, DAC7 export prep.
• Geo personalization — ../use-cases/geo-personalization/ — language defaults, currency rendering, regional landing-page routing, locale-aware help-content.
• Bot / WAF security — ../use-cases/bot-security/ — scraper, pricing-scraper, support-impersonation-bot filtering at the IP layer before auth pipeline.

Compare IP Geo API to the providers SaaS-monetization teams evaluate

If you’re shortlisting vendors for a checkout-stack refactor, a tax-routing rebuild, or a fraud-and-abuse program audit, these head-to-heads cover the providers most often shortlisted in the IP-geolocation market:

• IP Geo API vs MaxMind — ../compare/maxmind/ — REST SaaS vs MMDB-download licensing, traits-field deprecation pain, when the binary still wins.
• IP Geo API vs ipinfo.io — ../compare/ipinfo-io/ — EU residency, EUR billing, Privacy Detection add-on vs bundled threat fields.
• IP Geo API vs ipstack — ../compare/ipstack-com/ — HTTPS-on-free, EU hosting, Security Module bundling.
• IP Geo API vs ipapi.co — ../compare/ipapi-co/ — bundled-everything pricing, attribution-backlink obligations.
• IP Geo API vs ipgeolocation.io — ../compare/ipgeolocation-io/ — separately-priced Security API SKU vs bundled threat block, USD vs EUR billing.
• IP Geo API vs IP2Location — ../compare/ip2location-com/ — REST-only managed API vs annual BIN/CSV/MMDB licensing, IP2Proxy bundling cost.
• IP Geo API vs DB-IP — ../compare/db-ip-com/ — attribution-free free tier, EU-edges-only, bundled threat detection.

Read also — narrative deep-dives

Seven 2026-dated comparison articles with code-level migration sketches and latency / pricing math at 100K / 1M / 10M req/mo:

• IP Geo API vs ipinfo.io in 2026: When the EU Alternative Wins (and When It Doesn’t) →
• IP Geo API vs MaxMind in 2026: SaaS vs DB Download — Which Stack Wins? →
• IP Geo API vs ipstack in 2026: HTTPS-on-Free, EU Hosting, and the Security Module Question →
• IP Geo API vs ipapi.co in 2026: Free-Tier Generosity vs Predictable Latency →
• IP Geo API vs ipgeolocation.io in 2026: Bundled Endpoints, Bundled Threat-Detection, and the EU-Residency Question →
• IP Geo API vs IP2Location in 2026: REST-First vs Database-Download — Which Model Wins for Your Stack? →
• IP Geo API vs DB-IP in 2026: REST-First vs DB-Download — Which EU Vendor Wins for Your Stack? →

Migration walkthroughs — drop-in code-level guides

Already on an incumbent? These step-by-step migration guides ship with field-by-field maps, code diffs, shadow-mode validation, and rollback notes:

• Migrate from MaxMind GeoIP2 to IP Geo API (2026) → — drop the weekly .mmdb sync, swap to a REST call with the same field shape.
• Migrate from ipinfo.io to IP Geo API (2026) → — loc-string parsing, org ASN+name regex split, Authorization-header edge-stripping.
• Migrate from ipstack to IP Geo API (2026) → — HTTP→HTTPS scheme flip, security.* empty-vs-populated branch behaviour.
• Migrate from ipapi.co to IP Geo API (2026) → — per-day rate-limit fragmentation, attribution-backlink scrub.
• Migrate from ipgeolocation.io to IP Geo API (2026) → — Security API SKU consolidation, apiKey-in-URL log-leak hardening.
• Migrate from IP2Location to IP Geo API (2026) → — BIN/CSV/MMDB-download decommission, IP2Proxy SKU consolidation, USD-annual-to-EUR-monthly billing migration.
• Migrate from DB-IP to IP Geo API (2026) → — MMDB/CSV-download decommission, CC-BY-4.0 attribution-backlink scrub, countryCode3 ISO-3 vs ISO-2 gotchas.

Industry deep-dives

Other vertical-specific surfaces using the same IP Geo API primitives:

• Fintech — KYC, sanctions screening, and payment fraud → — country-of-origin + ASN + threat-fields for KYC + OFAC/EU-sanctions + per-transaction risk scoring.
• Ad-tech — RTB enrichment, IVT/SIVT filtering, click fraud → — sub-40 ms bid-enrichment, datacenter ASN blocking, IAB-TCF v2.2 vendor-list readiness.
• iGaming — Licence-jurisdiction enforcement, anti-circumvention, self-exclusion → — hard-fail-closed posture for MGA/UKGC/KSA/DGOJ/ANJ/ADM/DAS, residential-proxy ASN block-list, GamStop/CRUKS/ROFUS/Spelpaus/OASIS register routing by IP-country.
• Streaming media — geo-licensing enforcement, anti-circumvention, CDN POP steering, SSAI ad-insertion → — per-territory licensing with HTTP 451 hard-fail-closed at manifest stitch + per-event sports blackout via Haversine GPS-distance, residential-proxy ASN block-list at session-init, CDN POP steering across AMS/FRA/LON/CDG/MIL/IAD/GRU + 3-tier adaptive-bitrate ladder, SSAI ad-insertion targeting with regionalised ad-pools and per-event blackout enforcement.
• E-commerce — EU OSS / UK VAT / US Wayfair tax routing, BIN-vs-IP carding, PPP-adjusted pricebook, fulfilment routing → — checkout-time tax-jurisdiction routing across EU OSS 27 destination-VAT + UK VAT 20% + US Wayfair 13-state nexus + CA per-province GST/HST + AU/SG/IN/BR/JP GST/ICMS/JCT with sanctions hard-stop on IR/KP/SY/CU/BY/RU/MM/VE, BIN-vs-IP carding + refund-fraud 6-factor weighted scoring with residential-proxy ASN block-list, PPP-adjusted 7-tier pricebook on first paint with VPN/proxy fall-back to BIN-billing-country, 9-warehouse fulfilment routing FRA/AMS/MAD/MIL/DOV/IAD/LAX/DEL/SIN with DDP/DDU duty pre-calc and lithium/aerosol/prescription destination-gates.
• Healthcare — Cross-Border Telehealth Licensing, HIPAA PHI/EPHI Access Geofencing, EU Patient-Data Residency w/ Schrems II Routing, Cross-Border Pharma + DEA Schedule Gating → — consult-init telehealth licensure match across US IMLC 41-state partial + CA/FL/NY/TX independent + EU MRPQ Directive 2005/36/EC + DE Bundesärztekammer + NL BIG + FR ONM + UK GMC w/ HTTP 451 hard-fail-closed on jurisdiction-mismatch + NO_RECIPROCITY hard-stop on IR/KP/SY/CU/BY/RU/MM/VE/AF/SO, HIPAA 45 CFR §164.308(a)(4) PHI/EPHI access geofencing w/ clinical-ASN allowlist Epic/Cerner/Allscripts/Mayo/MGH/Cleveland/Kaiser + residential-proxy ASN reject Bright Data/Oxylabs/Smartproxy/IPRoyal/Tier3 + home-office BAA-attested workstation allowlist + risk_score < 30 soft-allow, EU patient-data residency w/ GDPR Art. 9 special-category + EDPB Recommendations 01/2020 supplementary technical measures + Schrems II SCC flag for US-shard + routing to 6 EHR shards EU-FRA/EU-AMS/UK-LON/US-IAD/CA-YYZ/AU-SYD w/ VPN/proxy fall-back to EU-FRA highest protection, cross-border pharma + controlled-substance gating w/ DEA Schedules I-V + Ryan Haight Act §3 in-person-eval for telemed Rx + EU Falsified Medicines Directive 2011/62/EU originator-country audit + per-country bans for cannabis/CBD/psilocybin/MDMA/kratom.

Get started — SaaS-monetization-friendly procurement

• Free tier: 1 000 lookups / day, no credit card. Useful for pilot integration in dev / staging checkout + signup flow.
• Starter €29/mo: 33 K lookups / day, all threat fields, EU residency, ≤40 ms median latency. Sufficient for SMB SaaS in a single region.
• Business €99/mo: 500 K lookups / day, SLA-backed, priority queue, full circumvention-classification fields. Multi-region B2B SaaS coverage.
• DPA + SCCs: one-page artifact, EU-only data flows, signed in 24h — drop into your SOC 2 / ISO 27001 / GDPR Article 30 RoPA without legal review.

Sign up at https://ipgeo.10b.app/pricing and start with a sandbox key today.