Geoblocking & Compliance (GDPR, OFAC, Export Controls)

Block, allow, or warn — legally, auditably, and with a paper trail.

If you handle regulated data (healthcare, finance, defense), operate under export controls, or need to honour EU digital-services rules, you must be able to prove which jurisdiction each request came from. IP geolocation is the cheapest, fastest first-layer check for all of this.

The business problem

Four compliance regimes commonly force geoblocking:

• OFAC / sanctions lists — Cuba, Iran, North Korea, Syria, occupied regions of Ukraine, etc. US-incorporated companies risk secondary sanctions for serving these regions.
• GDPR / NIS2 — data-localization or EU-only cohorts of personal data.
• US export controls (EAR, ITAR) — crypto libraries, defense tech, dual-use goods.
• Content licensing — streaming, gambling, and content platforms with per-country licenses.

Missing the block = fines, license revocation, or criminal liability. Blocking incorrectly = lost revenue and reputational damage. IP geolocation gives you a defensible, logged decision at request time.

Implementation

Express / Node.js middleware

import { ipgeoLookup } from "./lib/ipgeo.js";

const OFAC_BLOCKED = new Set(["CU", "IR", "KP", "SY"]);
const EU_ONLY_ROUTES = ["/eu/patients", "/eu/finance"];

export async function complianceMiddleware(req, res, next) {
  const ip = req.headers["x-forwarded-for"]?.split(",")[0] || req.socket.remoteAddress;
  const geo = await ipgeoLookup(ip);

  // Log every compliance decision for audit
  req.log.info({ ip, country: geo.country_code, is_eu: geo.is_eu, path: req.path }, "geo_check");

  if (OFAC_BLOCKED.has(geo.country_code)) {
    res.status(451).json({ error: "Service unavailable in your region" });
    return;
  }

  if (EU_ONLY_ROUTES.some(p => req.path.startsWith(p)) && !geo.is_eu) {
    res.status(403).json({ error: "EU residents only" });
    return;
  }

  req.geo = geo;
  next();
}

Python / Flask

from flask import request, abort
import requests, os

BLOCKED = {"CU", "IR", "KP", "SY"}

@app.before_request
def geoblock():
    ip = request.headers.get("X-Forwarded-For", request.remote_addr).split(",")[0]
    geo = requests.get(
        f"https://api.ipgeo.10b.app/v1/lookup/{ip}",
        headers={"Authorization": f"Bearer {os.environ['IPGEO_API_KEY']}"},
        timeout=2
    ).json()

    app.logger.info("geo_check ip=%s country=%s path=%s", ip, geo["country_code"], request.path)

    if geo["country_code"] in BLOCKED:
        abort(451)  # 451 Unavailable For Legal Reasons — RFC 7725

Return HTTP 451 Unavailable For Legal Reasons for regulated blocks — it’s the RFC-7725 status code explicitly designed for legal blocks and search engines respect it.

Why IP Geo API for this use case

• ISO-3166 country codes — match the codes used in OFAC, EU sanctions lists, and export-control regs verbatim.
• EU membership flag (is_eu) — single field, no maintenance of your own member-state list (removes Brexit-style bugs).
• Continent, subdivision, and timezone included — covers more than half of geoblocking policies (“EU except UK”, “EMEA”, “APAC”) with one lookup.
• Logged responses — every API call is logged server-side for 90 days; your compliance auditor can request a raw-response audit trail.
• No third-country data transfer — all lookups processed on EU infrastructure (Hetzner Nürnberg + Cloudflare EU edge). No US processor = no Standard Contractual Clauses required.

Pricing math

A compliance check at the edge (Cloudflare Workers, Vercel Edge, Netlify Edge) is cached aggressively, so 10 M requests/mo may only translate to ~100 K IP lookups. Most compliance deployments fit in Starter.

Honest trade-offs

• IP geolocation is not a sanctions-grade identity check. A user in a blocked country can use a VPN; a user in a clean country can still be on the sanctions list by name. Use IP geo as a layered control, not the only control. For KYC/AML, combine with name-screening (OFAC SDN list) and document verification.
• Maps are subject to political change. Disputed territories (Crimea, Western Sahara, Taiwan) have politically-loaded codes. If your counsel has an opinion, document the mapping rule in your compliance manual.
• IPv6 coverage. Ensure your provider resolves IPv6 — IP Geo API does, but some legacy providers fall back to country-only for IPv6.
• The right tool for streaming/content licensing is a dedicated anti-VPN provider. IP geolocation alone will leak ~1-3% of determined users through residential proxies. For DRM-grade enforcement, add a residential-proxy detection layer.

Related use cases

• Bot / WAF security — ./bot-security.md
• Fraud detection — ./fraud-detection.md
• Geo-pricing / localization — ./geo-pricing.md

Related comparisons

• ../seo-pages/vs-maxmind.md — many compliance teams use MaxMind; our TCO comparison shows when we win.
• ../seo-pages/vs-ipinfo-io.md — ipinfo’s US processing may require SCC paperwork for EU customers; our EU-only processing removes that.

Read also

Five narrative deep-dives comparing IP Geo API to the providers most often shortlisted in the IP-geolocation market:

• IP Geo API vs ipinfo.io in 2026: When the EU Alternative Wins (and When It Doesn’t) → — code-level migration sketch + 2026 pricing math at 100K / 1M / 10M req/mo.
• IP Geo API vs MaxMind in 2026: SaaS vs DB Download — Which Stack Wins? → — when GeoIP2 binary still wins, when EU-hosted SaaS wins, and how the math changes at 1M+ req/mo.
• IP Geo API vs ipstack in 2026: HTTPS-on-Free, EU Hosting, and the Security Module Question → — why HTTP-only free tiers break browser-side calls, bundled threat-detection vs add-on Security Module.
• IP Geo API vs ipapi.co in 2026: Free-Tier Generosity vs Predictable Latency → — how the bundled-everything pricing model plays out at 100K / 1M req/mo.
• IP Geo API vs ipgeolocation.io in 2026: Bundled Endpoints, Bundled Threat-Detection, and the EU-Residency Question → — separately-priced Security API vs bundled threat block, USD vs EUR billing, ~600B vs ~1.4KB payload.
• IP Geo API vs IP2Location in 2026: REST-First vs Database-Download — Which Model Wins for Your Stack? → — REST-only managed API vs annual BIN/CSV/MMDB licensing, IP2Proxy bundling cost, EU residency.
• IP Geo API vs DB-IP in 2026: REST-First vs DB-Download — Which EU Vendor Wins for Your Stack? → — attribution-free free tier, EU-edges-only, bundled threat detection vs per-axis subscription stack.

Plus seven hands-on migration guides for teams switching from an incumbent provider — code-level field-shape walkthroughs, edge-cache patterns, and rollback notes:

• Migrate from MaxMind GeoIP2 to IP Geo API (2026 walkthrough) → — drop the weekly .mmdb sync, swap to a REST call with the same field shape, edge-cache patterns + CSV→JSON field map.
• Migrate from ipinfo.io to IP Geo API (2026 walkthrough) → — loc-string parsing, org ASN+name regex split, and Authorization-header edge-stripping gotchas.
• Migrate from ipstack to IP Geo API (2026 walkthrough) → — HTTP→HTTPS scheme flip, security.* empty-vs-populated branch behaviour, connection.asn integer typing.
• Migrate from ipapi.co to IP Geo API (2026 walkthrough) → — per-day rate-limit fragmentation, org ASN+name regex, attribution-backlink scrub for paid-tier customers.
• Migrate from ipgeolocation.io to IP Geo API (2026 walkthrough) → — separately-billed Security API SKU consolidation, apiKey-in-URL log-leak hardening, and latitude/longitude string-vs-number gotchas.
• Migrate from IP2Location to IP Geo API (2026 walkthrough) → — BIN/CSV/MMDB-download decommission, IP2Proxy SKU consolidation, USD-annual-prepay-to-EUR-monthly billing migration, and proxy_type enum-vs-split-booleans gotchas.
• Migrate from DB-IP to IP Geo API (2026 walkthrough) → — MMDB/CSV-download decommission, IP-to-Threat / Anonymous / Datacenter SKU consolidation, CC-BY-4.0 attribution-backlink scrub, and countryCode3 ISO-3 vs ISO-2 gotchas.

Get started

Free tier: 1 000 lookups / day → /pricing. Sign up at https://ipgeo.10b.app/pricing.

Industry deep-dives

• IP Geolocation for Fintech — KYC, Sanctions Screening, Fraud, and EU Residency → — fintech-specific deep-dive: the three IP-control surfaces (KYC country-of-origin, OFAC/EU sanctions, payment-fraud risk), EU-hosted GDPR posture, EUR billing, ASN-level hosting detection, and ≤40 ms median EU-edge latency for 800-1200 ms PSP authorisation budgets.

• IP Geolocation for Ad-Tech — RTB Enrichment, SIVT/IVT Filtering, and Click-Fraud Attribution → — ad-tech-specific deep-dive: the three IP-control surfaces (RTB bid enrichment with ≤40 ms latency budget + OpenRTB 2.6 device.geo/device.ext, SIVT/IVT filtering with IAB-confirmed datacenter ASN block-list, click-fraud post-back attribution + risk scoring), EU-hosted GDPR + ePrivacy + IAB-TCF v2.2 posture, bundled threat fields, ASN-level granularity, and predictable EUR billing.

• IP Geolocation for iGaming — Licence-Jurisdiction Enforcement, VPN-Circumvention Scoring, and Self-Exclusion Register Routing → — iGaming-specific deep-dive: the three IP-control surfaces (licence-jurisdiction enforcement with hard-fail-closed posture across MGA/UKGC/KSA/DGOJ/ANJ/ADM/DAS, anti-circumvention scoring with residential-proxy ASN block-list covering Bright Data + Oxylabs + Smartproxy + IPRoyal, self-exclusion register routing to GamStop/CRUKS/ROFUS/Spelpaus/OASIS by IP-country), EU-hosted GDPR + EGBA posture, bundled threat fields, ASN-level granularity, and predictable EUR billing.

• IP Geolocation for SaaS Monetization — Geo-Pricing, EU-VAT/DAC7 Tax-Routing, Trial-Abuse Scoring, and OFAC/EAR Export-Controls → — SaaS-specific deep-dive: the four IP-control surfaces (PPP-anchored geo-pricing with ≤40 ms checkout-flow budget, EU-VAT-MOSS + OECD DAC7 tax-routing to the right Stripe/Adyen/Braintree/Paddle tax-id, trial-abuse detection with residential-proxy ASN block-list across Bright Data/Oxylabs/Smartproxy/IPRoyal, and OFAC SDN + EAR export-controls feature-gating), EU-hosted GDPR posture, bundled threat fields, ASN-level granularity, and predictable EUR billing.

• IP Geolocation for Streaming Media — Content Licensing, VPN-Bypass Defence, CDN POP Steering, and SSAI Ad-Insertion → — Streaming-media-specific deep-dive: the four IP-control surfaces (per-territory licensing enforcement with hard-fail-closed HTTP 451 on ambiguous resolve, VPN/proxy/Tor circumvention defence with residential-proxy ASN block-list across Bright Data/Oxylabs/Smartproxy/IPRoyal, CDN POP steering and adaptive bitrate-ladder selection across Akamai/Cloudflare/Fastly/BunnyCDN/Lumen, and SSAI ad-insertion targeting with sports blackout windows via Haversine GPS-distance), ≤40 ms session-init budget on EU edges, studio-grade 24-month audit trail, threat fields on every plan, ASN-level granularity, and EU-hosted GDPR + AVMSD (Directive 2018/1808) posture.

• IP Geolocation for E-commerce — Tax-Jurisdiction Routing, BIN-vs-IP Carding Defence, PPP-Adjusted Currency Display, and Shipping-Zone Fulfilment Routing → — E-commerce-specific deep-dive: the four IP-control surfaces (EU OSS distance-sales 27-rate map + UK VAT 20% + CH-VAT 7.7% + NO MVA 25% + US Wayfair 13-state nexus + CA GST/HST per-province + AU/SG/IN/BR/JP GST/ICMS/JCT with sanctions hard-stop on IR/KP/SY/CU/BY/RU/MM/VE at checkout; BIN-vs-IP carding + refund-fraud 6-factor weighted score at place-order with residential-proxy ASN block-list across Bright Data/Oxylabs/Smartproxy/IPRoyal/Tier3; PPP-adjusted 7-tier pricebook on first paint with VPN/proxy fall-back to BIN-billing-country; 9-warehouse fulfilment routing FRA/AMS/MAD/MIL/DOV/IAD/LAX/DEL/SIN with DDP/DDU duty pre-calc and lithium/aerosol/prescription destination-gates), ≤40 ms checkout-first-paint budget, DAC7/GDPR/EU OSS audit posture, bundled threat fields on every plan, ASN-level granularity, and EUR billing.

• IP Geolocation for Healthcare — Cross-Border Telehealth Licensing, HIPAA PHI/EPHI Access Geofencing, EU Patient-Data Residency w/ Schrems II Routing, and Cross-Border Pharma + DEA Schedule Gating → — Healthcare-specific deep-dive: the four IP-control surfaces (cross-border telehealth licensure match at consult-init w/ US IMLC 41-state partial + CA/FL/NY/TX independent + EU MRPQ Directive 2005/36/EC + DE Bundesärztekammer + NL BIG + FR ONM + UK GMC + HTTP 451 hard-fail-closed on jurisdiction-mismatch + NO_RECIPROCITY hard-stop on IR/KP/SY/CU/BY/RU/MM/VE/AF/SO; HIPAA 45 CFR §164.308(a)(4) PHI/EPHI access geofencing w/ clinical-ASN allowlist Epic/Cerner/Allscripts/Mayo/MGH/Cleveland/Kaiser + residential-proxy ASN reject Bright Data/Oxylabs/Smartproxy/IPRoyal/Tier3 + home-office BAA-attested workstation allowlist + risk_score < 30 soft-allow; EU patient-data residency w/ GDPR Art. 9 special-category + EDPB Recommendations 01/2020 supplementary technical measures + Schrems II SCC flag for US-shard + routing to 6 EHR shards EU-FRA/EU-AMS/UK-LON/US-IAD/CA-YYZ/AU-SYD w/ VPN/proxy → fall-back to EU-FRA highest protection; cross-border pharma + controlled-substance gating w/ DEA Schedules I-V + Ryan Haight Act §3 in-person-eval requirement for telemed Rx + EU Falsified Medicines Directive 2011/62/EU originator-country audit + per-country bans for cannabis/CBD/psilocybin/MDMA/kratom), ≤40 ms consult-init budget, HIPAA/GDPR Art. 9/Schrems II/DEA/EU FMD audit posture, bundled threat fields on every plan, ASN-level granularity, and EUR billing.

• IP Geolocation for Travel + Hospitality — Geo-Rate Enforcement + Dynamic-Pricing per Booking Origin, OTA Carding + ATO Defence, OFAC/EU CONSILIUM/UK OFSI Sanctions Screening at Booking-Init, and GDS + EU OSS / DAC7 Reporting → — Travel/hospitality-specific deep-dive: the four IP-control surfaces (geo-rate enforcement + dynamic-pricing per booking origin w/ 8-tier pricebook T1 EU-Lux 1.00x → T8 Africa 0.75x + VPN/proxy/Tor fall-back to T2_NA_LUX anti-arbitrage + SANCTIONS_HARDSTOP on IR/KP/SY/CU/BY/RU/MM/VE/AF/SO HTTP 451 at search-render + BIN-billing-country pin at checkout; OTA carding + ATO defence at booking checkout w/ corporate-travel-platform ASN allowlist AS-CWT/Amex GBT/BCD/FCM/Egencia/Navan/Amadeus/Sabre fast-lane + consumer-OTA reject on VPN/Tor/relay + residential-proxy ASN block Bright Data/Oxylabs/Smartproxy/IPRoyal/Tier3 + 6-factor carding score threshold ≥70; OFAC + EU CONSILIUM + UK OFSI sanctions screening at booking-init w/ sanctioned-origin hard-stop regardless of session residency + EU 6AMLD compelled-disclosure on VPN/proxy + US-Cuba 31 CFR §515 General License gate + luxury-segment AML thresholds yacht €10K / private jet €20K / villa €5K/night / heli €3K + PEP screen + source-of-funds eval; GDS + inventory routing + EU OSS / DAC7 reporting w/ Amadeus EU/UK + Sabre US/CA + Travelport APAC + 27 EU-MS destination-VAT rates DE 19% → HU 27% + NO 25% + CH 8.1% + UK 20% + DAC7 Directive 2021/514 reportable-platform-operator evidence-log 5-year retention + Jan-31 lead-MS annual report), ≤40 ms search-render budget, OFAC/EU CONSILIUM/UK OFSI/DAC7/EU OSS/HOTREC audit posture, bundled threat fields on every plan, ASN-level granularity, and EUR billing.