Implementing Data Residency with Tyk MDCB

Tyk MDCB enables you to implement data residency requirements by keeping sensitive data within specific geographic boundaries while maintaining centralized API management. This guide shows you how to configure and deploy Tyk to meet data sovereignty regulations.

Data Residency in API Management

Data residency regulations require certain types of data to remain within specific geographic boundaries. For API management, this affects:

API request and response data
User authentication information
Analytics and logs
Configuration data

Common regulations include GDPR (EU), CCPA (California), PIPEDA (Canada), and various national data protection laws that specify where data must be stored and processed.

Data Types and Residency Considerations

API Traffic Data

API request and response data typically must be processed within the region:

Requests are processed by local Gateway instances
Responses are generated within the region
No cross-region request routing for regulated APIs
Traffic logs are stored locally or in compliant storage

Authentication Data

User authentication information requires special handling:

API keys can be synchronized but used locally
OAuth tokens can be validated within the region
JWT verification can happen locally
Session data stays within regional boundaries

Analytics Data

Analytics data often contains sensitive information:

Local Pump instances process analytics within the region
Anonymization techniques can be applied before cross-region transfer
Aggregated (non-PII) data may be centralized
Raw analytics can be stored in region-specific databases

Configuration Data

API definitions and policies are typically less sensitive:

Centrally managed in the control plane
Distributed to data planes as needed
May contain sensitive endpoints that require filtering

Implementation Patterns

Regional Isolation Pattern

[Diagram of regional isolation pattern with control plane and isolated data planes] Complete isolation of data within regions:

Data planes process all requests locally
No data leaves the geographic boundary
Analytics stored within the region
Local Redis and optional local database

Filtered Synchronization Pattern

[Diagram of filtered synchronization with selective data flow] Selective synchronization of non-sensitive data:

Sensitive data remains in region
Non-sensitive data may be centralized
Configuration filtering based on data classification
Analytics aggregation with PII removal

Analytics Aggregation Pattern

[Diagram of analytics aggregation pattern] Compliant analytics collection across regions:

Raw data stored locally
Anonymization at the source
Aggregated metrics sent to central analytics
Compliance with audit requirements

Configuration Guide

Control Plane Configuration

Configure the control plane to support data residency:

{
"mdcb_config": {
"allow_explicit_policy_id": true,
"group_id_handling": true,
"segments": {
"eu-segment": {
"data_residency": true,
"tags": ["eu-apis"]
}
}
}
}

Key settings:

Enable group-based segmentation
Configure segments for different regions
Tag APIs for specific regions
Enable data residency features

Data Plane Configuration

Configure worker gateways to maintain data residency:

{
"slave_options": {
"group_id": "eu-segment",
"call_timeout": 30,
"ping_timeout": 60,
"rpc_pool_size": 5,
"local_session_cache": true,
"disable_keyspace_sync": false,
"connect_retries": 5
},
"analytics_config": {
"type": "rpc",
"enable_detailed_recording": true,
"storage_expiration_time": 60
}
}

Key settings:

Assign the correct group_id
Enable local session cache
Configure analytics for local storage
Set appropriate timeouts

Pump Configuration

Configure Pump for compliant analytics handling:

{
"analytics": {
"type": "mongo",
"mongo": {
"collection_name": "tyk_analytics",
"mongo_url": "mongodb://localhost/tyk_analytics"
}
},
"purge_delay": 10,
"pumps": {
"mongo": {
"name": "mongo",
"meta": {
"collection_name": "tyk_analytics",
"mongo_url": "mongodb://localhost/tyk_analytics"
}
}
}
}

Key settings:

Configure local storage for analytics
Set appropriate purge delays
Use region-specific database connections

Verification and Compliance

Verifying Data Residency

Verify your implementation meets requirements:

Traffic Verification: Confirm API requests are processed locally
Data Storage Audit: Verify data storage locations
Network Analysis: Monitor traffic to ensure no cross-border transfers
Configuration Validation: Verify gateway configurations

Audit Trail Implementation

Implement audit trails for compliance demonstration:

Gateway Logs: Configure detailed logging
Admin Actions: Track all administrative actions
Configuration Changes: Log all configuration changes
Access Logs: Maintain records of all system access

Ongoing Compliance Monitoring

Establish continuous monitoring:

Regular Audits: Schedule periodic compliance reviews
Automated Checks: Implement automated compliance verification
Alert Configuration: Set up alerts for potential compliance issues
Documentation: Maintain up-to-date compliance documentation

Implementation Example: Financial Services Data Residency

This example demonstrates how a global financial institution implemented data residency for customer data across EU, US, and APAC regions. [Detailed diagram of multi-region deployment with data residency controls] Key implementation details:

Control Plane: Located in US with restricted access
Data Planes: Separate deployments in EU, US, and APAC
API Segmentation: APIs tagged by region and data sensitivity
Analytics: Region-specific Pump instances with local storage
Verification: Automated compliance checks and quarterly audits

The implementation ensured:

Customer data never left its region of origin
API definitions were managed centrally
Analytics were stored in-region with aggregated reporting
Compliance with GDPR, CCPA, and local banking regulations

Overview

Getting Started

Deploy Tyk

Managing APIs

Securing APIs

Managing Deployments

Reference

Developer Support

Implementing Data Residency with Tyk MDCB

Implementing Data Residency with Tyk MDCB

Data Residency in API Management

Data Types and Residency Considerations

API Traffic Data

Authentication Data

Analytics Data

Configuration Data

Implementation Patterns

Regional Isolation Pattern

Filtered Synchronization Pattern

Analytics Aggregation Pattern

Configuration Guide

Control Plane Configuration

Data Plane Configuration

Pump Configuration

Verification and Compliance

Verifying Data Residency

Audit Trail Implementation

Ongoing Compliance Monitoring

Implementation Example: Financial Services Data Residency

Next Steps

Overview

Getting Started

Deploy Tyk

Managing APIs

Securing APIs

Managing Deployments

Reference

Developer Support

​Implementing Data Residency with Tyk MDCB

​Data Residency in API Management

​Data Types and Residency Considerations

​API Traffic Data

​Authentication Data

​Analytics Data

​Configuration Data

​Implementation Patterns

​Regional Isolation Pattern

​Filtered Synchronization Pattern

​Analytics Aggregation Pattern

​Configuration Guide

​Control Plane Configuration

​Data Plane Configuration

​Pump Configuration

​Verification and Compliance

​Verifying Data Residency

​Audit Trail Implementation

​Ongoing Compliance Monitoring

​Implementation Example: Financial Services Data Residency

​Next Steps

Implementing Data Residency with Tyk MDCB

Data Residency in API Management

Data Types and Residency Considerations

API Traffic Data

Authentication Data

Analytics Data

Configuration Data

Implementation Patterns

Regional Isolation Pattern

Filtered Synchronization Pattern

Analytics Aggregation Pattern

Configuration Guide

Control Plane Configuration

Data Plane Configuration

Pump Configuration

Verification and Compliance

Verifying Data Residency

Audit Trail Implementation

Ongoing Compliance Monitoring

Implementation Example: Financial Services Data Residency

Next Steps