Jurisdiction & geo restrictions
Last updated: 2026-04-05 · Alpha version
The short version
RESQD is operated from the United States and must comply with US sanctions and export-control regulations. We make a best-effort attempt to block access from jurisdictions where providing a strong-crypto privacy service to the general public is illegal, sanctioned, or carries meaningful legal risk for the operator.
This is not a technical border. A VPN defeats it in one click. It is a good-faith compliance posture, documented publicly so our intent is unambiguous.
Who is currently restricted
The live block list is configured via an environment variable on our API and can be updated at any time. As of the last update of this page, it includes:
| Country | Primary reason |
|---|---|
| Cuba | US OFAC comprehensive sanctions |
| Iran | US OFAC comprehensive sanctions |
| North Korea | US OFAC comprehensive sanctions |
| Syria | US OFAC comprehensive sanctions |
| Russia | US sanctions program (post-2022) |
| Belarus | US sanctions program |
| China (mainland) | Strong-crypto export and local-law risk |
Hong Kong, Macau, and Taiwan are treated as distinct jurisdictions and are not on the block list.
What you see when you're blocked
A request from a blocked country returns HTTP 451 Unavailable For Legal Reasons and the browser lands here. Our response only echoes your own detected country code back to you — we don't publish the full live block list through the API, so you can't probe it for edge-case additions.
If you believe this is wrong
Email [email protected]. The operator reviews every appeal individually, in writing, and will add case-specific exceptions for users who can establish a legitimate claim — for example, a US citizen travelling, someone using a VPN endpoint they don't control, or an explicit professional carve-out.
If appealing is unsafe for you — for example, if the local government would retaliate against you for seeking a US-based privacy service — please don't send an identifying email. RESQD's threat model takes your safety more seriously than our compliance posture. The source code is public; run your own instance against your own cloud storage, which removes this layer entirely.
Trust boundary disclosure
RESQD is unilaterally deciding to restrict some users in advance of any sanction being imposed directly on them. We list this here as a known trust boundary alongside the others on our Security Model page. If this posture is a non-starter, the source code is available under AGPL-3.0 — you can run a private instance against your own S3/GCS/Azure buckets and none of the above applies.
What we log
When a request is geo-blocked, our Lambda emits a single warning line containing the detected country code and the path. We do not log IP addresses, user agents, or any other headers beyond the country code. The decision is stateless per request — a user who visits from a blocked country, gets a 451, and then comes back from a non-blocked region on a subsequent request is indistinguishable from any other first-time visitor.
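The behaviour described under "What you see when you're blocked" and "What we log", as an added Python example that is not RESQD's own code. The environment variable name, the country header and the event field names are assumptions (an API Gateway HTTP API event behind CloudFront), and letting requests with an unknown country through is an assumed policy choice.

```python
import json
import logging
import os

log = logging.getLogger("geo")

BLOCKLIST_ENV = "GEO_BLOCKED_COUNTRIES"       # assumption: hypothetical variable name
COUNTRY_HEADER = "cloudfront-viewer-country"  # assumption: country header set by the edge


def load_blocklist(environ=os.environ):
    """Parse a comma-separated list of ISO 3166-1 alpha-2 codes from the environment."""
    raw = environ.get(BLOCKLIST_ENV, "")
    return frozenset(c.strip().upper() for c in raw.split(",") if c.strip())


def geo_gate(event, blocklist):
    """Return a 451 response for a blocked country, or None to let the request continue."""
    headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    country = (headers.get(COUNTRY_HEADER) or "").strip().upper()
    # Accept only two ASCII letters, so the value is safe to log and to echo back.
    if not (len(country) == 2 and country.isascii() and country.isalpha()):
        return None  # assumption: unknown country is not blocked (best effort)
    if country not in blocklist:
        return None
    # One warning line: country code and path only. No IP, user agent or other
    # headers are read here. %r neutralises control characters in the path.
    log.warning("geo_block country=%s path=%r", country, event.get("rawPath", "/"))
    return {
        "statusCode": 451,
        "headers": {"content-type": "application/json", "cache-control": "no-store"},
        # Echo only the caller's own detected code, never the block list itself.
        "body": json.dumps({"error": "unavailable_for_legal_reasons", "country": country}),
    }


if __name__ == "__main__":
    # Constructed sample event and block list, for illustration only.
    sample = {
        "rawPath": "/vault",
        "headers": {"CloudFront-Viewer-Country": "IR", "X-Forwarded-For": "203.0.113.7"},
    }
    print(geo_gate(sample, load_blocklist({BLOCKLIST_ENV: "CU,IR,KP,SY"})))
```

Because nothing is stored between calls, a later request from a non-blocked region passes through `geo_gate` with no trace of the earlier 451.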