
How to prove remote work happened from an approved jurisdiction — without surveillance

A signed contract that says "EU residence required" feels like a control. It isn't. It's a promise. When a breach happens or an auditor arrives, a promise is not something you can hand over as proof. What they want to see is evidence: that, at the moment work was performed, it was performed from a permitted jurisdiction.

That gap — between a clause in a contract and a control you can demonstrate — is where most companies with remote teams are quietly exposed.

Why IP geolocation isn't enough

The obvious instinct is to check the IP address. It's also the weakest signal you can choose. A VPN turns any IP into any country in seconds, and your contractor in another timezone knows that better than you do. An IP-only check is not evidence of jurisdiction — it's evidence that someone could appear to be somewhere.

So IP alone can never be sufficient. It can contribute to a picture, but it can never, on its own, certify that work happened where it was supposed to.

Tracking is not the same as evidence

Here's the distinction that matters, and the one most "GPS employee tracker" tools get wrong: continuous location tracking and jurisdiction evidence are different products.

Tracking asks "where is this person, all the time?" — and storing that answer is a privacy liability, often illegal in an employment context, and culturally toxic with the people you depend on.

Evidence asks a narrower question, only at the moment of a work check-in: "is this consistent with the approved jurisdiction?" — and stores only the answer. No map. No history of movements. No coordinates.

The goal is not to watch employees. It's to generate the audit trail that proves due diligence in an inspection or a breach.

Coherence, not coordinates

The way to answer that narrower question reliably is to combine independent signals and look at whether they agree:

  • GPS — device hardware location, with mock-location detection.
  • WiFi positioning — nearby network BSSIDs resolved to a country.
  • IP geolocation — the weak signal, useful only as corroboration.

Their coherence produces one of three results — and this is the part that makes it humane as well as defensible:

  1. compliant — sufficient evidence the work occurred from the approved jurisdiction.
  2. needs_review — insufficient or inconsistent evidence. Flagged for a human, never auto-punished.
  3. non_compliant — strong evidence of a disallowed jurisdiction, or detected manipulation.

Technical uncertainty is never treated as guilt. A device with no GPS fix in a basement is not a fraud — it's a needs_review. Treating every ambiguity as a violation is how these systems lose the trust of the very people they need.

Privacy by design, not as a setting

The exact coordinates and the WiFi BSSIDs are processed transiently — used to derive the country, then destroyed. They are never written to a database, never written to a log. What persists is the compliance result, a confidence score, and the minimal technical fields needed to defend it later.

This isn't a privacy toggle bolted on at the end. Data minimisation (GDPR Art. 5) is the architecture. You can't leak coordinates you never stored.

What makes the evidence actually hold up

For a record to survive an audit, it has to be impossible to quietly change after the fact. That takes surprisingly little:

  • Each check-in is hashed (SHA-256) at the moment it's created.
  • The records are append-only — no edits, no deletes, by anyone, during the retention window.
  • The active policy_version and app_version are stored, so you can reproduce exactly which rules applied.
  • The whole thing exports as a standalone evidence package — signed, with a hash chain — that an auditor can verify offline, even after you've cancelled the service.
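Putting the coherence rule and the append-only record together, as an added example that is not the article's or any product's code: `decide()` is one possible reading of the three outcomes described above (the rule that a disallowed country counts as "strong evidence" only when GPS and WiFi agree is an assumption), and `append_checkin()` / `verify_chain()` build and check a SHA-256 hash chain whose records hold only the derived country, result, confidence and version fields, never coordinates or BSSIDs. Field names and the JSON record layout are assumptions.

```python
import hashlib
import json

# Constructed illustration, not the article's own code. decide() is one
# possible reading of the three-outcome rule; the evidence log stores the
# derived country and result, never coordinates or BSSIDs.

def decide(approved, gps=None, wifi=None, ip=None, mock_location=False):
    """Each signal is an ISO country code derived from it, or None if no fix.
    Uncertainty (missing or disagreeing signals) is never treated as guilt."""
    if mock_location:
        return "non_compliant"             # detected manipulation
    hard = [c for c in (gps, wifi) if c]   # IP alone never decides
    if not hard or len(set(hard)) > 1:
        return "needs_review"              # no fix, or signals disagree
    country = hard[0]
    if ip and ip != country:
        return "needs_review"              # corroboration failed: a human looks
    if country in approved:
        return "compliant"
    # a disallowed country is "strong evidence" only when GPS and WiFi agree
    return "non_compliant" if len(hard) == 2 else "needs_review"

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_checkin(chain, worker_id, ts, result, confidence, country,
                   policy_version, app_version):
    """Append-only: each record commits to its predecessor's hash."""
    prev = chain[-1]["hash"] if chain else "0" * 64   # genesis link
    body = {"worker_id": worker_id, "ts": ts, "result": result,
            "confidence": confidence, "country": country,
            "policy_version": policy_version, "app_version": app_version,
            "prev_hash": prev}
    chain.append({**body, "hash": _digest(body)})
    return chain[-1]["hash"]

def verify_chain(chain):
    """Offline check an auditor can run: every hash matches its body and
    links to the previous record, so no record can be edited or removed."""
    prev = "0" * 64
    for rec in chain:
        body = {k: v for k, v in rec.items() if k != "hash"}
        if body["prev_hash"] != prev or _digest(body) != rec["hash"]:
            return False
        prev = rec["hash"]
    return True
```

A chain like this catches edits and removals in the middle, but silently truncating the newest records is only detected if the head hash is itself recorded outside the chain, which is what the signature on the exported package is for.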

Where to start

You don't need to build any of this to find out if it matters to you. The question to answer first is simply: if a client or auditor asked you to prove that work happened from a permitted region, could you? If the honest answer is no, that's the gap worth closing — with evidence, not surveillance.