New geo-block rules can put critical digital workflows at risk. Can a PaaS strategy help?

New changes are yet another hurdle to jump, but there’s a way around it

Assembling effective digital workflows requires a careful blending of people, process, and technology. Adding governance and compliance, as well as security and other concerns, such as budget and digital transformation, can become dramatically troublesome, especially when truly novel risks emerge or when change occurs faster than normal.

This is exactly what happened when Adobe announced that, starting June 23, 2025, their Acrobat Sign product will start denying access to IP addresses from mainland China. This means that many global organizations, as well as businesses serving Chinese customers, are about to experience significant disruptions if they rely on the Adobe platform.

These aren’t just regular document exchanges either. These are often business-critical agreements and contracts, which the business is very used to having some visibility into. For some organizations, if left unremedied, the problem could worsen very quickly after June 23.

What exactly is a geo-block?

Geo-blocks are a type of denial-of-service attack that targets users based on their location. They largely started as a way to protect intellectual property and enforce licensing agreements. Netflix might buy the rights to show your favorite movie to viewers in Japan, but not in the U.S. It checks your IP address upon connection to see if you’re in Japan. If you are, it’s favorite movie time. If not, no such luck.

Why do organizations use them?

What the geo-block actually blocks largely depends on the use case. Sometimes it’s a specific piece of content, or even an application feature. It might also be a whole site or platform; it all depends on who’s in charge and why the rules are being put in place. So why do businesses do it?

• IP and licensing rules were already discussed. Global licensing can become very complicated, and geo-blocks enable the granular enforcement of important agreements and the defense of valuable intellectual property.

  
  

• Data localization rules, such as China’s PIPL, require that personal data remain inside the country. Rather than deal with the complexity required to deliver capabilities inside specific borders, many vendors simply block the region.

  
  

• Regulatory and political decisions regarding export controls and sanctions, including US Executive Order 14117, have put in place tough new rules for cross-border information sharing, driving many vendors to geo-block their way to compliance.

  
  

• Finally, some vendors simply decide that the cost-to-serve math in doing business in a specific region just doesn’t work. Whether it’s fraud, chargebacks, or low contract value, geo-blocking can be an effective way to help maintain margins.

  
  

No matter the reason, the impact is huge.

Ultimately, it doesn’t matter why a platform or provider drops a block in your path. One day, things are working, and the next day they’re not. The costs and complications can add up quickly.

Contracts stop moving. This could be a big one. Those digital signature processes that have served your business well are going to stop working, and that could have a big impact on your sales pipeline.

APIs silently fail. A geo-block is sometimes only discovered when users realize a feature or service isn’t working. This could impact almost any automated workload across the business.

Audit trails dry up. Depending on what’s being stored on the other side of the geo-block, your audit and compliance trails can quickly break, leading to problems with internal stakeholders and regulators.

Shadow IT surges. Teams will try to find a way to get the job done. Human ingenuity means that your users will deploy very creative ways to try and circumvent geo-blocks. No matter which method they use (VPN, alternate browsers, etc), it adds new complexity to your stack.

Suddenly, a big change you weren’t expecting is costing you time and money you don’t have. And as already mentioned, rerouting these workflows is more complicated than just pushing a different button.

A case study: how Confidencial saved one company’s digital workflows

Imagine a global company with bustling offices in Shanghai, Shenzhen, and cities around the world. On June 23, 2025, as Adobe Acrobat Sign blocks all IP addresses from mainland China, daily operations in those branches grind to a halt. Finance teams in Shanghai can’t send or sign contracts; procurement in Shenzhen can’t finalize supplier agreements.

Previously seamless workflows become disrupted, and everybody is left trying to put complicated and ineffective workarounds in place. How could Confidencial’s digital signature solution make a difference?

Bring‑Your‑Own‑Cloud deployment: The company rapidly deploys the Confidencial Sign container in a neutral, accessible region such as Hong Kong or Singapore. BYOC ensures both local and international teams can access the signing platform without geographic restrictions or reliance on mainland China infrastructure.

Data‑blind encryption: All document contents are encrypted end-to-end, remaining completely opaque to both Confidencial and any foreign regulators. This approach eliminates cross‑border privacy concerns and ensures sensitive business information is protected throughout the signing process.

Seamless workflow migration: Staff continue to use their familiar Acrobat templates, signature fields, and recipient routing rules. The user experience remains unchanged—employees receive the same email invites as before, with only the backend endpoint switching to the new, compliant Confidencial platform.

Unbroken audit trail: Every signature event is automatically logged in the company’s local database or Security Information and Event Management (SIEM) system. This guarantees a complete, tamper-proof audit trail, supporting regulatory compliance and internal oversight requirements.

De-risking future blocks: a five-step action plan

Adobe’s move is yet another reminder that entrusting the future of your business to SaaS providers is a risky proposition. The solution isn’t building your own tools from scratch, but you need a plan to get ahead of the problem by the time that next big announcement drops. When the block is announced, it might be too late.

1. Map your exposures Conduct a comprehensive audit of all workflows that depend on third-party SaaS platforms. Identify every process where participants, data, or signatories may be located in high-risk jurisdictions such as China, Russia, or Iran. Document these dependencies, as well as any data flows, to understand your organization’s exposure and potential regulatory or compliance risks.

2. Stand up a Confidencial sandbox Quickly deploy a secure, isolated Confidencial environment in your preferred cloud region using infrastructure-as-code tools like Terraform. This sandbox allows you to test data residency, access controls, and compliance measures without impacting production systems. Ensure the setup mirrors your real-world stack to accurately assess performance, security, and operational requirements.

3. Design a pilot and get started Start small, selecting a representative live contract or workflow, and migrate it to the Confidencial sandbox. Involve real users from blocked or high-risk regions to validate that they can complete necessary actions, such as signing or reviewing documents, without friction. Once that loop is complete, you can fine-tune and optimize.

4. Plan and phase cutovers by risk tier. Plan your migration in phases based on the risk profile of each region. Begin by shifting the most vulnerable or regulated geographies—such as China, Russia, and Iran—onto the new, compliant platform. Lower-risk regions can initially remain on legacy tools, minimizing disruption and allowing for a controlled and prioritized rollout.

5. Revisit and revise your vendor questionnaires.

   Update your vendor due diligence process to require detailed disclosures about current and planned geo-blocking and data residency policies. Insist on “permissionless exit” rights, ensuring you can migrate data or terminate service without vendor-imposed barriers. This strengthens your compliance posture and ensures long-term flexibility in vendor relationships.

Want to see it in action? Bring your own cloud for a 14-day trial

When contracts stop moving, your business stops moving. Try our no-obligation trial to see how easy and effective it is to host Confidencial’s digital signature solution in your own cloud.