Private APN & Enterprise Security: When and Why to Use It

30 Oct 2025

Mobile data isn’t just “internet in your pocket.” For enterprises with roaming staff, payment terminals, or IoT fleets, the path your traffic takes is a security control. A private APN creates a closed data path from SIMs to your network, letting you enforce policy, isolate traffic from the public internet, and integrate cleanly with VPNs or zero-trust tools. This guide explains what private APNs are, when to use them, how they work with VPNs, typical use cases, what they cost, and how to deploy successfully—without jargon.

If your teams travel, the stakes go up: roaming adds new networks, new attack surfaces, and variable policies. A well-designed private APN keeps device traffic predictable and governable across borders. Whether you’re connecting laptops via eSIM, securing field equipment across Esim Western Europe, or building a partner-ready solution via our Partner Hub, the right APN choice determines how easily you can meet audit, compliance, and uptime targets.

Use this as a practical checklist to decide if a private APN fits—and how to keep costs and complexity under control.

What is a Private APN?

A private APN (Access Point Name) is a carrier-side configuration that defines how SIM traffic is handled. Rather than breaking out to the public internet using NAT on a generic, shared APN, a private APN:

Identifies your SIMs into a dedicated routing context
Assigns private/static IP ranges if required
Applies custom firewall, DNS and content policies
Delivers traffic to you over a defined path (e.g., IPsec/GRE to your DC/cloud)

Think of it as “your own lane” inside the mobile core, with enterprise-grade traffic isolation and policy controls.

Key benefits

Traffic isolation: Your devices don’t share a public NAT pool with everyone else.
Predictable addressing: Private or static IPs allow IP allowlisting and system-to-system integrations.
Policy enforcement: Apply DNS filtering, firewall rules, and segmentation per SIM group.
Controlled breakout: Choose where traffic exits—your data centre, cloud VPC, or a regional gateway.

Common variants

Private APN with public breakout: Policy and IP control, but final internet egress is via carrier NAT.
Private APN with private breakout: End-to-end private path to your network over IPsec/GRE/MPLS; no public internet until you decide.
Roaming home routing vs local breakout: Decide whether traffic tunnels back to a home gateway or breaks out regionally for latency/compliance.

When should you use a Private APN?

Choose a private APN when one or more of these apply:

You must IP-allowlist mobile devices to access corporate apps, SCADA, or payment backends.
You need to block open internet access by default, allowing only approved destinations.
You require consistent, auditable logs of device egress and DNS activity.
You deploy IoT/OT fleets where devices are headless and should never be internet-reachable.
You need static or reserved IPs per SIM for device-to-cloud rules or legacy systems.
You’re operating in higher-risk or compliance-heavy sectors (finance, health, critical infrastructure).

Travel scenarios where it shines:

Regional workforces moving between the US, Canada and Mexico using Esim North America
Teams rotating across France, Italy and Spain with Esim France, Esim Italy and Esim Spain
Short-term projects needing fast onboarding in the US via Esim United States

Check your target countries and carriers via Destinations.

Private APN vs VPN vs Zero Trust

These are complementary, not either/or.

Private APN: Carrier-layer isolation and policy. Ensures trusted device identity (SIM/IMSI), private addressing, and controlled gateways.
VPN (IPsec/GRE/SSL): Secure tunnel from APN gateway to your network or cloud VPC. Use to terminate traffic into your security stack.
Zero Trust/SASE: Identity-driven access per user/device/app. Often layered on top (device certificate, posture checks) for user devices.

Recommended patterns

Corporate laptops/phones on the road
Private APN + clientless approach: Route all traffic via your gateway where CASB/SWG runs.
Or Private APN + device VPN: Enforce split tunnel for corporate apps; APN blocks all other internet.
IoT/OT equipment
Private APN with private breakout to your VPC/DC; no public internet access.
Partners/contractors
Private APN with segmented SIM groups and per-segment firewall policies; issue time-bound SIMs.

Pro tips: - Avoid double encryption where unnecessary. If APN-to-cloud IPsec is in place and devices only talk to your internal services, you may not need device-level VPN. - Use device certificates via MDM/EMM for user hardware. The APN identifies the SIM; your MDM identifies the device.

Security controls you actually get

Identity and segmentation
SIM/IMSI-based policies and groups
Optional IMEI binding for device lock
Addressing
Private RFC1918 subnets, with optional static IPs per SIM
CGNAT or 1:1 NAT as needed
Firewalling
Default deny; allow only required FQDNs/IPs/ports
Geo or ASN-based controls for sensitive backends
DNS
Force safe resolvers; block DNS-over-HTTPS egress
Use internal resolver via tunnel for split-horizon domains
Logging and SIEM
Per-SIM flow logs and DNS logs exported to your SIEM
DDoS posture
With private breakout, you decide internet egress; with public breakout, leverage carrier scrubbing

Roaming and travel: what to plan for

Latency vs control
Home routing centralises control but adds RTT from, say, Tokyo to a London gateway.
Regional breakout (e.g., EU vs US gateways) reduces latency for users on Esim Western Europe or Esim North America.
Regulatory constraints
Some countries restrict VPN or enforce local breakout. Match your APN design to the route permitted in the destination. Confirm on Destinations.
IP allowlists and roaming IPs
If you rely on static source IPs, avoid scenarios where roaming uses dynamic CGNAT or changes egress country by country. Private breakout fixes this by presenting consistent IP space.
Device onboarding during travel
eSIM QR provisioning helps. Pre-stage profiles for each region (e.g., Esim France for an EU tour, Esim United States for US trips).

Cost model: what you’ll actually pay

Expect costs in these buckets:

One-off setup
APN configuration, IP ranges, SIM group policies, initial tunnel(s)
Monthly platform fee
Covers APN gateway capacity, monitoring, and management
Per-SIM charge
Often tiered; sometimes includes static IP options
Data usage
Pooled or per-SIM; roaming may have regional rates
Tunnels and hosting
IPsec/GRE tunnel endpoints in your DC/VPC; cloud egress costs may apply
Change management/professional services
Policy updates, incident support, new region gateways

Ways to optimise: - Start with a private APN + public breakout for policy control; add private breakout later for critical apps. - Use regional gateways to avoid transatlantic hairpin data charges for travellers. - Reserve static IPs only for systems that truly need allowlists; use dynamic private IPs elsewhere. - Monitor top talkers; block chatty apps at APN firewall instead of paying for unnecessary data.

Quick decision checklist: do you need a private APN?

Tick “yes” if the statement is true:

We must restrict mobile devices from open internet by default.
We rely on IP allowlists for any critical app or third-party API.
We need device fleet observability (per-SIM traffic and DNS logs).
We operate IoT or unattended devices that should never be publicly reachable.
We have travellers across multiple regions and require consistent egress policies.
We must meet compliance or audit requirements for network segregation.

Three or more “yes” answers usually justify a private APN.

Implementation: step-by-step

1) Define scope and risk - List device types (laptops, phones, IoT), users, and data sensitivity. - Map apps/domains/ports that must be reachable. - Decide “deny-by-default” vs “allow-by-default”.

2) Choose coverage and form factor - Confirm countries and networks via Destinations. - Select regional plans (e.g., Esim North America or Esim Western Europe) and country add-ons (Esim Italy, Esim Spain).

3) Addressing and segmentation - Allocate private subnets per SIM group (e.g., staff vs IoT). - Decide where static IPs are required.

4) Breakout architecture - Start with private APN + public breakout if you only need policy/DNS controls. - For maximum control, deploy private breakout to your DC/cloud via IPsec/GRE. - If latency matters for travellers, request EU and US gateways.

5) Security policy and DNS - Set default deny; allow only business apps/domains. - Enforce DNS to your resolvers; block DoH/DoT egress except approved endpoints. - Add geo/ASN blocks for risky destinations if relevant.

6) Integrate identity and device posture - Bind SIMs to users via MDM/EMM; consider IMEI binding for corporate-owned devices. - For user devices, layer device certificates or ZTNA for application-level control.

7) Build and test tunnels - Establish redundant tunnels; validate failover. - Test roaming from target countries (US/EU) for latency and policy correctness.

8) Logging, monitoring, and alerts - Export flow and DNS logs to SIEM. - Create alerts for policy violations and unusual data volumes.

9) Pilot and scale - Pilot with 10–50 users/devices across two regions. - Iterate rules, then scale to full fleet.

Pro tips: - Test common collaboration apps (Teams/Zoom) for split vs full tunnel to avoid performance complaints. - Document emergency bypass processes for critical field operations.

Common pitfalls (and how to avoid them)

IP allowlists failing during roaming
Use private breakout with consistent source IPs; avoid reliance on roaming CGNAT ranges.
DNS leaks
Force DNS to your resolver; block outbound UDP/TCP 53/853 except to approved IPs; manage DoH with SNI filtering.
Overly broad “allow” rules
Prefer FQDN and minimal port ranges; segment by SIM group.
Latency surprises
Place gateways regionally; verify RTT from your top travel corridors.
Tunnel single points of failure
Always build at least two tunnels to independent endpoints.

Who is this for?

Enterprises securing roaming staff devices with eSIM
Payments, logistics, and field services managing unattended endpoints
MSPs/ISVs embedding connectivity into their solutions via our Partner Hub
Organisations looking for turnkey policies and global eSIM bundles via For Business

FAQ

Q1: What is the main difference between a public and a private APN?
A private APN creates an isolated routing context for your SIMs with custom policies and addressing. Public APNs use shared NAT to the internet with limited control and no dedicated security posture.

Q2: Do I still need a VPN if I use a private APN?
Often yes, but it depends. For IoT or tightly controlled fleets, APN-to-cloud IPsec may be sufficient without device VPN. For user devices, a device VPN or ZTNA provides identity and app-level control on top of the APN.

Q3: Can I get static IPs for my SIMs?
Yes. Private APNs can assign static or reserved private IPs per SIM, which is ideal for IP allowlisting and legacy integrations. Public static IPs are possible but less common; many use private breakout and egress via corporate firewalls.

Q4: Will a private APN work while roaming internationally?
Yes. Design for either home routing (all traffic returns to your gateway) or regional breakout (e.g., EU/US). This affects latency and compliance—verify coverage per country on Destinations.

Q5: How much does a private APN cost?
Expect a setup fee, a monthly APN platform charge, per-SIM pricing (optionally for static IPs), data usage, and tunnel/cloud costs. You can start small with policy-only public breakout, then add private breakout and regional gateways as needs grow.

Q6: Does this support eSIM and multi-region bundles?
Yes. Private APN policies apply to both physical SIMs and eSIMs. For travellers, pair your APN with regional plans like Esim Western Europe or Esim North America and country-specific options such as Esim France or Esim United States.

Next step

Design the right private APN for your fleet and travel patterns. Speak to our enterprise team via For Business to scope coverage, security policies, and rollout.

Read more blogs

Andes Highlights (3 Weeks): Peru–Bolivia–Chile–Argentina Connectivity

Planning a south america itinerary 3 weeks through the high Andes? This route stitches together Peru’s Sacred Valley, Bolivia’s La Paz and Salar de Uyuni, Chile’s Atacama Desert, and northern Argentina’s quebradas or Mendoza wine country—often by long-distance bus and a couple of short flights. Connectivity is different at altitude: coverage is strong in cities but drops in high passes and salt flats; bus Wi‑Fi is patchy; border towns can be blackspots. The smart move is an eSIM with multi‑country coverage, backed by offline maps, offline translations, and a simple routine for crossing borders by bus without losing service. Below you’ll find a practical, connectivity-first itinerary; checklists to prep your phone, apps and documents; and on-the-ground tips for staying online where it matters: booking transport, hailing taxis, backing up photos, and navigating when the signal disappears.If you’re transiting via Europe or North America, you can also add a layover eSIM to stay connected door-to-door. Start with our country list on Destinations, then follow the steps, and you won’t waste time chasing SIM shops at 3,500 metres.The 3‑week Andes route at a glanceWeek 1: Peru (Cusco, Sacred Valley, Machu Picchu) - Fly into Cusco (or Lima then connect). - Base in Cusco; day trips to Pisac/Chinchero/Maras–Moray. - Train to Aguas Calientes; Machu Picchu visit; return to Cusco or continue to Puno/Lake Titicaca.Week 2: Bolivia and Chile (La Paz, Uyuni, San Pedro de Atacama) - Bus/collectivo via Copacabana to La Paz. - Fly or overnight bus to Uyuni. - 3‑day Uyuni–altiplano tour ending in San Pedro de Atacama (Chile).Week 3: Chile and Argentina (Atacama to Salta or Mendoza/Buenos Aires) - Choose: - North: San Pedro to Salta/Jujuy by bus; fly to Buenos Aires. - Or South: San Pedro–Calama flight to Santiago; bus or flight to Mendoza; onward to Buenos Aires.Connectivity notes (quick): - Cities: generally strong 4G/4G+; 5G in major hubs (Santiago, Buenos Aires). - Altitude/rural: expect long no‑signal stretches (Uyuni, altiplano passes, Paso Jama). - Bus Wi‑Fi: often advertised, rarely reliable. Plan to be offline onboard. - Border regions: networks switch; a multi‑country eSIM avoids sudden loss.eSIM vs local SIMs for a 4‑country tripFor a route with multiple borders and remote legs, eSIM wins on time and reliability.What a multi‑country eSIM gets you: - One plan across Peru, Bolivia, Chile, Argentina (check coverage per country on Destinations). - No passport/SIM registration queues at kiosks. - Keep your home number active on the physical SIM for calls/SMS codes. - Instant top‑ups if you burn data on photos or navigation.When a local SIM still helps: - Long stay in one country with heavy data use (e.g., a month in Buenos Aires). - Dead zones where a different local network performs better (rarely worth the hassle on a 3‑week pace).Practical approach: - Use an eSIM as your primary data line across all four countries. - If you find a specific local network far better in one region, add a cheap local SIM and keep the eSIM as backup.Device readiness checklist (before you fly)1) Check eSIM compatibility and SIM‑lock status on your phone.2) Buy and install your eSIM while on home Wi‑Fi. Keep a PDF/printed copy of the QR code.3) Label lines clearly (e.g., “eSIM Andes Data”, “Home SIM”).4) Turn on data roaming for the eSIM; leave roaming off for your home SIM to avoid charges.5) Set up dual‑SIM rules: data on eSIM; calls/SMS default to home SIM if needed.6) Download offline: Google Maps/Organic Maps for all target regions; language packs (Spanish at minimum); bus/air tickets; hotel confirmations.7) Cloud backups: set to upload on Wi‑Fi only; pre‑create shared albums for travel companions.8) Test tethering/hotspot with your laptop/tablet.If you’re transiting popular hubs, consider a short layover eSIM: - USA connections: add an Esim United States or a broader Esim North America.- Europe connections: Madrid/Barcelona? Use an Esim Spain. Paris or Rome? See Esim France and Esim Italy. Multi‑country layovers? Try Esim Western Europe.City‑by‑city connectivity notesCusco & the Sacred Valley (Peru)Coverage: Good in Cusco city; variable in high villages (Maras/Moray) and along Inca Trail approaches.Tips: Download Sacred Valley maps offline; pin viewpoints and ruins. most taxis use WhatsApp—save your accommodation’s number.Machu Picchu/Aguas Calientes: Patchy to none at the citadel. Upload your photos later; don’t rely on live ticket retrieval.Lake Titicaca: Puno and CopacabanaPuno: Reasonable 4G; bus terminals crowded—screenshot QR tickets.Crossing to Copacabana: Expect a signal drop around the border; have directions saved offline.La Paz (Bolivia)Good urban 4G; the cable car network has decent signal but tunnels do not.Yungas/“Death Road” tours: Mountain valleys cause dead zones—share your emergency contacts with the operator, carry a charged power bank, and don’t plan remote calls.Uyuni and the Altiplano (Bolivia to Chile)Uyuni town: OK 4G; ATMs finicky—use Wi‑Fi for banking apps.Salt flats/lagunas: Assume offline for most of the 3‑day tour. Guides often carry satellite phones; agree a pickup time/place in San Pedro and preload your map route.San Pedro de Atacama (Chile)Town: Solid 4G; accommodations often have Wi‑Fi but speeds vary.Geysers, Valle de la Luna: Offline navigation essential; sunrise trips start before mobile networks wake up in some areas.Salta/Jujuy or Mendoza/Buenos Aires (Argentina)Salta/Jujuy: Good city coverage; quebradas have long no‑signal sections.Mendoza: City 4G/5G; vineyards outside town can be patchy.Buenos Aires: Strong 4G/5G; ideal for cloud backups and large downloads before you fly home.Border crossings by bus: step‑by‑stepThe big ones on this route: Peru–Bolivia (Puno/Copacabana), Bolivia–Chile (Uyuni–San Pedro via Hito Cajón), Chile–Argentina (Paso Jama to Salta or Los Libertadores to Mendoza).How to keep service and sanity:1) The day before:- Top up your eSIM data.- Confirm your plan includes both countries you’re entering/leaving.- Download offline maps for both sides of the border and your town of arrival.- Save bus company WhatsApp and terminal address offline.2) On departure morning:- Keep a paper copy or offline PDF of tickets, insurance, and accommodation proof.- Charge phone and power bank; pack a short cable in your daypack.3) On the bus:- Don’t count on bus Wi‑Fi. Keep your eSIM as primary, but expect drops near mountain passes.- If your phone supports it, enable “Wi‑Fi calling” for later when you reach accommodation Wi‑Fi.4) At the border posts:- Data may be unavailable. Keep QR codes and booking numbers offline.- After exiting one country and entering the next, toggle Airplane Mode off/on to re‑register on the new network.- If the eSIM doesn’t attach, manually select a network in Mobile Settings.5) Arrival:- Send your accommodation a quick WhatsApp when you’re back online.- Recheck your eSIM’s data roaming is on; confirm you’re on an in‑country network, not a weak roaming partner.Pro tips: - Dual profiles: If your eSIM allows, keep a secondary profile for a different network in the same country—helpful in border towns.- Cash buffer: Some border terminals don’t accept cards; download a currency converter for offline use.Offline survival kit (5‑minute setup)Maps: Download regions for Cusco, Sacred Valley, Puno, La Paz, Uyuni, San Pedro, Salta/Jujuy or Mendoza, and Buenos Aires.Translations: Download Spanish for offline use; add phrasebook favourites (bus tickets, directions, dietary needs).Documents: Save PDFs of passports, tickets, hotel addresses; star them for quick access.Rides: Screenshots of pickup points; pin bus terminals and hotel doors.Entertainment: Podcasts and playlists for long bus legs, set to download on Wi‑Fi only.Altitude and your tech: what changesCoverage gaps lengthen: Fewer towers at high altitude; valleys can block signal. Assume offline on remote excursions.Batteries drain faster in cold: Keep your phone warm and carry a power bank (10,000–20,000 mAh).Hotel Wi‑Fi may be congested: Schedule big uploads (photo backups, app updates) for big-city stays like Santiago or Buenos Aires.GPS still works offline: Your blue dot shows on offline maps without data—preload everything.Data budgeting for 3 weeksTypical traveller usage across this route: - Messaging/Maps/Bookings: 0.2–0.5 GB/day- Social and photo sharing: 0.3–0.7 GB/day- Occasional video calls/streaming: 0.5–1.0 GB/dayFor a mixed-use trip, plan 15–25 GB for 3 weeks. Heavy creators should double it and upload over hotel Wi‑Fi when possible. If you work remotely, consider a higher‑capacity plan and a backup eSIM; see our guidance on For Business.Practical route with transport and connectivity cuesDays 1–4 Cusco base: Strong city signal; day trips may be spotty—go offline-ready.Days 5–6 Machu Picchu: Expect no service at the ruins; sync tickets ahead.Days 7–8 Puno to La Paz via Copacabana: Border signal drop; re‑register networks after crossing.Days 9–11 Uyuni tour to San Pedro: Treat as offline; charge nightly; carry spare cables.Days 12–14 San Pedro: Stable in town; tours offline; top up data before Paso Jama.Days 15–17 Salta/Jujuy or Mendoza: Good urban 4G; rural patches are offline.Days 18–21 Buenos Aires: Strongest connectivity of the trip; clear your uploads and map downloads for the flight home.Partnering and stopover extrasHospitality and tour operators in the Andes: help your guests stay connected—explore co‑branded solutions via our Partner Hub.Transatlantic flyers: test your eSIM setup on a layover with an Esim United States or Esim Western Europe before hitting high-altitude blackspots.FAQs1) Do I need a local SIM in each country?No. A multi‑country eSIM covering Peru, Bolivia, Chile and Argentina is simpler and works well for a 3‑week pace. Consider a local SIM only if you’ll spend longer in one country and want the absolute best regional coverage.2) Will my WhatsApp number change with an eSIM?No. WhatsApp is tied to your registered number, not your data line. Keep your home SIM active for voice/SMS (roaming off if you wish), and use the eSIM for data—WhatsApp continues as normal.3) Can I hotspot to my laptop or camera?Yes. Enable tethering on your eSIM. Mind your data: cloud backups and OS updates can burn gigabytes—set them to Wi‑Fi only or schedule in big cities.4) What if there’s no signal on the Uyuni/Atacama legs?That’s expected. GPS still works offline. Pre-download maps and translations, carry a power bank, and sync plans with your tour operator before departure.5) Will I get roaming charges at borders?If you’re using a multi‑country eSIM with coverage in both countries, you won’t incur extra roaming fees from your home carrier. Keep roaming off on your home SIM to avoid accidental use.6) I’m connecting via Europe or the US—worth getting a layover eSIM?Yes. It’s an easy way to test your setup and stay reachable. Try Esim North America or country options like Esim Spain, Esim France, or Esim Italy for common hubs.Next step: Browse South America coverage options and build your plan on Destinations.

31 Oct 2025

eSIM Not Working? The 15 Most Common Fixes (iOS & Android)

When you land and your eSIM won’t connect, it’s rarely a dead end. In most cases it’s a quick setting, a network registration delay, or a simple reinstall. This guide walks you through a traveller-first triage and the 15 most reliable fixes for when an eSIM is not working on iOS or Android. You’ll check line activation, roaming, APN, network selection, and dual-SIM priorities step by step. We’ll also flag what to collect before contacting support and how to avoid issues next time.If you’re choosing a plan for your trip, start with our regional and country packs (for example Esim United States, Esim France, Esim Italy, Esim Spain or Esim Western Europe and Esim North America). For destination-by-destination coverage and set-up notes, head to Destinations.Quick triage: is it your eSIM, your device, or the network?Run this 60‑second checklist to pinpoint the issue: - Airplane Mode off? Mobile Data on? Wi‑Fi off (for testing)? Restart done?- Is the eSIM line installed, turned on, and set as the Mobile Data line? - Is Data Roaming enabled for the eSIM line? - Does manual network selection show local networks? Can you latch onto any? - Any usage limits hit (data cap/exhausted), plan expired, or activation pending?Pro tip: Give new eSIMs 2–5 minutes after landing to register. If you installed mid‑flight, reboot after arrival.The 15 most common fixes (iOS & Android)Use these in order. After each fix, test by toggling Mobile Data off/on and loading a plain web page.1) Confirm your phone is eSIM‑compatible and unlockediOS: iPhone XR/XS or newer typically support eSIM.Android: Many recent models do; check your device settings.Settings path:iOS: Settings > Mobile Data > Add eSIM (or “eSIMs”)Android: Settings > Network & Internet > SIMs (or Mobile network)Ensure the phone is carrier‑unlocked. If it’s locked to a home network, roaming eSIMs may not register.2) Reboot and toggle radiosToggle Airplane Mode on for 10 seconds, then off.Restart the device.Turn Wi‑Fi off briefly to force a cellular test.3) Make sure the eSIM is installed and activeiOS: Settings > Mobile DataCheck the eSIM is listed and “On”.Set Mobile Data: eSIM lineAndroid: Settings > Network & Internet > SIMsTurn on the eSIM.Set Preferred SIM for Mobile data: eSIMIf you don’t see the eSIM, re‑scan the QR or use the activation code provided by your eSIM vendor.4) Enable Data Roaming for the eSIM lineRoaming must be enabled for travel eSIMs. - iOS: Settings > Mobile Data > eSIM line > Data Roaming = On- Android: Settings > Network & Internet > SIMs > eSIM > Roaming = On5) Check plan status, allowance and validityConfirm the plan is activated (some start on installation; others on first network attach).Ensure you have remaining data. If you’ve hit the cap, speeds may drop or data may stop.If your trip spans borders, confirm your plan covers those countries (e.g., use Esim Western Europe for multi‑country EU travel or Esim North America across USA/Canada/Mexico).Pro tip: If you installed long before travel, check the expiry window hasn’t elapsed.6) Set network to 4G/5G Auto (avoid 2G/3G only)iOS: Settings > Mobile Data > eSIM line > Voice & Data = 5G Auto or 4G/LTEAndroid: Settings > Network & Internet > SIMs > eSIM > Preferred network type = 5G/4G (Auto)Some networks have retired 3G; forcing 3G can block data.7) Manually select a local network, then revert to AutomaticiOS: Settings > Mobile Data > Network Selection > turn Automatic off > choose a listed local carrier. After a successful attach, you can return to Automatic.Android: Settings > Network & Internet > SIMs > eSIM > Network > choose a carrier, then try switching back to Automatic.Pro tip: If one network fails, try others in the list. Regional eSIMs often have multiple partners.8) Check and (if required) set the APNMost eSIMs push APN automatically, but some require manual entry. - iOS: Settings > Mobile Data > eSIM line > Mobile Data Network- Android: Settings > Network & Internet > SIMs > eSIM > Access Point NamesIf your provider specifies an APN, enter exactly as given (case sensitive). Save and select it.9) Update carrier settings and OSiOS: Settings > General > About. If a “Carrier Settings Update” prompt appears, accept. Also update iOS to the latest version.Android: Settings > System > System update. Install pending updates. Some devices also offer a “Carrier Services” or “Operator configuration” update in the Play Store.10) Turn off VPN, Private Relay and firewall apps (temporarily)VPNs, DNS filters and Private Relay can interrupt first network registration or captive portals.- Disable these, reboot, attach to the network, then re‑enable if needed.11) Reset network settings (safe but clears saved networks)If the above steps fail: - iOS: Settings > General > Transfer or Reset iPhone > Reset > Reset Network Settings- Android: Settings > System > Reset options > Reset Wi‑Fi, mobile & BluetoothYou’ll lose saved Wi‑Fi and Bluetooth pairings. Your eSIMs remain, but you may need to re‑select defaults.12) Prioritise the eSIM if you use two linesDual‑SIM phones can get confused about data routing.- Set the eSIM as the default data line.- Disable the physical SIM temporarily, or turn off “Allow Mobile Data Switching” (iOS) to keep data on the eSIM.13) Reinstall or reissue the eSIM (only if allowed)Delete the eSIM profile, then add it again using the original QR/code.Some QR codes are single‑use. If re‑adding fails, request a reissue from your provider before deleting.Always be connected to Wi‑Fi while installing an eSIM.14) Toggle VoLTE/5G options if calls aren’t neededData‑only eSIMs don’t require voice features. If attach fails:- Try disabling 5G temporarily (set to 4G/LTE).- Toggle VoLTE off/on (some networks need it one way or the other). Test each change.15) Give it time, move, or try a different bandNew registration can take a few minutes. Buildings and basements block signals.- Wait 2–5 minutes after changes, then restart.- Move outdoors or closer to a window.- If available in your device, try locking to LTE only (then re‑enable Auto) to stabilise initial attach.Before you fly: a 5‑minute pre‑travel checklistInstall the eSIM on Wi‑Fi before departure (but don’t exhaust the validity window).Save your QR/code and account login offline.Verify your device is unlocked and supports the destination bands.Know whether your plan is country‑specific (e.g., Esim United States, Esim France, Esim Italy, Esim Spain) or regional (e.g., Esim Western Europe).Turn on Data Roaming for the eSIM line, and set it as your Mobile Data line.Keep your physical SIM off or ready to toggle if you won’t use home roaming.When to contact support (and what to send)If you’ve worked through the fixes and still can’t connect, share these details with support to speed resolution: - Your device make/model and OS version- eSIM ICCID or EID (found in SIM/Network settings)- Country and city you’re in, and which networks appear in manual selection- Screenshots of: eSIM status, Data Roaming toggle, APN screen, network type (4G/5G)- Whether you’ve tried network reset, reinstall, and different network selectionsPro tip: Try a local SIM test with a friend’s device, if available, to rule out a local outage.For teams and frequent travellersIf you manage multiple travellers, centralised eSIM management saves hours. Explore pooled data, shared dashboards and deployment via QR or SM‑DP+ with For Business. Partners and resellers can automate provisioning and track redemptions via the Partner Hub.FAQsWhy is my eSIM not working after landing? Often it’s one of three things: Data Roaming is off, the eSIM isn’t set as the Mobile Data line, or the phone needs a reboot to register on the local network. Start with toggling Airplane Mode, enabling Data Roaming, and selecting a local network manually.Do I need to change APN settings for an eSIM? Usually no—APNs auto‑provision. If data won’t start, check the APN screen. If your provider lists a specific APN, enter it exactly and select it.Will a VPN stop my eSIM from working? VPNs and Private Relay can interfere with initial registration and captive portals. Turn them off, get connected, then re‑enable.Can I keep my physical SIM active while roaming on an eSIM? Yes, but set the eSIM as the default data line. If data keeps switching to the physical SIM, disable “mobile data switching” (iOS) or temporarily turn off the physical SIM.My eSIM shows bars but no internet. What now? This points to APN, data routing, or plan allowance. Confirm the eSIM is the data line, verify APN, and check you haven’t hit a data cap. Toggling 5G to 4G/LTE can also stabilise data.Which eSIM should I choose for multi‑country trips? Pick a regional plan: for the EU/Schengen area use Esim Western Europe; for cross‑border North American travel use Esim North America. For single‑country travel, browse by country via Destinations.Next step: Ready to pick a plan that works where you’re going? Start with Destinations to find the right eSIM and setup notes for your trip.

30 Oct 2025

Compliance 101: eKYC, Data Privacy (GDPR), and Logs Retention for Partners

Modern travel demands instant connectivity, and eSIM makes it happen. For partners reselling or embedding Simology connectivity, the job is bigger than coverage and price. You’re handling identity checks, personal data, and operational logs across borders. This guide brings together the essentials of eSIM compliance eKYC GDPR in plain English so you can build trust with travellers while staying audit‑ready. We outline what data is genuinely needed, how to minimise risk, and how long to keep records without over‑retaining. You’ll also find checklists and pro tips for privacy‑by‑design and practical data retention schedules. If you serve travellers headed to multiple regions — from Esim United States to Esim Western Europe — your compliance posture must flex with local rules while giving a consistent, friction‑light experience. Use this as a blueprint to align your teams and vendors, and to make privacy a feature travellers can feel.Why eKYC matters for eSIM travellers and partnersElectronic Know Your Customer (eKYC) verifies a traveller’s identity before activating service in markets where it’s required by telecom, anti‑fraud, or security regulations.Typical triggers: - Prepaid SIM rules (many EU and APAC markets). - Roaming controls and fraud prevention. - Payment risk or chargeback mitigation for high‑value plans.What eKYC usually collects: - Identity document data (passport, national ID, sometimes driving licence). - Face verification (selfie with liveness) to match the document. - Minimal device data to bind activation (e.g., EID/IMEI), and IP/location signals for risk scoring.Country differences matter. For instance, some EU countries require SIM registration before first use, while the United States is generally lighter on mandatory SIM registration but robust on privacy and law enforcement requests. If your travellers are buying across Esim France, Esim Italy, or Esim Spain, your workflow should adapt to each market’s rules without making the user repeat steps. Direct travellers to options on Destinations, and ensure your backend enables compliant activation journeys per country.GDPR and global privacy principles, distilledGDPR sets the global benchmark for personal data protection. Even when you sell outside the EU, adopting its core principles will simplify operations and reduce risk.Key principles to build into your eSIM flows: - Lawful basis: Most eSIM processing rests on contract (to provide service), legal obligation (where eKYC is mandated), and legitimate interests (fraud prevention). Use consent only for optional features like marketing. - Purpose limitation and minimisation: Collect only what the regulation or the service genuinely requires. Don’t repurpose identity images for unrelated analytics. - Storage limitation: Keep data only for the period needed to meet legal, tax, or dispute requirements — then delete or irreversibly anonymise. - Security and confidentiality: Encrypt at rest and in transit. Limit access by role. Maintain separation between KYC images and operational logs. - Transparency and control: Clear notices at point of capture, easy access to rights (access, rectification, deletion), and visible retention timelines.Cross‑border transfers: - If EU/UK data leaves the EEA/UK, safeguard with adequacy decisions, Standard Contractual Clauses (SCCs) or UK IDTA as appropriate, plus transfer risk assessments and technical controls (encryption, key management).Practical tip: Keep your Data Processing Agreement (DPA) stack tidy. You should have a DPA in place with Simology and any sub‑processors, aligned to the data you actually collect in each workflow.Data retention and logs: what to keep, and for how longTelecom operations generate a lot of data. You need enough to support travellers, fulfil lawful obligations, and investigate fraud — but not so much that you create unnecessary risk.Common data categories - eKYC data: document images, extracted fields, liveness artefacts, verification outcome, and audit trail. - Activation and provisioning: EID/IMEI, ICCID, activation timestamps, plan details, order/payment references. - Network session metadata: session start/stop, cell/location approximations, volume counters (no content). - Support and compliance: consent logs, policy versions, ticket history, refunds/disputes, law enforcement requests (where applicable). - Security: access logs, API logs, fraud signals, device fingerprints.Typical retention ranges (select minimum necessary) - eKYC images and liveness artefacts: 90 days to 24 months, depending on local mandate and dispute window. Prefer deleting images once the verification decision is final and only retaining a hashed template or verification token where admissible. - Extracted KYC data (e.g., name, document number): retain only as long as needed to meet telecom registration requirements; commonly 6–24 months, varying per country. - Activation/provisioning records: 12–24 months to support customer care, chargebacks, and lawful requests. - Network session metadata (no content): 6–12 months is typical in many markets; local law may require longer or shorter. - Billing/tax records: often 6–7 years in many jurisdictions. Store these separately and avoid bundling with KYC images. - Security and access logs: 6–18 months to support incident response and forensics.Do not keep - Raw biometric templates or full‑resolution video beyond the shortest regulatory and operational need. - Duplicate copies of KYC images in analytics sandboxes or support tools. - Content of communications (not part of eSIM data plans) unless explicitly regulated and lawful.Step‑by‑step: Build your retention schedule1) Map your data: - List every field captured in eKYC, activation, usage, billing, and support.2) Assign lawful purpose and system of record: - For each field, define why you need it and where it lives.3) Set retention per category: - Use the shortest timeline that satisfies the strictest regulatory need for that market.4) Automate deletion: - Implement lifecycle rules (e.g., S3 object lifecycle, database TTLs) and keep evidence of deletion in audit logs.5) Separate storage: - Store KYC images separately from billing/usage. Restrict access via least privilege.6) Document it: - Maintain a one‑page retention matrix per market. Keep it updated when laws change.Pro tips - Use tokenisation: replace document numbers with irreversible tokens in everyday systems; keep the mapping in a segregated vault. - Prefer summary over detail: retain aggregate usage counters over per‑packet detail. - Time‑box support access: temporary just‑in‑time access for agents, with session recording.Privacy‑by‑design for eSIM: a practical checklistMinimise from the start: collect only the document type required for that country. If a national ID suffices, don’t ask for a passport.Make it legible to travellers: show exactly why data is needed, where it’s stored, and for how long.Default to the strictest market: design flows that can downgrade requirements for lighter regimes, not the other way around.Secure everywhere: TLS 1.2+, encryption at rest (AES‑256 or better), HSM‑protected keys, rotating secrets.Strong vendor governance: DPAs, sub‑processor lists, breach SLAs, penetration tests, and SOC 2/ISO 27001 where available.Data Protection Impact Assessment (DPIA): run a DPIA for identity verification and cross‑border transfers.Consent hygiene: separate toggles for marketing vs service updates; keep timestamped consent logs.Traveller self‑service: portal to access/delete data where allowed, and to download invoices for expenses.eKYC implementation options and risk controlRight‑size your eKYC to the market and plan type:Document scan + liveness: standard for countries with SIM registration rules. Store verification outcome; avoid long‑term storage of the raw selfie/video.Database checks: where lawful, validate against government or telco registries to avoid storing images.Risk‑based flows: lighter checks for low‑risk, low‑value plans; step‑up verification if fraud signals trigger.Offline fallback: for travellers with poor connectivity, enable deferred document upload with limited temporary access.Re‑use safely: if a traveller verified last month for Esim North America, you may re‑use a tokenised verification to buy Esim United States without re‑capturing images, subject to local rules.Pro tips - Hash and forget images: retain a cryptographic hash of the document image for deduplication/fraud detection, not the image itself. - Separate decisioning: store “pass/fail + reason code” in operational systems; keep raw artefacts in a secure verification vault with short retention.Cross‑border operations: aligning US, EU, and beyondEU/UK: expect SIM registration in several markets, strong GDPR rights, and tight storage limitation. Host EU resident data in the EEA/UK where possible, with SCCs for any exports.United States: generally fewer mandatory KYC rules for prepaid; focus on CPNI, state privacy laws, and law enforcement response processes. Regional nuances apply.APAC/MENA: several markets require passport/ID capture for SIM activation; watch for data localisation (country‑resident storage) requirements.Keep it simple for travellers. Someone buying Esim Western Europe wants one purchase to cover France, Italy, and Spain. Behind the scenes, your systems should meet each market’s registration rules without extra friction. Offer clear guidance on Destinations and provide country‑specific help within the checkout.What travellers expect (and notice)Speed: a sub‑2 minute identity check that works on mobile.Clarity: simple explanations for why an ID is needed in France versus not in the US.Control: the ability to delete their account or remove a stored document when rules allow.Security cues: trusted logos, clear privacy links, and no surprise re‑verification for add‑on plans.Helpful coverage info: straightforward product pages like Esim France, Esim Italy, and Esim Spain that set expectations before checkout.Partner integration with SimologyIf you’re building on Simology via wholesale or bundling connectivity into your product:Define roles early: who is controller vs processor for eKYC, activation, and support data.Use standard endpoints: integrate identity verification and consent capture through approved APIs; don’t invent parallel data stores.Align retention with us: mirror Simology’s recommended timelines and ensure automated deletion on your side.Centralise help content: point travellers to the right local guidance and plan pages on Destinations.Governance cadence: quarterly reviews of sub‑processors, transfers, DPIAs, and incident drills.Explore options on For Business and get documentation, samples, and support via the Partner Hub.Quick compliance checklistseKYC readiness - Markets mapped: which plans require ID? - Verification vendor vetted and under DPA. - Short‑term storage of images with auto‑delete. - Decision tokens available for re‑use. - Clear traveller messaging per market.GDPR and privacy - Lawful bases documented per data category. - Transparent notices and consent logs. - Data subject request workflow tested end‑to‑end. - Cross‑border safeguards (SCCs/IDTA) in place.Logs and retention - Separate stores for KYC, usage, billing, and support. - Automated retention rules and deletion evidence. - Least‑privilege access with time‑boxed elevation. - Regular log integrity and access reviews.Security - Encryption everywhere, key rotation, HSM/KMS. - MFA and SSO for all admin access. - Pen tests and vulnerability management. - Incident response runbooks and contacts maintained.FAQQ1: What is eKYC in the context of eSIM? A1: eKYC is a digital identity check used before activating service in markets that require SIM registration or where you need stronger fraud protection. It typically includes scanning a government ID and a quick liveness check to confirm the document belongs to the traveller.Q2: Do all countries require eKYC for eSIM? A2: No. Requirements vary by country and plan type. Several EU and APAC markets require registration; others, such as parts of the United States, typically do not. Check plan pages like Esim United States and regional bundles such as Esim Western Europe for local notes.Q3: How long should we keep KYC images? A3: Keep them only as long as needed to satisfy local rules and operational needs. Many partners aim for 90 days to 12 months, deleting images once verification is final and retaining only a decision token or hash. Always separate image retention from billing/tax record retention.Q4: What network data is retained about travellers? A4: Operational metadata such as activation timestamps, session start/stop times, and aggregated data volumes. Content of communications is not retained. Typical retention ranges from 6 to 12 months, subject to local law and support requirements.Q5: How is GDPR handled when serving multi‑region travellers? A5: Apply GDPR principles by default: minimisation, clear purposes, storage limitation, strong security, and proper transfer safeguards (e.g., SCCs). Host EU data in the EEA/UK when possible, and use contractual and technical measures for any transfers.Q6: Can previous eKYC be reused for repeat purchases? A6: Often, yes. If regulations allow, store a tokenised verification result and reuse it for future activations (e.g., moving from Esim North America to Esim United States), avoiding another document capture. Respect market‑specific rules and set an expiry for reuse.Next step: Access implementation guides, sample DPAs, and integration support via the Simology Partner Hub.

30 Oct 2025