diff --git a/decisions/0005-sovereignty-vs-hyperscaler.md b/decisions/0005-sovereignty-vs-hyperscaler.md new file mode 100644 index 0000000..8468d7b --- /dev/null +++ b/decisions/0005-sovereignty-vs-hyperscaler.md 
@@ -0,0 +1,56 @@ +# ADR-0005 · Sovereignty over hyperscaler convenience + +**Status**: accepted +**Date**: 2026-05 + +## Context + +The dominant business model for video forensics SaaS (Verkada, Rhombus, Eagle Eye Networks) is: cameras stream to vendor cloud, AI runs in vendor cloud, customer pays per camera per month. This has clear commercial advantages — scaling is the vendor's problem, customer just buys cameras. + +However: + +- **CLOUD Act exposure**: any video stored in a US-jurisdiction cloud is subject to US warrants, regardless of customer location. +- **GDPR Art. 28-30 problems**: video of EU citizens transferred to US cloud requires SCC + supplementary measures, and after Schrems II this is shaky. +- **Argentina AAIP / EU regulators** trending toward localization requirements for sensitive video. +- **Bandwidth cost**: streaming raw video to cloud is expensive. Edge AI eliminates most of it. +- **Vendor lock-in** is severe — exporting from Verkada means losing all your historical tags. + +## Decision + +Blocao runs **on customer-owned infrastructure**. The hub itself, when used, runs on **EU sovereign bare-metal** (Hetzner Falkenstein/Helsinki, with optional OVH replica in Germany/France). No hyperscaler dependency in the critical path. + +Three storage tiers: + +1. **Raw video**: stays at the site, on the Cell's encrypted disk. Never leaves. +2. **Embeddings + metadata**: bridged to operator-run hub via MQTT. +3. **Evidence packs**: when explicitly exported, encrypted with customer-held keys (BYOK). + +Self-hosted infrastructure: MinIO (S3 API), Qdrant (vector DB), TimescaleDB (time-series), Mosquitto (broker), Caddy (TLS), Keycloak (auth). + +Cost analysis (50-100 sites, 500-1000 cameras): + +| Setup | Monthly cost | +|---|---| +| AWS reference (S3 + RDS + EC2 + Kinesis + Rekognition) | €8,000 - 15,000 | +| Hetzner bare-metal self-hosted | €800 - 1,500 | + +The 10× cost saving is structural, not a temporary discount. 
+ +## Consequences + +**Good**: +- Sovereignty becomes a sellable feature, not a compliance afterthought. +- Margin economics work better at all scales. +- Customers can self-host the hub if they want — opens partner channels. +- AAIP / GDPR audits become easy: show the topology, show the policies, done. + +**Bad / trade-offs**: +- We carry operational responsibility (or our partners do). Hyperscaler abstracts this. +- Hetzner has had outages. We design for two regions to mitigate. +- "Self-hosted" historically connoted "harder to use" — the UX has to be exceptional to overcome that. + +## Alternatives considered + +- **AWS reference architecture**: cheaper to build, structurally more expensive to operate, sovereignty is impossible. +- **Multi-cloud abstraction**: complexity tax for no real benefit when 95% of customers don't care which cloud. +- **Customer-owned cloud (BYOC) on AWS**: better than vendor cloud, but still hyperscaler. Acceptable as a non-default option.
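Review bot: the storage tiers in the Decision section contradict each other and leave the only cross-site data path unspecified. Tier 1 says raw video "Never leaves" the Cell's encrypted disk, while tier 3 describes evidence packs that are "explicitly exported", which implies raw video does leave the site under some condition; suggest rewording tier 1 to "Never leaves except as part of an explicitly exported, BYOK-encrypted evidence pack" so the two tiers agree. Tier 2 ("bridged to operator-run hub via MQTT") is the one path that routinely crosses a network boundary, yet the ADR states nothing about transport protection or broker authentication for Mosquitto (Caddy is listed for TLS, but that covers HTTP endpoints, not the MQTT bridge), and it does not say whether embeddings of people are treated as personal data for the GDPR Art. 28-30 argument made in Context; since the sovereignty claim rests on this tier, the ADR should state the key custody for the Cell's disk (who holds it, given BYOK is only stated for tier 3) and the bridge's security requirements, or reference a follow-up ADR that will.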