wdmUI/decisions/0005-sovereignty-vs-hyperscaler.md

ADR-0005 · Sovereignty over hyperscaler convenience

Status: accepted
Date: 2026-05

Context

The dominant business model for video forensics SaaS (Verkada, Rhombus, Eagle Eye Networks) is: cameras stream to the vendor cloud, AI runs in the vendor cloud, the customer pays per camera per month. This has clear commercial advantages — scaling is the vendor's problem, the customer just buys cameras.

However:

  • CLOUD Act exposure: any video stored in a US-jurisdiction cloud is subject to US warrants, regardless of customer location.
  • GDPR Art. 28-30 problems: video of EU citizens transferred to US cloud requires SCC + supplementary measures, and after Schrems II this is shaky.
  • Argentina AAIP / EU regulators trending toward localization requirements for sensitive video.
  • Bandwidth cost: streaming raw video to cloud is expensive. Edge AI eliminates most of it.
  • Vendor lock-in is severe — exporting from Verkada means losing all your historical tags.

Decision

Blocao runs on customer-owned infrastructure. The hub itself, when used, runs on EU sovereign bare-metal (Hetzner Falkenstein/Helsinki, with optional OVH replica in Germany/France). No hyperscaler dependency in the critical path.

Three storage tiers:

  1. Raw video: stays at the site, on the Cell's encrypted disk. Never leaves.
  2. Embeddings + metadata: bridged to operator-run hub via MQTT.
  3. Evidence packs: when explicitly exported, encrypted with customer-held keys (BYOK).
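As an added example (not code from the wdmUI repository or the Blocao product), the three tiers expressed as an egress gate in Go: raw video is refused outright, embeddings pass through to the MQTT bridge, and an evidence pack leaves the site only after being sealed with AES-256-GCM under a 32-byte customer-held key. The tier names, function names and the AAD label are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Tier mirrors the three storage tiers of ADR-0005 (tier and function names are assumptions).
type Tier string

const RawVideo, Embeddings, EvidencePack Tier = "raw-video", "embeddings", "evidence-pack"

var ErrNeverLeavesSite = errors.New("raw video never leaves the site")
var packAAD = []byte("evidence-pack-v1") // constructed label, bound into the GCM tag

// Export is the egress gate: raw video is refused, embeddings pass through to the MQTT
// bridge unchanged, and evidence packs are sealed as nonce||ciphertext||tag with AES-256-GCM.
func Export(tier Tier, plaintext, customerKey []byte) ([]byte, error) {
	switch tier {
	case Embeddings:
		return plaintext, nil
	case EvidencePack:
		aead, err := gcmFor(customerKey)
		if err != nil {
			return nil, err
		}
		nonce := make([]byte, aead.NonceSize())
		if _, err := rand.Read(nonce); err != nil {
			return nil, err
		}
		return aead.Seal(nonce, nonce, plaintext, packAAD), nil
	}
	return nil, ErrNeverLeavesSite // RawVideo and any unknown tier fail closed
}

// Open recovers an evidence pack; a wrong key or a tampered byte fails authentication.
func Open(sealed, customerKey []byte) ([]byte, error) {
	aead, err := gcmFor(customerKey)
	if err != nil || len(sealed) < aead.NonceSize() {
		return nil, errors.New("bad key or truncated pack")
	}
	return aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], packAAD)
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 { // BYOK: a missing or short customer key is a policy error, not a fallback
		return nil, errors.New("evidence pack export needs a 32-byte customer key")
	}
	block, _ := aes.NewCipher(key) // cannot fail for a 32-byte key
	return cipher.NewGCM(block)
}
```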

Self-hosted infrastructure: MinIO (S3 API), Qdrant (vector DB), TimescaleDB (time-series), Mosquitto (broker), Caddy (TLS), Keycloak (auth).

Cost analysis (50-100 sites, 500-1000 cameras):

| Setup | Monthly cost |
|---|---|
| AWS reference (S3 + RDS + EC2 + Kinesis + Rekognition) | €8,000 - 15,000 |
| Hetzner bare-metal self-hosted | €800 - 1,500 |

The 10× cost saving is structural, not a temporary discount.

Consequences

Good:

  • Sovereignty becomes a sellable feature, not a compliance afterthought.
  • Margin economics work better at all scales.
  • Customers can self-host the hub if they want — opens partner channels.
  • AAIP / GDPR audits become easy: show the topology, show the policies, done.

Bad / trade-offs:

  • We carry operational responsibility (or our partners do). A hyperscaler abstracts this away.
  • Hetzner has had outages. We design for two regions to mitigate.
  • "Self-hosted" historically connoted "harder to use" — the UX has to be exceptional to overcome that.

Alternatives considered

  • AWS reference architecture: cheaper to build, structurally more expensive to operate, sovereignty is impossible.
  • Multi-cloud abstraction: complexity tax for no real benefit when 95% of customers don't care which cloud.
  • Customer-owned cloud (BYOC) on AWS: better than vendor cloud, but still hyperscaler. Acceptable as a non-default option.