ADR-0005 · Sovereignty over hyperscaler convenience
Status: accepted
Date: 2026-05
Context
The dominant business model for video forensics SaaS (Verkada, Rhombus, Eagle Eye Networks) is: cameras stream to the vendor cloud, AI runs in the vendor cloud, and the customer pays per camera per month. This has clear commercial advantages — scaling is the vendor's problem, and the customer just buys cameras.
However:
- CLOUD Act exposure: any video stored in a US-jurisdiction cloud is subject to US warrants, regardless of customer location.
- GDPR Art. 28-30 problems: video of EU citizens transferred to US cloud requires SCC + supplementary measures, and after Schrems II this is shaky.
- Argentina AAIP / EU regulators trending toward localization requirements for sensitive video.
- Bandwidth cost: streaming raw video to cloud is expensive. Edge AI eliminates most of it.
- Vendor lock-in is severe — exporting from Verkada means losing all your historical tags.
Decision
Blocao runs on customer-owned infrastructure. The hub itself, when used, runs on EU sovereign bare-metal (Hetzner Falkenstein/Helsinki, with optional OVH replica in Germany/France). No hyperscaler dependency in the critical path.
Three storage tiers:
- Raw video: stays at the site, on the Cell's encrypted disk. Never leaves.
- Embeddings + metadata: bridged to the operator-run hub via MQTT.
- Evidence packs: when explicitly exported, encrypted with customer-held keys (BYOK).
Self-hosted infrastructure: MinIO (S3 API), Qdrant (vector DB), TimescaleDB (time-series), Mosquitto (broker), Caddy (TLS), Keycloak (auth).
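One way to check the tier rule at the bridge, as an added example that is not Blocao's own code: a Python audit of a Cell's Mosquitto bridge section that flags any outbound topic filter outside the embeddings and metadata tier, and any bridge without TLS. The topic prefixes, hostname and both sample configs are assumptions constructed for illustration.

```python
# Added example: audit a Cell's Mosquitto bridge section against the tier rule.
# Topic prefixes, hostnames and both sample configs are assumptions (constructed).
ALLOWED_OUT = ("embeddings/", "metadata/")  # assumed tier-2 topic prefixes
TLS_KEYS = {"bridge_cafile", "bridge_capath", "bridge_psk"}

GOOD_CONF = """\
# constructed sample
connection hub-bridge
address hub.example.invalid:8883
bridge_cafile /etc/mosquitto/ca/hub-ca.crt
topic embeddings/# out 1
topic # out 1 metadata/ site-001/metadata/
topic commands/# in 1
"""

BAD_CONF = """\
# constructed sample
connection hub-bridge
address hub.example.invalid:1883
topic # both 0
topic segments/# out 1 video/ ""
"""

def audit_bridge(conf_text):
    """Return a list of findings; an empty list means the bridge matches the policy."""
    findings, tls, current = [], {}, None
    for n, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        # mosquitto.conf comments are whole lines starting with '#';
        # a '#' later in a line is the MQTT multi-level wildcard, so keep it.
        if not line or line.startswith("#"):
            continue
        key, *args = line.split()
        if key == "connection" and args:
            current = args[0]
            tls[current] = False
        elif current is None:
            continue  # directive outside any bridge section
        elif key in TLS_KEYS:
            tls[current] = True
        elif key == "bridge_insecure" and args == ["true"]:
            findings.append(f"line {n}: {current}: hostname verification disabled")
        elif key == "topic" and args:
            direction = args[1] if len(args) > 1 else "out"  # Mosquitto default is out
            prefix = args[3] if len(args) > 3 and args[3] != '""' else ""
            local = prefix + args[0]  # filter the bridge subscribes to locally
            if direction in ("out", "both") and not local.startswith(ALLOWED_OUT):
                findings.append(f"line {n}: {current}: '{local}' leaves the site")
    findings += [f"{c}: no CA/PSK set, bridge is not TLS-protected" for c, ok in tls.items() if not ok]
    return findings
```

Run against each Cell's rendered mosquitto.conf, an empty findings list shows that only the allowlisted tier is bridged off-site.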
Cost analysis (50-100 sites, 500-1000 cameras):
| Setup | Monthly cost |
|---|---|
| AWS reference (S3 + RDS + EC2 + Kinesis + Rekognition) | €8,000 - 15,000 |
| Hetzner bare-metal self-hosted | €800 - 1,500 |
The 10× cost saving is structural, not a temporary discount.
Consequences
Good:
- Sovereignty becomes a sellable feature, not a compliance afterthought.
- Margin economics work better at all scales.
- Customers can self-host the hub if they want — opens partner channels.
- AAIP / GDPR audits become easy: show the topology, show the policies, done.
Bad / trade-offs:
- We carry operational responsibility (or our partners do). A hyperscaler abstracts this away.
- Hetzner has had outages. We design for two regions to mitigate.
- "Self-hosted" historically connoted "harder to use" — the UX has to be exceptional to overcome that.
Alternatives considered
- AWS reference architecture: cheaper to build, structurally more expensive to operate, sovereignty is impossible.
- Multi-cloud abstraction: complexity tax for no real benefit when 95% of customers don't care which cloud.
- Customer-owned cloud (BYOC) on AWS: better than vendor cloud, but still hyperscaler. Acceptable as a non-default option.