# ADR-0005 · Sovereignty over hyperscaler convenience
**Status**: accepted

**Date**: 2026-05
## Context
The dominant business model for video forensics SaaS (Verkada, Rhombus, Eagle Eye Networks) is: cameras stream to the vendor cloud, AI runs in the vendor cloud, the customer pays per camera per month. This has clear commercial advantages — scaling is the vendor's problem, the customer just buys cameras.
However:
- **CLOUD Act exposure**: any video stored in a US-jurisdiction cloud is subject to US warrants, regardless of customer location.
- **GDPR Art. 28-30 problems**: video of EU citizens transferred to US cloud requires SCC + supplementary measures, and after Schrems II this is shaky.
- **Argentina AAIP / EU regulators** trending toward localization requirements for sensitive video.
- **Bandwidth cost**: streaming raw video to cloud is expensive. Edge AI eliminates most of it.
- **Vendor lock-in** is severe — exporting from Verkada means losing all your historical tags.
## Decision
Blocao runs **on customer-owned infrastructure**. The hub itself, when used, runs on **EU sovereign bare-metal** (Hetzner Falkenstein/Helsinki, with optional OVH replica in Germany/France). No hyperscaler dependency in the critical path.
Three storage tiers:
1. **Raw video**: stays at the site, on the Cell's encrypted disk. Never leaves.
2. **Embeddings + metadata**: bridged to operator-run hub via MQTT.
3. **Evidence packs**: when explicitly exported, encrypted with customer-held keys (BYOK).
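The three tiers expressed as an egress policy check, as an added example that is not part of the ADR or the Blocao code base: the `Tier`, `Artifact` and `Destination` types and the region identifier strings are assumptions made for the illustration; only the rules and the hub locations come from the decision above.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class Tier(Enum):
    RAW_VIDEO = "raw_video"          # tier 1: never leaves the site
    EMBEDDINGS = "embeddings"        # tier 2: bridged to the operator-run hub over MQTT
    EVIDENCE_PACK = "evidence_pack"  # tier 3: explicit export only, under a customer-held key

# Hub locations named in the decision; the identifier strings are assumed.
SOVEREIGN_HUB_REGIONS = frozenset({"hetzner-falkenstein", "hetzner-helsinki", "ovh-germany", "ovh-france"})

@dataclass(frozen=True)
class Artifact:
    tier: Tier
    site_id: str                     # the Cell that produced it
    encrypted: bool = False
    key_owner: Optional[str] = None  # "customer" for BYOK, "operator", or None

@dataclass(frozen=True)
class Destination:
    kind: str                        # "site", "hub" or "export"
    region: str                      # where the bytes come to rest
    site_id: Optional[str] = None    # only meaningful for kind == "site"

class EgressDenied(Exception):
    """Raised when a transfer would violate the storage-tier rules."""

def check_egress(artifact: Artifact, dest: Destination) -> bool:
    """Return True if moving `artifact` to `dest` is allowed; raise EgressDenied otherwise."""
    if artifact.tier is Tier.RAW_VIDEO:
        if dest.kind != "site" or dest.site_id != artifact.site_id:
            raise EgressDenied("raw video stays on the Cell's encrypted disk at its own site")
    elif artifact.tier is Tier.EMBEDDINGS:
        if dest.kind != "hub":
            raise EgressDenied("embeddings and metadata are bridged to the hub only")
        if dest.region not in SOVEREIGN_HUB_REGIONS:
            raise EgressDenied(f"hub region {dest.region!r} is not EU sovereign bare-metal")
    else:  # Tier.EVIDENCE_PACK
        if dest.kind != "export":
            raise EgressDenied("evidence packs move only through an explicit export")
        if not (artifact.encrypted and artifact.key_owner == "customer"):
            raise EgressDenied("export requires encryption under a customer-held key (BYOK)")
    return True

def allowed(artifact: Artifact, dest: Destination) -> bool:
    # Boolean form of check_egress, for policy tables and tests.
    try:
        return check_egress(artifact, dest)
    except EgressDenied:
        return False
```

A gate like this, run at every bridge and export point, is what turns "show the policies" into something an auditor can execute rather than read.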
Self-hosted infrastructure: MinIO (S3 API), Qdrant (vector DB), TimescaleDB (time-series), Mosquitto (broker), Caddy (TLS), Keycloak (auth).
Cost analysis (50-100 sites, 500-1000 cameras):

| Setup | Monthly cost |
|---|---|
| AWS reference (S3 + RDS + EC2 + Kinesis + Rekognition) | €8,000 - 15,000 |
| Hetzner bare-metal self-hosted | €800 - 1,500 |
The 10× cost saving is structural, not a temporary discount.
## Consequences
**Good**:
- Sovereignty becomes a sellable feature, not a compliance afterthought.
- Margin economics work better at all scales.
- Customers can self-host the hub if they want — opens partner channels.
- AAIP / GDPR audits become easy: show the topology, show the policies, done.
**Bad / trade-offs**:
- We carry operational responsibility (or our partners do). Hyperscaler abstracts this.
- Hetzner has had outages. We design for two regions to mitigate.
- "Self-hosted" historically connoted "harder to use" — the UX has to be exceptional to overcome that.
## Alternatives considered
- **AWS reference architecture**: cheaper to build, structurally more expensive to operate, sovereignty is impossible.
- **Multi-cloud abstraction**: complexity tax for no real benefit when 95% of customers don't care which cloud.
- **Customer-owned cloud (BYOC) on AWS**: better than vendor cloud, but still hyperscaler. Acceptable as a non-default option.