ADR-023: Cloud provider and region strategy¶
| Status | Accepted |
| Date | 2026-04-10 |
| Deciders | CTO, Head of Platform Engineering |
| Affects repos | bank-core, bank-kyc, bank-aml, bank-payments, bank-credit, bank-risk-platform, bank-platform, bank-app |
Context¶
The serverless execution model (ADR-022) and Snowflake analytics platform (ADR-002) both require a cloud provider to be declared before infrastructure or pipeline work can begin. The bank operates under NZ and AU data residency obligations — RBNZ BS11 and APRA CPS 234 require that customer data is held in a jurisdiction with adequate legal protections and, where mandated, within the relevant country.
Future market expansion (beyond NZ and AU) is anticipated but is not in scope for launch. The architecture must not make single-region assumptions in application logic, but operating a single region at launch is acceptable.
Decision¶
AWS (Amazon Web Services), ap-southeast-2 (Sydney) as the primary and sole region at launch.
| Concern | Decision |
|---|---|
| Cloud provider | AWS |
| Launch region | ap-southeast-2 — Sydney, Australia |
| Additional regions | None at launch. Architecture designed for expansion; added by future ADR when a market requires it |
| AU data residency | ap-southeast-2 satisfies CPS 234 and APRA data localisation expectations |
| NZ data residency | Sydney under appropriate data processing agreements (DPAs) is the accepted path under BS11 until an AWS NZ region is available. When AWS NZ region launches, NZ customer data migrates there under a separate ADR |
| Snowflake | Snowflake ap-southeast-2 (Sydney) — same network as application tier; minimises egress cost and CDC latency |
| Multi-AZ within region | Minimum two availability zones for all stateful infrastructure; three AZs for Tier 1 services (ledger, payments) |
Design constraint: region-agnostic application logic¶
All application code shall be free of hard-coded region assumptions. Region is an infrastructure variable, not a code constant. This constraint enables future multi-region deployment without application changes.
Consequences¶
Positive: - AWS Sydney is the mature, well-documented choice for regulated financial services in AU/NZ — deepest APRA/RBNZ compliance documentation of any cloud provider - Snowflake and AWS in the same region eliminates cross-region data transfer for analytics workloads - Serverless ecosystem (Lambda, API Gateway, Cognito, S3) is most mature on AWS - Single region simplifies operations at launch without limiting future expansion
Negative: - NZ data residency relies on contractual arrangements rather than physical NZ data centres until an AWS NZ region is available — this must be documented in DPAs and disclosed appropriately - Single region means no geographic redundancy at launch — RTO/RPO obligations (NFR-019) are met through multi-AZ within Sydney, not cross-region failover
Alternatives considered¶
GCP (Google Cloud): Rejected. Weaker financial services compliance posture for AU/NZ regulated entities. Snowflake on GCP would split the analytics and application tiers across providers.
Azure: Rejected. Strong enterprise compliance but weaker serverless maturity for this stack. Lambda + SST + Cognito have no direct Azure equivalents of comparable maturity.
Multi-cloud at launch: Rejected. Complexity not justified. Vendor risk is managed through abstraction at the application layer (standard interfaces, no cloud SDK directly in business logic) rather than multi-cloud operation.
Multi-region at launch: Deferred. Adds significant operational overhead before the first customer. SG-006 is updated to reflect single region at launch as the correct starting position.
Signoff record¶
| Date | Name | Role | Status |
|---|---|---|---|
| 2026-04-10 | Ross Millen | CTO | Approved |
| 2026-04-10 | Ross Millen | Head of Architecture | Approved |
| 2026-04-10 | Ross Millen | Head of Data | Approved |
Capabilities¶
| Capability | Description | Relationship |
|---|---|---|
| CAP-033 | Tenant data isolation | governed — data residency obligations (CPS 234) must be satisfied per tenant |
| CAP-034 | Jurisdiction configuration layer | governed — NZ/AU jurisdiction boundary follows cloud region decisions |
| CAP-035 | Per-jurisdiction regulatory report profiles | governed — regulatory reports must be generated from data in the correct region |
Related decisions¶
| ADR | Title | Relationship |
|---|---|---|
| ADR-002 | Snowflake as the analytics and risk compute platform | Snowflake region is co-located with the application tier |
| ADR-022 | CI/CD and deployment strategy | cloud provider is a prerequisite for pipeline infrastructure |
| ADR-035 | Snowflake account configuration and data residency | supplements this ADR for Snowflake-specific data residency |
All ADRs
Compiled 2026-05-22 from source/entities/adrs/ADR-023.yaml