Architecture Decision Record: Customer Data Residency
Decision Title: Choosing to store customer data in dedicated databases within Microsoft Azure's UK South region
Decision Maker: CEO
Date: 27-11-2023
Status: Approved
Problem Statement
We need to decide on an Azure managed relational database service that scales to support a high volume of transactions and securely stores customer data within the UK.
Decision Considerations
- Available in the Azure UK South region
- Resilient to Azure availability zone failures
- Supports encryption at rest using customer-managed keys
- Works with database automation tools, e.g. SQLAlchemy, Flyway
- Cost effective as new customers are onboarded
Considered Options
- Shared Azure Database for MySQL server with a dedicated database per customer, encrypted at rest with a shared customer-managed key.
- Dedicated Azure Database for MySQL server per customer, encrypted at rest with a dedicated customer-managed key.
- Shared Azure SQL Database logical server with a dedicated database per customer, each encrypted at rest with a dedicated customer-managed key using transparent data encryption (TDE).
Decision
Although maintaining a dedicated Azure Database for MySQL server per customer (option 2) is neither the most cost-effective nor the most scalable option, it reduces the blast radius of an accidental misconfiguration or a malicious attack: each customer's data is isolated on its own server and encrypted at rest with its own customer-managed key, so a compromised server or key exposes one customer rather than all of them.
However, we believe that moving to Azure SQL Database (option 3) may be the better option in the future: it significantly reduces infrastructure cost while still allowing each customer-specific database to be encrypted with a dedicated customer-managed key. It does increase the risk profile, though, because the shared server becomes a single point of failure.
Therefore, for now we will provision a dedicated Azure Database for MySQL server for each Reg-1 customer, encrypted at rest with a dedicated customer-managed key.
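The decision above is only as good as its enforcement, so a practitioner would want a check that every customer server still matches it: UK South, zone-redundant, customer-managed key, and no key shared between customers (the shared-key arrangement is exactly option 1, which was rejected). The following script is an added example and is not part of the original ADR or any project code. It models the server inventory on the `Microsoft.DBforMySQL/flexibleServers` resource shape as returned by `az mysql flexible-server show` (`location`, `properties.highAvailability.mode`, `properties.dataEncryption.type` and `primaryKeyURI`); treat those field names as an assumption to confirm against the API version you deploy with. The inventory is constructed sample data, not real servers.

```python
"""Check per-customer Azure Database for MySQL servers against the ADR.

Added example, not the ADR's own tooling. Field names are an assumption
modelled on the flexibleServers resource; confirm them before relying on
this. SAMPLE_SERVERS is constructed data, not a real inventory.
"""
from collections import defaultdict

REQUIRED_REGION = "uksouth"
REQUIRED_HA_MODE = "ZoneRedundant"       # survives an availability zone failure
REQUIRED_ENCRYPTION = "AzureKeyVault"    # customer-managed key, not SystemManaged


def key_identity(key_uri: str) -> str:
    """Strip the version segment so a rotated key is not mistaken for a new one.

    Key Vault key URIs look like https://<vault>.vault.azure.net/keys/<name>/<version>;
    two servers on different versions of the same key still share that key.
    """
    parts = key_uri.rstrip("/").split("/")
    if len(parts) >= 5 and parts[-3] == "keys":
        return "/".join(parts[:-1])
    return key_uri


def check_server(server: dict) -> list[str]:
    """Return the ADR violations for one server (empty list means compliant)."""
    findings = []
    props = server.get("properties", {})
    region = server.get("location", "").replace(" ", "").lower()
    if region != REQUIRED_REGION:
        findings.append(f"region is {server.get('location')!r}, expected {REQUIRED_REGION}")
    ha_mode = props.get("highAvailability", {}).get("mode")
    if ha_mode != REQUIRED_HA_MODE:
        findings.append(f"high availability mode is {ha_mode!r}, expected {REQUIRED_HA_MODE}")
    enc = props.get("dataEncryption", {})
    if enc.get("type") != REQUIRED_ENCRYPTION:
        findings.append(f"data encryption is {enc.get('type')!r}, expected {REQUIRED_ENCRYPTION}")
    elif not enc.get("primaryKeyURI"):
        findings.append("customer-managed key selected but no primaryKeyURI set")
    return findings


def check_inventory(servers: list[dict]) -> dict[str, list[str]]:
    """Per-server findings plus the cross-server check that no two customers share a key."""
    findings = {s["name"]: check_server(s) for s in servers}
    users_of_key = defaultdict(list)
    for s in servers:
        uri = s.get("properties", {}).get("dataEncryption", {}).get("primaryKeyURI")
        if uri:
            users_of_key[key_identity(uri)].append(s["name"])
    for key, names in users_of_key.items():
        if len(names) > 1:
            for name in names:
                others = sorted(set(names) - {name})
                findings[name].append(f"key {key} is shared with {others}")
    return findings


def _server(name, location, ha_mode, enc_type, key_uri=None):
    """Build a constructed server record in the assumed resource shape."""
    enc = {"type": enc_type}
    if key_uri:
        enc["primaryKeyURI"] = key_uri
    return {"name": name, "location": location,
            "properties": {"highAvailability": {"mode": ha_mode}, "dataEncryption": enc}}


# Constructed sample inventory: one compliant server, one sharing its key
# (option 1 by accident), one in the wrong region without zone redundancy,
# and one still on the platform-managed key.
SAMPLE_SERVERS = [
    _server("mysql-customer-a", "uksouth", "ZoneRedundant", "AzureKeyVault",
            "https://kv-customer-a.vault.azure.net/keys/cmk-a/0123abcd"),
    _server("mysql-customer-b", "uksouth", "ZoneRedundant", "AzureKeyVault",
            "https://kv-customer-a.vault.azure.net/keys/cmk-a/4567ef01"),
    _server("mysql-customer-c", "ukwest", "SameZone", "AzureKeyVault",
            "https://kv-customer-c.vault.azure.net/keys/cmk-c/89ab2345"),
    _server("mysql-customer-d", "UK South", "ZoneRedundant", "SystemManaged"),
]

if __name__ == "__main__":
    for name, issues in check_inventory(SAMPLE_SERVERS).items():
        status = "OK" if not issues else "FAIL"
        print(f"{status} {name}")
        for issue in issues:
            print(f"  - {issue}")
```

Run it against the real inventory by replacing `SAMPLE_SERVERS` with the parsed output of `az mysql flexible-server list`; the key-sharing check is the one that distinguishes the chosen option 2 from the rejected option 1, and it compares keys without their version so routine rotation does not produce false negatives.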