Skip to main content

Overview

MCSP supports two storage tiers for uploaded content:

Global Storage (Default)

Content stored in the primary cloud region, replicated across AZs, and served via the global CDN. No data sovereignty guarantees.

Nigeria Residency (Premium)

Content stored exclusively on MTN Cloud infrastructure physically within Nigeria. Never replicated outside the Nigeria region. Enforced at the IAM layer. Billable feature.
Residency decisions are immutable. Once the Residency Policy Engine records a NIGERIA or GLOBAL decision at upload time, that decision cannot be changed by any application principal. Enforcement is backed by cloud IAM bucket policy — not application code.

Nigeria Residency Isolation Model

ComponentDesign
Storage isolationDedicated object storage bucket in MTN Cloud Nigeria. IAM bucket policy explicitly DENIES replication to any other region. This is an infrastructure-layer control, not an application-layer flag.
Metadata isolationA Postgres replica in the Nigeria region holds metadata for residency-flagged content. The global Postgres instance stores only a residency pointer and a content stub — no PII or sensitive metadata is held outside Nigeria for residency content.
Upload routingUpload Ingestor reads the residency decision from the job descriptor. If residency = NIGERIA, both the staging object and the transcode output are written directly to the Nigeria bucket — the global hot bucket is never touched.
CDN servingResidency content is served from a Nigeria CDN origin (MTN network PoP within Nigeria). Global CDN edge caching is explicitly excluded for residency-flagged content.
Access controlThe Nigeria residency bucket is accessible only to services running inside the Nigeria VPC. Services in the global VPC access residency content via VPC Peering through a controlled ingress in the Nigeria VPC. No direct cross-VPC bucket access is permitted.
Serving residency content exclusively from a Nigeria CDN origin limits global delivery performance for international diaspora users accessing residency-flagged content. This is a deliberate, documented tradeoff for the sovereignty guarantee.

Residency Policy Engine (RPE)

The RPE is the authoritative decision-maker for all storage routing decisions. Before any write operation, the calling service queries the RPE with the contentId and userId/orgId. The RPE evaluates a three-level priority hierarchy:
1

Organisation-level default policy (highest priority)

If the content belongs to an organisation that has set a default residency policy, that policy applies unconditionally to all uploads by members of that organisation.
2

Creator preference at upload

If no organisation policy applies, the RPE respects the creator’s residency preference submitted at upload session creation.
3

Platform default (lowest priority)

If neither an organisation policy nor a creator preference is set, content routes to global storage.
The RPE returns a routing decision — GLOBAL or NIGERIA — and writes an immutable policy decision record to the audit log. The RPE rejects any attempt to change the decision for a content ID that has already been decided.

Residency Compliance Audit

Every residency decision record contains:
FieldValue
content_idUnique content identifier
user_idCreator or uploader
org_idOrganisation (if applicable)
decisionNIGERIA or GLOBAL
decision_timestampISO 8601 UTC timestamp
rpe_versionRPE software version at decision time
policy_ruleThe rule ID that triggered the decision
Audit log writes are synchronous and write-path critical. Unlike fire-and-forget telemetry, audit log write failures are surfaced back to the calling service. The audit store uses an append-only schema — no DELETE or UPDATE is permitted by any application principal.
Audit records are queryable by compliance teams and exportable as a verifiable residency compliance report. The Nigeria residency bucket emits access logs to a dedicated compliance log store within the Nigeria region — logs do not leave Nigeria.

Access Control Summary

See ADR-003 for the architectural decision record covering why IAM-enforced bucket policy was chosen over application-layer-only enforcement.

Build docs developers (and LLMs) love

Get started for freeTalk to us