Annex — Regional Architecture

Annex

China Architecture

Data sovereignty, regulatory requirements, and distinct architecture track. China operations cannot be treated as a configuration overlay on the global architecture.

DraftUpdated 17 Mar 2026

Why this matters

PIPL compliance, ICP licensing, and Great Firewall constraints are non-negotiable. Architecture decisions that ignore these requirements risk regulatory violation and service disruption.

What this informs

ADR-004 (China as parallel track), infrastructure partner selection, cross-border data flow design, and Phase 1 timeline dependencies.

What remains unresolved

CAC security assessment timeline not confirmed. Cloud provider selection pending. Cross-border data minimisation strategy under review.

Requirements

Confirmed

Pending

Personal data of Chinese citizens must be stored within mainland China

Confirmed

Separate data infrastructure required. No replication to global data centres without explicit consent and regulatory approval.

PIPL (Personal Information Protection Law) effective Nov 2021. Applies to all PII including vehicle owner data, service records.

Cross-border data transfer requires security assessment

Decision needed

Any data flowing from China to global systems must pass CAC (Cyberspace Administration of China) security assessment. Threshold: 100,000+ personal records or 10,000+ sensitive records.

Assessment timeline: 45–60 working days. Must be completed before go-live of any integrated system.

Infrastructure

ICP (Internet Content Provider) licence required for all internet-facing services

In progress

Domain registration, hosting, and CDN must be China-based. ICP filing required before DNS resolution works within China.

ICP licence tied to specific domain and hosting provider. Change of provider requires re-filing.

Great Firewall constraints on external service access

Confirmed

Global SaaS services (Google Cloud, AWS global, Salesforce) are unreliable or blocked. Cloud infrastructure must use China-approved providers (Alibaba Cloud, Tencent Cloud, Huawei Cloud).

API calls to global endpoints will fail intermittently. All external integrations need China-local alternatives or relay services.

Integration

WeChat ecosystem integration for dealer and customer channels

In progress

WeChat Mini Programs are the primary mobile interface in China. Native app distribution is secondary. Payment via WeChat Pay / Alipay, not Stripe.

WeChat Mini Program approval process: 5–10 working days. Content review on each deployment.

Local mapping and location services required

Confirmed

Google Maps unavailable. Must use Amap (Gaode) or Baidu Maps for dealer locator, service routing, and geolocation features.

Map API licensing is separate from global agreements. Coordinate system uses GCJ-02, not WGS-84.

Compliance

Automotive data security regulations (GB/T 40855-2021)

Decision needed

Vehicle telematics data classified as important data. On-board diagnostics, location tracking, and driving behaviour data subject to additional controls.

Regulation evolving. Ministry of Industry and Information Technology (MIIT) guidelines expected to tighten. Architecture must accommodate future requirements.

Operations

Local support and operations team

Draft

24/7 operations cannot be managed from global NOC alone. Local incident response, regulatory liaison, and vendor management required.

Partner model vs. local hire decision pending. Minimum team: 2 ops engineers, 1 compliance officer.

Architecture Diagrams

China Infrastructure Topology

Independent infrastructure stack showing cloud provider, CDN, data storage, and integration relay services.

Draft

Regional Architect

Cross-Border Data Flow Model

Data flow paths between China and global systems. Shows what data crosses borders, through which channels, and under which approvals.

Draft

Regional Architect

Open Questions

Should the China platform share the same domain model as global, or evolve independently?

What is the minimum viable integration between China and global systems?

Can telematics data be processed locally and only aggregated insights shared globally?

Which China cloud provider aligns best with the enterprise’s existing Asia-Pacific infrastructure?

What is the timeline for CAC security assessment, and does it block Phase 1?

Guardrails

All personal data must be stored on China-approved cloud infrastructure within mainland China.

Cross-border data transfers require completed CAC security assessment before go-live.

ICP licensing must be secured before any internet-facing service launches in China.

WeChat ecosystem is the primary customer and dealer channel. Native apps are secondary.

Architecture must accommodate tightening MIIT regulations on automotive data.

Decision Layer

Decisions Supported

ADR-004 (China parallel track). Guardrails inform all infrastructure and vendor decisions for China operations.

Dependencies

Blocks Phase 1 China scope. Depends on CAC assessment timeline, cloud provider selection, and cross-border data flow model.

Next Actions

Initiate CAC security assessment. Shortlist China cloud providers. Define minimum viable cross-border integration.

Confidence

Low-Medium — requirements are documented but timeline and partner selection carry significant uncertainty.

← Platform Deprecation

All outputs Next

Enterprise Alignment→