Annex — Regional Architecture
China Architecture
Data sovereignty constraints, infrastructure separation, and regulatory requirements for China market operations. Documents the distinct architecture track required for compliance.
Why this matters
China regulatory and infrastructure constraints require a distinct architecture track. Treating China as a configuration overlay will fail compliance.
What this informs
ADR-004 (China as parallel track), infrastructure vendor selection, and the cross-border data flow model required for Phase 1.
What remains unresolved
CAC security assessment timeline uncertain. Cross-border data flow model not yet defined. Local support team structure pending.
Requirements: 8
Confirmed: 3
Pending: 5
Categories: 5
Open Questions: 5
Data Sovereignty
Personal data of Chinese citizens must be stored within mainland China
Status: Confirmed
Separate data infrastructure required. No replication to global data centres without explicit consent and regulatory approval.
PIPL (Personal Information Protection Law) effective Nov 2021. Applies to all PII including vehicle owner data, service records.
Cross-border data transfer requires security assessment
Status: Decision needed
Any data flowing from China to global systems must pass CAC (Cyberspace Administration of China) security assessment. Threshold: 100,000+ personal records or 10,000+ sensitive records.
Assessment timeline: 45–60 working days. Must be completed before go-live of any integrated system.
Infrastructure
ICP (Internet Content Provider) licence required for all internet-facing services
Status: In progress
Domain registration, hosting, and CDN must be China-based. ICP filing required before DNS resolution works within China.
ICP licence tied to specific domain and hosting provider. Change of provider requires re-filing.
Great Firewall constraints on external service access
Status: Confirmed
Global SaaS services (Google Cloud, AWS global, Salesforce) are unreliable or blocked. Cloud infrastructure must use China-approved providers (Alibaba Cloud, Tencent Cloud, Huawei Cloud).
API calls to global endpoints will fail intermittently. All external integrations need China-local alternatives or relay services.
Integration
WeChat ecosystem integration for dealer and customer channels
Status: In progress
WeChat Mini Programs are the primary mobile interface in China. Native app distribution is secondary. Payment via WeChat Pay / Alipay, not Stripe.
WeChat Mini Program approval process: 5–10 working days. Content review on each deployment.
Local mapping and location services required
Status: Confirmed
Google Maps unavailable. Must use Amap (Gaode) or Baidu Maps for dealer locator, service routing, and geolocation features.
Map API licensing is separate from global agreements. Coordinate system uses GCJ-02, not WGS-84.
Compliance
Automotive data security regulations (GB/T 40855-2021)
Status: Decision needed
Vehicle telematics data classified as important data. On-board diagnostics, location tracking, and driving behaviour data subject to additional controls.
Regulation evolving. Ministry of Industry and Information Technology (MIIT) guidelines expected to tighten. Architecture must accommodate future requirements.
Operations
Local support and operations team
Status: Draft
24/7 operations cannot be managed from global NOC alone. Local incident response, regulatory liaison, and vendor management required.
Partner model vs. local hire decision pending. Minimum team: 2 ops engineers, 1 compliance officer.
China Infrastructure Topology
Cloud provider selection, CDN, DNS, and network architecture for China-based deployment. Alibaba Cloud / Tencent Cloud evaluation.
Status: Draft
Regional Architect
Cross-Border Data Flow Model
What data crosses the China boundary, through which mechanisms, and with what compliance controls. CAC assessment scope.
Status: Draft
Compliance Officer
Unresolved Questions
Should the China platform share the same domain model as global, or evolve independently?
What is the minimum viable integration between China and global systems?
Can telematics data be processed locally and only aggregated insights shared globally?
Which China cloud provider aligns best with the enterprise's existing Asia-Pacific infrastructure?
What is the timeline for CAC security assessment, and does it block Phase 1?
Guardrails
No personal data of Chinese citizens stored outside mainland China without CAC approval.
All internet-facing services require valid ICP licence before DNS activation.
Cloud infrastructure must use China-approved providers — no AWS/GCP/Azure global regions.
WeChat Mini Program approval required for each deployment — content review is mandatory.
Vehicle telematics data classified as important data under GB/T 40855-2021.
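A pre-deployment check that applies the guardrails above to a service and data-flow inventory, as an added example that is not part of the original annex. The inventory schema, finding codes and sample entries are hypothetical; the provider list and CAC record thresholds are the ones stated in this annex. Treating any unapproved telematics export as a finding is an assumption.

```python
from collections import namedtuple

# Provider list and thresholds come from the annex; the schema is hypothetical.
APPROVED_PROVIDERS = {"Alibaba Cloud", "Tencent Cloud", "Huawei Cloud"}
CAC_PERSONAL, CAC_SENSITIVE = 100_000, 10_000  # record-count thresholds

Service = namedtuple("Service", "name provider internet_facing icp_licence dns_active")
Flow = namedtuple(
    "Flow", "name leaves_mainland personal_records sensitive_records telematics cac_approved"
)

def check_service(s):
    """Return guardrail findings for one deployed service."""
    out = []
    if s.provider not in APPROVED_PROVIDERS:
        out.append("PROVIDER_NOT_APPROVED")
    if s.internet_facing and s.dns_active and not s.icp_licence:
        out.append("DNS_ACTIVE_WITHOUT_ICP")
    return out

def check_flow(f):
    """Return guardrail findings for one data flow."""
    if not f.leaves_mainland or f.cac_approved:
        return []  # stays in mainland China, or already cleared by CAC
    out = []
    if f.personal_records or f.sensitive_records:
        out.append("PERSONAL_DATA_EXPORT_WITHOUT_CAC")
    if f.personal_records >= CAC_PERSONAL or f.sensitive_records >= CAC_SENSITIVE:
        out.append("CAC_ASSESSMENT_THRESHOLD_MET")
    if f.telematics:  # assumption: any unapproved telematics export is flagged
        out.append("TELEMATICS_IMPORTANT_DATA")
    return out

# Constructed sample inventory (not real systems).
SERVICES = [
    Service("dealer-portal", "Alibaba Cloud", True, True, True),
    Service("owner-api", "AWS global", True, False, True),
]
FLOWS = [
    Flow("service-records-sync", True, 250_000, 0, False, False),
    Flow("fleet-telemetry-aggregate", True, 0, 0, True, False),
    Flow("local-crm-backup", False, 500_000, 20_000, False, False),
]

def audit():
    """Map each non-compliant inventory item to its list of findings."""
    findings = {s.name: check_service(s) for s in SERVICES}
    findings.update({f.name: check_flow(f) for f in FLOWS})
    return {name: codes for name, codes in findings.items() if codes}
```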
Decision Layer
Decisions Supported
ADR-004 (China as parallel track). This annex provides the evidence base for that decision.
Dependencies
CAC security assessment (45–60 days) on the critical path. ICP licensing required before any China deployment.
Next Actions
Engage regulatory counsel for CAC pre-assessment. Define cross-border data flow model. Evaluate cloud providers.
Confidence
Low — requirements documented but validation with regulatory counsel and infrastructure partners not yet initiated.