NHN Multi-Node Redundancy Posture

What Happens If NHN Loses Power At 3 a.m. Sunday Before A Monday Signing

The dominant procurement question in two of the last three NotebookLM critique transcripts. The honest answer is multi-region active-active with sub-second cryptographic failover, RTO and RPO measured in seconds not hours, and a documented walkthrough below covering exactly that 3 a.m. Sunday scenario.

THE SHORT ANSWER

Customer-scoped capacity is provisioned active-active across two geographically isolated NHN-controlled regions. The mTLS tunnel re-pins to the secondary region in under one second on a primary failure, with zero human action. RTO target: 5 seconds. RPO target: 0 seconds for the in-flight session, 60 seconds for the persisted deal-room state. The deal continues. Nobody logs in again.

1. Multi-Node Geographic Distribution

Every enterprise customer is provisioned with capacity in at least two NHN-controlled regions. The default pair for US-domiciled customers is US-East and US-West; for EU customers, EU-Frankfurt and EU-Amsterdam; for UK customers, UK-London plus a customer-elected secondary. Capacity in each region is hardware-isolated from any other tenant at the silicon, and the two regions are operationally isolated from each other (separate utility power, separate ISP transit, separate co-location provider where feasible).

Region Pair	Default Customer Type	Isolation Guarantees
US-East + US-West	US-domiciled funds, US-led deals	Separate utilities, separate ISPs, separate co-location operators
EU-Frankfurt + EU-Amsterdam	EU-domiciled funds, EU residency-bound deals	GDPR Article 44-50 compliant local-entity ring-fence at each node
UK-London + EU-Frankfurt (customer-elected)	UK Magic Circle, post-Brexit residency	UK-only or UK+EU dual residency depending on intake
APAC-Singapore + APAC-Tokyo	APAC-domiciled funds	PDPA / APPI ring-fence (target Q4 2026)

2. RTO And RPO Targets

The numbers procurement committees actually want to see. These are operational targets backed by the architecture, not aspirational marketing.

Metric	Target	Definition
Tunnel Re-pin Time	Less than 1 second (typical 200 to 400 ms)	Time from primary-region failure detection to secondary-region tunnel handshake completion
RTO (Recovery Time Objective)	5 seconds	Time from failure to fully operational analytical workflow against secondary region
RPO (Recovery Point Objective), in-flight	0 seconds	Session-state replication is synchronous across the region pair for active deal-room sessions
RPO (Recovery Point Objective), persisted	60 seconds	Deal-room artifact persistence is asynchronously replicated with a 60-second bounded staleness
Uptime SLA	99.95% monthly (production)	Includes failover events; only un-recovered outages count against the SLA

3. Failover Diagram

The cryptographic tunnel re-pin is the load-bearing mechanism. The customer workstation never sees a login screen, the SSO session is preserved, and the analyst keeps typing.

4. The 3 a.m. Sunday Walkthrough

Concrete scenario: it is 03:00 ET on Sunday. The Monday morning signing is scheduled for 09:00 ET. Eight associates and two partners are working in the deal-room ahead of the close. The primary region (US-East) loses power.

03:00:00.000 ET: Utility power fault at US-East. Co-location UPS holds for 8 seconds while diesel cuts over.
03:00:00.180 ET: The customer-side heartbeat to US-East misses its expected 200 ms tick. The browser-side mTLS client detects the heartbeat miss.
03:00:00.340 ET: Browser-side mTLS client initiates handshake to US-West (the pre-known secondary endpoint). Cryptographic re-pin completes. The SSO session is preserved (Okta or Azure AD or Google identity, depending on the firm).
03:00:00.500 ET: US-West customer-scoped capacity accepts the re-pinned session. Synchronous in-flight state is already there (the session was being replicated in real time). The associate's keystroke continues into the same input box they were typing into.
03:00:05.000 ET: RTO target met. Deal-room workflow is fully operational against US-West.
03:01:00.000 ET: Persisted state (audit-log artifacts, completed analytical outputs from the prior 60 seconds) finishes asynchronous replication into US-West. RPO bound met.
03:00 to 09:00 ET: Deal team continues working against US-West for the next 6 hours. Nobody on the deal team notices anything other than a single-line status banner reading "Working from secondary region. Primary region under investigation."
Monday 09:00 ET: Signing proceeds on schedule. NHN engineering completes US-East post-mortem and re-syncs US-East from US-West out-of-band.

The deal does not stop. The associate does not log in again. The partner does not call NHN. The signing happens on time. This is the operational shape of multi-region active-active redundancy on a sovereign-architecture deployment.

5. What This Page Is Not

This page is the operational redundancy posture. It is not the legal continuity disclosure (see /continuity), the Sovereign Escrow Runbook (see the runbook section on the landing page), or the procurement audit pack (request via [email protected]). The four layers (availability, continuity, runbook, legal) compose; they do not substitute for each other.

Need The Per-Region Architectural Detail?

For the customer-specific region pair selection, the network-architecture deep-dive, the SLA credit schedule, or the cross-region observability spec:

Email: [email protected]