Problem
Banks needed a secure way to collect regulated forms from branches and customers while preserving every edit, attachment, and signature. The existing solution stored only final PDFs, which made it impossible to reconstruct a submission during audits or explain how a form evolved over time.
Constraints
The system had to support strict data retention, multiple jurisdictions, and offline branch operations. Regulatory teams required a clear chain of custody, immutable records, and evidence of who changed what and when.
Architecture
Diagram placeholder
Service map with a Forms service, Submissions service, Audit Log, and an immutable object store.
The platform was split into small services: a Forms service for schema and versioning, a Submission service for user responses, and an Audit service that consumed events from both. Each submission was stored as an append-only journal so that edits could be replayed.
Key decisions & trade-offs
Versioning was enforced at the schema level rather than the UI to avoid silent drift. We accepted slower release cadence in exchange for deterministic migrations and schema diffs that could be audited later. The Forms service owned all validation rules so that client behavior could not bypass server-side checks.
Security & compliance
Every record was signed with an internal integrity key and stored in WORM-compliant storage. Access was partitioned by region, with strict least-privilege roles for branch, compliance, and ops teams. All retrievals were logged and reconciled against retention policies.
Outcome
Audits moved from weeks of manual reconstruction to hours of automated retrieval. The team gained repeatable submissions, reliable version history, and predictable incident recovery.
What I’d improve next
Add self-serve audit dashboards so compliance can answer common questions without engineering support, and shorten schema migration lead time with better preview tooling.