Product Context

AtlasRec provides a recommendations platform for enterprise customers. Each tenant is a separate retailer or media app that wants personalized recommendations on its website and mobile app, but tenant data cannot leak across customers and some tenants require all data storage, training, and serving to stay within a specific region.

Scale

Task

Design an end-to-end multi-tenant recommendations service that satisfies strict privacy and data residency constraints. Address the following:

1. Clarify product requirements, tenant isolation guarantees, and what level of cross-tenant sharing is allowed, if any.
2. Propose a multi-stage recommendation architecture (retrieval → ranking → re-ranking) that works for both large tenants with rich data and small tenants with sparse data.
3. Design the offline and online data/feature architecture, including how training, feature computation, and model serving respect regional residency rules.
4. Explain how you would handle cold start, model updates, and feature freshness without introducing training-serving skew.
5. Define offline and online evaluation, including tenant-level metrics, privacy/compliance guardrails, and rollout strategy.
6. Identify major failure modes such as data leakage, stale regional models, feature drift, and regional outages, with detection and mitigation.

Constraints

• No raw user-level data may move across tenant boundaries.
• Some tenants prohibit even model parameter sharing across regions; assume the strictest tenants require fully region-local training and serving.
• p99 latency must stay under 180ms, including policy filtering.
• Cost matters: the platform must support many small tenants without dedicating a full GPU fleet per tenant.
• Auditable compliance is required: every feature, model, and request path must be attributable to a tenant and region.