Question
Design region failover for a financial-records system (immutable double-entry transaction journal) with a hard RPO of 0 (zero committed transactions may be lost on a region failure) and RTO ≤ 30 seconds, across two primary regions 80ms apart plus a third 'witness' region. Zero RPO seems to demand synchronous cross-region replication, but the team refuses to pay 80ms on every commit. Reconcile these: define exactly what 'committed' means to a client, how failover decides it is safe to promote the standby without split-brain, and how you avoid a scenario where the old primary comes back and accepts writes that the new primary never saw. State precisely which failures you can survive at RPO 0 and which you cannot.
Clarify scale and constraints first. Propose a clean component breakdown, then go deep on the hard parts — data model, bottlenecks, consistency, failure modes — and name the trade-offs you are making.
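An added worked illustration of one design that fits the question's constraints (this is not part of the original question and not code from any real system): two data regions A and B plus a witness W, a 2-of-3 majority commit, and an epoch carried on every write as a fencing token. The simulation walks through a commit that lands on A and W just before A dies, a failover that is refused without a quorum and then succeeds once the witness votes, a returning old primary whose writes are fenced out, and a survivability check over the commit history. Assumptions, all mine rather than the question's: W stores full journal entries (otherwise no 2-of-3 quorum exists and RPO 0 against loss of a data region forces the write to A and B both before the ack, leaving only pipelining to hide the 80 ms); the RTT figures other than the 80 ms A-B pair are invented; the protocol is a cut-down Raft-style term scheme and omits persistence, retries and client idempotency keys.

```python
"""Three-region journal simulation: majority commit, epoch fencing, witness-arbitrated
failover. Added illustration only; the witness holding full entries and all RTTs
except the 80 ms A-B pair are assumptions."""
from dataclasses import dataclass

RTT_MS = {frozenset("AB"): 80, frozenset("AW"): 25, frozenset("BW"): 60}  # assumed
QUORUM = 2  # majority of three regions


@dataclass(frozen=True)
class Entry:
    epoch: int    # term of the primary that wrote it; doubles as the fencing token
    seq: int      # journal position
    payload: str


class Replica:
    """Durable state of one region: its log and the newest epoch it has promised to."""

    def __init__(self, name: str) -> None:
        self.name, self.epoch, self.log, self.up = name, 0, [], True

    def promise(self, epoch: int) -> bool:
        """Vote for a new primary; afterwards, writes with older epochs are refused."""
        if not self.up or epoch <= self.epoch:
            return False
        self.epoch = epoch
        return True

    def append(self, entry: Entry, leader_log: list) -> bool:
        """Fencing: refuse a stale epoch even when this region is healthy. If our log
        diverged from the leader's prefix (an uncommitted tail left by an old primary),
        discard that tail and take the leader's version before appending."""
        if not self.up or entry.epoch < self.epoch:
            return False
        self.epoch = entry.epoch
        prefix = list(leader_log[: entry.seq - 1])
        if self.log[: entry.seq - 1] != prefix:
            self.log = prefix
        self.log = self.log[: entry.seq - 1] + [entry]
        return True


class Primary:
    """Write coordinator in one region. During a partition two may exist; fencing
    lets only the one holding the newest epoch reach a majority."""

    def __init__(self, region: str, epoch: int, next_seq: int) -> None:
        self.region, self.epoch, self.next_seq = region, epoch, next_seq

    def write(self, replicas: dict, payload: str, reachable=None):
        """'Committed' to the client means durable in at least QUORUM regions.
        Returns (acked_to_client, entry, regions_holding_it)."""
        reachable = set(replicas) if reachable is None else reachable
        entry = Entry(self.epoch, self.next_seq, payload)
        self.next_seq += 1
        leader_log = list(replicas[self.region].log)
        holders = {n for n in reachable if replicas[n].append(entry, leader_log)}
        return len(holders) >= QUORUM, entry, holders


def commit_latency_ms(primary: str) -> int:
    """The ack waits for the nearest peer only, since any one peer completes the
    majority; the 80 ms pair is off the commit path while the witness is closer."""
    return min(ms for pair, ms in RTT_MS.items() if primary in pair)


def failover(replicas: dict, to: str):
    """Promote `to` only with a majority of promises (two primaries can never both
    hold a current epoch) and only after copying the most up-to-date voter log:
    every committed entry is on a majority, so some voter holds it (Raft's rule)."""
    new_epoch = max(r.epoch for r in replicas.values() if r.up) + 1
    voters = {n for n, r in replicas.items() if r.promise(new_epoch)}
    if to not in voters or len(voters) < QUORUM:
        return None  # no quorum: stay unavailable rather than risk split-brain
    best = max((replicas[n].log for n in voters),
               key=lambda log: (log[-1].epoch, log[-1].seq) if log else (0, 0))
    replicas[to].log = list(best)
    return Primary(to, new_epoch, best[-1].seq + 1 if best else 1)


def survives_loss(commit_holders: list, lost: set) -> bool:
    """RPO 0 holds for a failure set iff every committed entry is held outside it."""
    return all(holders - lost for holders in commit_holders)


def scenario() -> dict:
    reps = {n: Replica(n) for n in "ABW"}
    for r in reps.values():
        r.promise(1)
    pa, commits = Primary("A", 1, 1), []
    # t1 reaches A and W; A's region dies before B's copy lands. Still committed.
    ok1, _, h1 = pa.write(reps, "credit 100", reachable={"A", "W"})
    commits.append(h1)
    reps["A"].up = False
    reps["W"].up = False
    no_quorum = failover(reps, "B")          # only B can vote: refuse to promote
    reps["W"].up = True
    pb = failover(reps, "B")                 # B + W promise; B catches up t1 from W
    ok2, _, h2 = pb.write(reps, "debit 30", reachable={"B", "W"})
    commits.append(h2)
    reps["A"].up = True                      # old primary returns, still on epoch 1
    zombie_ok, _, _ = pa.write(reps, "zombie write")  # only A's own copy accepts it
    ok3, _, h3 = pb.write(reps, "credit 5")  # B's next write repairs A's dirty tail
    commits.append(h3)
    return {
        "commit_latency_from_A_ms": commit_latency_ms("A"),
        "t1_committed": ok1, "t1_holders": h1,
        "promote_without_witness": no_quorum,
        "t2_committed": ok2, "zombie_committed": zombie_ok, "t3_committed": ok3,
        "logs_converged": reps["A"].log == reps["B"].log == reps["W"].log,
        "survive_one_region": all(survives_loss(commits, {n}) for n in "ABW"),
        "survive_two_regions": survives_loss(commits, {"A", "W"}),
    }


if __name__ == "__main__":
    for k, v in scenario().items():
        print(k, v)
```

The survivability check is the part worth keeping in mind when stating guarantees: with a 2-of-3 commit, the loss of any single region keeps every acknowledged entry, but a simultaneous loss of two regions can drop an entry whose two copies were exactly the two lost ones, and losing both A and B leaves no quorum able to promote anyone even if W still holds the data. The zombie write also shows why the client-visible contract has to be "a failed or unacknowledged write is not in the journal": the old primary appends it locally, gets no majority, and the next write from the live primary truncates it.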