Stripe's Zero-Downtime Data Movement Platform Migrates Petabytes with Millisecond Traffic Switches


Stripe's Zero-Downtime Data Movement Platform handles petabyte-scale database migrations with millisecond cutovers. This in-house system ensures data consistency and minimal disruption for $1.4T in transactions.

During QCon San Francisco 2025, Stripe staff software engineer Jimmy Morzaria unveiled the company's Zero-Downtime Data Movement Platform. This innovative system facilitates petabyte-scale database migrations with traffic cutovers that typically complete in milliseconds. Supporting Stripe's critical infrastructure, the platform manages over 5 million database queries per second across more than 2,000 MongoDB-based shards, achieving 99.9995% reliability for $1.4 trillion in annual transactions.

The platform's six-phase migration blueprint is built on three core principles: ensuring data consistency with downtime shorter than typical node failover events, minimizing performance impact on live queries, and effectively handling shards that range from small datasets to tens of terabytes.

Stripe's DocDB zero-downtime data movement stages

The data migration process begins with a "migration registration" phase, which updates the routing metadata service to register the new target shards and their respective key ranges, establishing the data's intended destination. This is followed by the bulk data import phase, which transfers the primary dataset using an optimized service. Morzaria detailed how this service achieves a tenfold (10x) write-performance improvement over standard imports by reordering inserts to align with MongoDB's B-tree storage engine, sorting items by their most-used indexes within each shard.

Following the import, the asynchronous replication phase commences. A dedicated replication service ensures bidirectional synchronization between source and target shards. This critical step captures ongoing changes from the source data while also replicating modifications back to the source shards. This bidirectional capability is essential, enabling complete migration rollbacks if any issues arise, serving as a vital safety mechanism for sensitive financial data.

Architecture overview of the Async Replication step in the zero-downtime migration

After replication, a validation service conducts comprehensive correctness checks, meticulously comparing data between source and target shards. This thorough verification step ensures data integrity across the entire migration boundary before proceeding to the traffic switching phase.

The traffic switch, or cutover, is arguably the platform's most technically sophisticated phase. Utilizing what Morzaria describes as "versioned gating," this mechanism orchestrates version updates across the database proxy service, coordinator, routing service, and replication service.

The traffic switch stage is based on "versioned gating", allowing minimal downtime

This process initiates with client applications querying through the proxy at version one, routing to the source database. The coordinator subsequently sets version two and verifies replication synchronization. Upon confirmation, the proxy fetches new routes and begins querying with version two, directing traffic to the target database. Simultaneously, the original source shard continues to receive updates, preserving rollback capability. This entire coordination process typically completes within milliseconds, with a maximum duration of 2 seconds, ensuring customer disruption remains imperceptible.
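The cutover sequence described above can be sketched as a small single-process simulation. This is an added illustration, not Stripe's code: every class and function name is hypothetical, and the rule that a shard rejects requests below its gate version, the proxy's retry-on-rejection, and the equality check standing in for replication verification are assumptions the article does not spell out.

```python
# Added sketch of versioned gating; all names are hypothetical.
from dataclasses import dataclass, field

class StaleVersion(Exception): pass    # request carried a version below the gate

@dataclass
class Shard:
    name: str
    gate: int = 1                      # lowest routing version this shard accepts
    data: dict = field(default_factory=dict)

    def write(self, version, key, value):
        if version < self.gate:        # assumed rejection rule, not from the page
            raise StaleVersion(self.name)
        self.data[key] = value

@dataclass
class Routing:                         # stand-in for the routing metadata service
    version: int
    shard: Shard

class Proxy:
    def __init__(self, routing):
        self.routing = routing
        self.version, self.shard = routing.version, routing.shard  # cached route

    def write(self, key, value):
        try:
            self.shard.write(self.version, key, value)
        except StaleVersion:           # gate closed: refetch the route, retry once
            self.version, self.shard = self.routing.version, self.routing.shard
            self.shard.write(self.version, key, value)
        return self.shard.name

def replicate(src, dst):
    """Stand-in for the replication service: apply src's state to dst."""
    dst.data.update(src.data)

def cutover(routing, source, target):
    """Coordinator: set the new version, verify sync, then publish the route."""
    new_version = routing.version + 1
    source.gate = new_version          # version-1 writes to the source now fail
    replicate(source, target)          # drain changes still in flight
    if source.data != target.data:     # verification failed: do not switch
        source.gate = routing.version  # reopen the source and abort
        return False
    target.gate = new_version
    routing.version, routing.shard = new_version, target
    return True
```

A write that arrives after the gate closes but before the new route is published fails on its retry as well; that interval corresponds to the brief cutover window. Calling `replicate(target, source)` after the switch models the reverse replication that keeps the source current for rollback.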

The migration concludes with deregistration, which involves cleaning up metadata and decommissioning the migration infrastructure. Beyond its primary use for horizontal scaling, Stripe leverages this platform for various other critical operations, including shard merging, MongoDB version upgrades across multiple major releases, and tenancy model transitions. Morzaria highlighted that Stripe's substantial foundational investments have enabled these tools to effectively serve a broad spectrum of scenarios, extending far beyond their initial design scopes.

Stripe developed its DocDB platform in-house, opting against managed services due to specific requirements concerning security policy enforcement, predictable performance, and multi-tenancy support with enforced quotas. By 2020, as individual shards grew to tens of terabytes, the company recognized the critical need for a systematic approach to data movement. Morzaria underscored the business imperative, noting that 40% of customers abandon transactions following payment denials, making zero-downtime migrations an absolute necessity. Therefore, the build-versus-buy decision was strategically sound for Stripe, aligning with its unique requirements and security demands.