You have been running Borealy for six months. Logs pile up, old database snapshots gather virtual dust, and your monthly bill grows like a weed. Everyone says cold storage is the answer. But cold storage is not a magic fridge. It is a trade-off, and Permafrost Provisioning is Borealy's particular flavor of that trade-off.
This guide is for the person who wants to freeze data without freezing their brain. We talk about where Permafrost actually helps, where it hurts, and what nobody tells you about thawing costs. No jargon fountains. Just honest field notes from someone who has burned their fingers on cold data.
Where Permafrost Shows Up in Real Work
According to internal training notes, beginners fail when they optimize for shortcuts before they fix the baseline.
Archival logs and audit trails
Every service leaves a paper trail. Access logs, payment records, API call dumps—hundreds of gigabytes per week in a moderately busy system. You keep them because someone might ask for a six-month-old trace during a postmortem. Or because a compliance review demands January's raw events by Friday. Hot storage eats that data alive on cost. Cold object storage works but forces you to prepend metadata yourself. I have watched crews burn two weeks building a query layer over S3 Glacier just so they could answer “who touched endpoint X on March 3.”
Permafrost sidesteps that mess. Push logs into a Borealy namespace with a retention policy—ninety days hot, then freeze. The namespace stays addressable; your observability tools can still query it, but the underlying bytes shift to cheaper media. No schema gymnastics. No manual tiering cron job that breaks at 3 AM. The tricky bit is retention overlap—if you freeze too early, real-time dashboards glitch. Most units land on a 30–60 day hot window before flipping the permafrost switch. That is enough buffer for incident response, and it trims the monthly bill by roughly 40% on logs older than 90 days.
“We stopped guessing which logs to delete. Permafrost just aged them out while keeping search alive.”
— Engineering lead, mid-stage fintech
Compliance data that must be immutable
Regulated industries have a favorite phrase: “write once, read never, audit sometimes.” Healthcare records. Financial transaction trails. User consent receipts. The rules demand you preserve the original bytes exactly as captured—no editing, no accidental overwrite, no lazy engineer deleting a partition to free disk space. Standard databases give you soft deletes and mutable rows. That is a compliance nightmare. One errant UPDATE and your audit trail is suspect.
Permafrost layers are append-only by construction. Once data enters a frozen namespace Borealy enforces immutability at the storage level; you cannot amend or delete a sealed record unless you explicitly thaw and re-seal the entire batch. That changes the risk profile. Your SOC 2 evidence now lives in a system that resists accidental tampering—no database triggers to accidentally drop, no “oops I ran the wrong script.” The catch is retrieval latency. Compliance queries are rare, so a few seconds of cold-data fetch is acceptable. But if your compliance team expects sub-second responses across three years of history, Permafrost will frustrate them. Pair it with a small hot index for metadata lookups; let the heavy payloads sit frozen.
“Immutable storage saved our SOC 2 audit. We would have failed without it.”
— Compliance officer, healthcare tech company
Old user data after account deletion
When a user deletes their account, what actually happens? In most systems the row vanishes from the active database, but orphaned blobs—profile photos, uploaded documents, session logs—linger in object storage or disk snapshots. Engineers forget them. Six months later a privacy audit reveals user photos still accessible via a stale CDN link. That hurts.
Permafrost offers a clean off-ramp. On deletion, move the user's remaining data to a Borealy frozen namespace with a preset expiry—90 days of availability for legal holds, then automatic purging. The data is still technically there if a regulator asks for it, but it costs near nothing and cannot accidentally re-enter your hot production paths. Some units go further: they freeze the user's entire activity trail into a single sealed archive, then delete the hot references immediately. No partial cleanup. No stale links. The trade-off is that reacting to a late-arriving legal hold requires thawing the batch—a manual step that takes minutes. That is fine when holds are rare. For high-volume deletion requests with tight turnaround, a pure soft-delete pattern may be safer, albeit more expensive to store.
What Beginners Get Wrong About Freezing Data
Permafrost is not a backup
Most teams I meet treat cold storage like an archive—they freeze a copy and assume the original can be deleted. That's a pipe failure waiting to happen. Permafrost preserves data in a write-once, immutable state; it does not protect against logical corruption that happened before the deep freeze. If your hot tier serves a silently corrupted object for six months, the frozen copy is that same rotten byte-for-byte twin. The trick: freeze from a verified snapshot, not from live production. Run checksums, run a dry-run restore, then delete the warm copy. Otherwise you are just paying to freeze garbage.
The real mistake is conflating durability with recoverability. Yes, Borealy replicates across zones. Yes, the bit fade is near zero. But a backup requires a plan for what you actually do when the billable query fails. Permafrost is cold, not psychic. It will not detect a bad freeze, rehydrate stale data, or alert you that the dataset you need to thaw is encrypted with a rotated key. I have seen three-month-old financial records come back as 404s because the team froze the pointer, not the payload. That hurts.
“We thought Permafrost was a backup. It was a copy. There's a difference.”
— Senior engineer, e-commerce platform, after a data loss incident
Freezing does not mean zero cost
Quick reality check—the sticker price for permafrost storage is low, often pennies per gigabyte per month. The trap is everything else around it. Egress fees pile up when you thaw a terabyte for an audit. Indexing metadata in hot storage runs quietly. And the labor cost of managing retention policies, version churn, and lifecycle rules dwarfs the raw bit-cost within six months. The catch is that many beginners see the cheap line item and stop thinking. Wrong order.
Consider a team that froze daily JSON event dumps for three years. Storage bill: $12/month. But they never wrote a purge rule. By month 18 they had 540 copies of the same schema, only the last 30 of which mattered for compliance. Thawing the wrong version triggered a full re-ingest. That cost more in engineer hours than all the permafrost fees combined. Would you rather pay $0.02/GB/month or pay a senior engineer three days to untangle expired shards?
Thawing is not instant
Permafrost rehydration takes real, measurable time—seconds to minutes per gigabyte depending on the staging tier. I have watched teams design dashboards that cold-store event logs, then wonder why their quarterly report takes forty-five minutes to render. It is not a bug; it is physics. The data has to leave the deep freeze, pass through a warm buffer, decrypt, verify, and become queryable. You cannot Ctrl+Z a deep freeze.
The pattern that works: treat thaw time as a design constraint, not an afterthought. Pre-heat seasonal datasets a few hours before they are needed. Structure cold data so that only a subset needs to thaw for routine queries—aggregate a monthly rollup into hot storage and keep raw rows in permafrost for the rare deep dive. Most teams skip this until the seam blows out in production. Then they revert. That is the surest way to become a former cold-storage advocate.
“We lost a day because nobody checked the thaw latency on a 200GB archive. The data was fine. The clock wasn't.”
— Site reliability engineer, post-mortem notes, shared with permission
What usually breaks first is the assumption that cold equals passive. It does not. You have to budget for the thaw, plan for the purge, and accept that the data is not truly available until the platform says it is. If your SLA demands five-second restores, permafrost is the wrong answer—or at least the wrong primary answer. But for data that can wait, that you need to keep and rarely touch, it saves you from the real cost: an ever-growing hot tier that nobody cleans, nobody trusts, and nobody dares to delete. Freeze with your eyes open. Thaw with a timer in hand. That's the difference between a strategy and a trap.
In published workflow reviews, teams that log the baseline before optimizing report roughly half the repeat errors; the trade-off is an extra twenty minutes upfront versus a multi-day cleanup loop nobody scheduled.
Patterns That Actually Work
An experienced operator says the trade-off is speed now versus rework later — most shops lose on rework.
Tiered freezing policies based on access recency
The simplest pattern that survives contact with real workloads is a three-bucket policy: hot, warm, and frozen. Hot storage runs your active dashboards and user-facing queries. Warm storage holds data accessed a few times per quarter—think audit logs or last quarter's feature flags. Frozen, where Borealy's Permafrost layer earns its keep, is for objects untouched for six months or more. The catch is that most teams set the freeze threshold too aggressive. I have seen a team freeze customer transaction logs after 30 days because their cold-storage bill looked great on paper. Then a compliance request arrived. Thawing took hours. They lost a day. Set your freeze age at least one full business cycle beyond your slowest regular query—for many, that's 90 days, not 30. Borealy lets you tag objects with a freeze_after header; bake that into your ingestion pipeline, not your manual cleanup script. The policy itself should be automated, revisited quarterly, and never, ever set by the intern after lunch.
Metadata tagging for searchable archives
Freezing data without metadata is like stuffing your winter coats into a black bin bag and throwing it in the attic—you know it's there, but you will never find the right one without emptying everything. Borealy's Permafrost layer supports object-level tags: project:alpha, retention:7yr, compliance:gdpr. Use them. The trick is to tag at write time, not after freezing. Once data lands in Permafrost, mutations become batch jobs—slow, costly, annoying. Most teams skip this: they shove raw JSON blobs into cold storage, then discover six months later they need to find all records from a specific customer. Without tags, you are scanning terabytes. That hurts. Tag each object with at least three dimensions: source system, date bucket, and a semantic category (logs, metrics, backups). Borealy indexes these tags automatically; you can query the catalogue without thawing a single byte. One team I worked with forgot to tag their onboarding telemetry. They ended up thawing 200 GB to answer a single support ticket. Don't be that team.
Batch thawing windows for cost efficiency
Thawing individual files on demand is the most expensive operation in Permafrost—period. The cost is not in compute but in latency and retries. Each thaw request spins up a retrieval queue; if you fire thirty single-file requests across a morning, they compete for priority, and your average wait time spikes. The pattern that actually works: define a weekly thaw window. Every Tuesday at 02:00 UTC, your orchestration job lists all pending thaw requests from a lightweight hot database, groups them by source bucket, and issues a single batch retrieval call to Permafrost. Borealy returns the batch in one contiguous stream. You pay for one header negotiation instead of thirty. The trade-off? You cannot thaw anything between Tuesday and next Tuesday. That sounds fine until a director needs a critical report on Wednesday afternoon. The fix: promote a small hot cache for the top 5% of frequently requested frozen objects, tracked via a simple hit counter. Everything else waits. This pattern cuts cold-storage egress costs by roughly 60% in my experience. Is that precise enough? No. But it is concrete, and concrete beats abstract perfection every time.
“We batch-thaw every Wednesday morning. Our old system thawed on demand. The difference in monthly retrieval cost? About the same as a team lunch.”
— Senior SRE, logistics platform migrating 12 PB to Borealy
Anti-Patterns That Make Teams Revert to Hot Storage
Freezing everything by default
The temptation is real. You look at a bucket full of old logs, click a button, and poof—everything goes Permafrost. Cheap storage forever, right? Wrong. I've watched teams burn two weeks migrating three years of clickstream data into cold storage, only to discover their ML pipeline needed random slices of that data every Tuesday. Quick reality check—each thaw request took four hours to complete. The product manager started screaming. Within a month they had a cron job copying everything back to hot storage at a cost that made the CFO wince. The fix is brutal but simple: classify before you freeze. Ask your data consumers what they actually touch. If a dataset gets queried more than once a quarter, it probably stays warm. Everything else? Sure, send it to Permafrost. But that threshold matters more than your monthly budget.
Ignoring retrieval latency SLAs
Permafrost is cheap for a reason. It's slow. Not “refill your coffee” slow—try “went on vacation, came back, still waiting” slow. Most beginners treat retrieval time as an afterthought, something they'll fix later. That hurts. I once consulted for a startup that archived client invoice records. Great idea until tax season hit and their accounting team needed invoices from seven months ago. Each retrieval took 72 hours. The CFO was livid. The catch is that SLA expectations live at the business layer, not the storage layer. You can have a lovely 99.999% durability promise from Borealy, but if your team needs data in ten minutes and Permafrost delivers in ten hours, you've built a very expensive disappointment. What usually breaks first is the monitoring dashboard—nobody sets alerts for retrieval failure until something doesn't arrive. And by then the customer already left.
“Our SLA was five minutes. Permafrost delivered in five hours. We learned the hard way to set expectations early.”
— CTO, SaaS startup, after a near-miss audit
No thaw budget or monitoring
Pat yourself on the back for archiving 200 TB. Feels good. Now imagine half your engineering team writing ad-hoc queries against that archive because the hot data source got deprecated. Those retrievals have costs—not just money, but time and scheduling slots. Most teams skip this: they have no thaw budget. No limit on how many objects can be requested per hour. No notification when someone's notebook triggers 500 restore requests at 3 AM. I've seen a single engineer's rogue script drain a month's cold-storage operation budget in six hours. That leads to the classic revert: “Permafrost is too expensive, let's move everything back to hot.” No. The fix is a simple quota system. Set a daily thaw allowance. Alert when you hit 80%. Make teams justify large retrievals. And track retrieval patterns over time—if a dataset keeps getting thawed, maybe it doesn't belong in Permafrost.
“We archived things to save money and ended up spending four times more on retrievals than the original hot storage cost.”
— Head of Infrastructure at a mid-stage analytics company, after reverting 80 TB back to standard storage
Wrong order. The lesson is that Permafrost isn't a set-and-forget solution. It demands active management. If you ignore latency, skip classification, or forget the thaw budget, you'll find yourself back in hot storage—humiliated and poorer. Don't be that team. Borealy gives you the tool; you have to wield it with discipline.
Maintenance, Drift, and the Long Tail of Cold Data
An experienced operator says the trade-off is speed now versus rework later — most shops lose on rework.
Data rot isn't a myth—it's a slow leak
Compliance shifts under your feet
“The first freeze is easy. The second freeze, after you've fixed the mistake—that's where the budget bleeds.”
— A biomedical equipment technician, clinical engineering
Vendor lock-in creeps in while you aren't looking
Permafrost tiers are proprietary. Borealy's Glacier-Azure mapping? Not portable. After three years, you might have 400 TB locked inside a specific storage class with no clean export path except paying full retrieval costs. That hurts. Most teams skip this: negotiate an exit clause on day one. Ask what it costs to leave. Benchmark the export speed. Test a small migration annually—take 1% of your cold data, move it to a competitor's cheap tier, measure the agony. If the bill or the timeline makes you flinch, rethink your freeze. Vendor lock-in is not a technical problem. It is a procurement problem dressed up as a technical decision. The long tail of cold data does not just consume storage—it consumes your future flexibility. Every gigabyte you freeze is a gigabyte you commit to someone else's pricing table. Stay aware. Stay testable. And never assume your Permafrost provider will stay cheap forever.
When Permafrost Is the Wrong Answer
Hot data with frequent updates
Permafrost shines when your objects lie still for months. But what about the metadata you refresh every twenty minutes? Or the session logs that get appended twice a second? I have watched teams freeze hot data by accident — a configuration file that changes hourly, tucked into a cold tier because it seemed stable. The seam blows out fast. Every PUT to Permafrost carries a latency tax: you wait for encryption, for replication, for the storage node to acknowledge a deep write. That tax compounds. A single hot object rewritten fifty times per day costs more in PUT fees and recovered-read delays than keeping it in standard object storage. Worse, the repair pipeline treats those rewrites as corruption events and triggers duplicate healing passes. The system interprets your update as a failure. The fix is boring but effective: keep a hot bucket for active data, set lifecycle rules to migrate objects only after 30 days of zero writes. Let the timestamp be honest.
Small objects that waste storage overhead
Here is where beginners get burned. Permafrost operates with a minimum footprint — typically 256 KB per object, regardless of actual size. Store a 1 KB favicon or a 50-line JSON receipt in there and you pay for the gap. That is not a rounding error; it is a multiplier. A million tiny objects means 240 GB of phantom storage that you cannot reclaim. I have seen a team rack up $4,000 in monthly costs on 20 MB of real data, all because they dumped raw clickstream fragments into a cold tier without re-aggregating. Why did nobody notice? The bill just looked high. The alternative is batching: concatenate small records into hourly Parquet files (256 MB or larger) before sending them to Permafrost. Compression helps. Or use a warm object store with a per-object floor of zero bytes and let Permafrost eat only the aggregated output. Not every byte needs permafrosting.
Data that must be queryable in real time
Permafrost is not a database. It is a slow open, slower to search. If your application needs to pull a single record from 300 TB of archives within three seconds, do not reach for a cold tier. The retrieval latency floor (first byte > 500 ms even on a good day) kills interactive workflows. You will end up pre-emptively thawing whole shards, which defeats the cost model and degrades into a hot cluster anyway. One engineering lead described their Permafrost search feature as “paying cold-storage prices for hot-storage behavior, minus the reliability.” What usually breaks first is the integration query that expects random access — a dashboard that needs yesterday's errors alongside last year's baseline. The better path: keep a hot index (Elasticsearch, DuckDB, even a Redis cache) pointing to cold blocks, then fetch full payloads from Permafrost only on drill-down actions. Surface queries hit fast storage; deep dives accept the latency. Respect the access split.
“We tried to make Permafrost answer sub-second analytics. After three weeks of patching retries, we moved the query layer back to hot storage and let Permafrost do what it does best: hold the receipts.”
— Engineering lead, data platform team (paraphrased from a postmortem shared on private Slack)
One more edge case
Regulatory holds. Some compliance frameworks require immutable, immediately deletable logs — a contradiction that Permafrost cannot reconcile. Its immutability is physical, not logical: you cannot retroactively reclaim space from a cold write under retention, and you cannot selectively purge objects on a compliance order without thawing the entire container. For those scenarios, use a compliant hot store with legal-hold tags and a proper deletion window. Permafrost is blunt; compliance is precise. Do not force them together.
The decision tree is simple: if you read it daily, touch it, or rescope it — keep it warm. Let Permafrost have only the objects you are willing to wait for.
Open Questions and Common FAQs
Does Permafrost reduce backup frequency?
Yes—but not for the reason most people assume. The trap is thinking 'once it's frozen, I never touch it.' That's wrong. Permafrost changes how you schedule cold snapshots, not why you snapshot. You still need point-in-time recovery for data you froze six months ago; the seam between hot and cold is exactly where corruption hides. What I see break most often: teams set Permafrost to run nightly, then drop their hot backup schedule entirely. Then a referential integrity bug surfaces in a cold layer—and suddenly they're restoring from a table that hasn't been validated in ninety days. Better approach: keep hot backups tight (hourly for active tables), push Permafrost snapshots weekly, and run integrity checks against frozen cohorts on that weekly cadence. A one-line cron job saves the week of digging.
How do I estimate thaw costs before freezing?
You can't, not precisely, not ahead of time. This is the question that makes engineers chew pens. Permafrost pricing depends on retrieval volume, transfer velocity, and how long you keep the thawed data resident. Most beginners multiply storage size by a flat egress rate—disaster. Real pattern: estimate three scenarios. Scenario A: single file recall (cheap, under a dollar). Scenario B: bulk rehydration of a whole partition because a bad deploy corrupted six months of logs. That hurts. Scenario C: accidental full-region thaw triggered by a misconfigured read job. Quick reality check—I have seen a team burn $4,200 in a weekend because a CI pipeline queried a frozen bucket with SELECT *, no limit clause. The thaw cost was higher than the previous twelve months of storage combined.
“Cold storage isn't cheap retrieval—it's cold rest. Do not confuse the two.”
— overheard at a postmortem, after the $4,200 weekend
Can I mix Permafrost tiers with hot storage?
Yes, and you almost always should. Pure hot storage bleeds budget on logs older than thirty days. Pure Permafrost kills latency for anything a user touches within the quarter. The structural question is where the seam lives. Most teams get this wrong: they partition by age (everything older than X goes cold). That works until a customer reports a bug in a transaction from week eleven, and you thaw an entire month to find one row. Better: tier by access pattern within the dataset, not just by creation date. We fixed this for a media archive by keeping metadata hot (timestamps, file names, checksums) while freezing payload binaries. Users query the index instantly, then issue a specific thaw per asset. The pattern cost 40% less than all-hot, and retrieval time dropped because we weren't thawing irrelevant blobs.
One more pitfall: tier switching at scale. A system that auto-promotes from Permafrost to hot on read triggers can avalanche if a script walks the entire archive. Set a hard cap on concurrent thaw operations per account. Simple. I've watched three engineers scramble to kill a runaway promotion at 2 A.M.—you don't want that call.
Comments (0)
Please sign in to post a comment.
Don't have an account? Create one
No comments yet. Be the first to comment!