The Principle × Lifecycle Matrix
Each cell is an intersection of a governing principle and a lifecycle stage. Tap any chip to open the pattern — or browse the full catalogue via the tab above.
Pattern Field Guide
A compact, Google Cloud Architecture-style reference for every data-architecture pattern referenced across Tiers 1–3, grouped by canonical source. Each pattern gets a clean diagram, a one-paragraph description, a use case, and the primary trade-offs. Tier 4 — governance and regulatory patterns — appears at the bottom as a Standards Mesh Reference list. For deep treatment of the 75 composable patterns (context · forces · solution · applicability · anti-patterns · standards mesh), see the Deep Catalogue tab.
The Deep Pattern Catalogue
Index of Patterns
| ID | Pattern | Principle | Data Lifecycle Stage | Governance Stage | Tier |
|---|
Standards Reference
Every pattern carries a standards mesh pointing to articles, principles, or controls it helps satisfy. Below is the consolidated reference set.
| Framework | Scope & Relevance to Data Architecture |
|---|---|
| BCBS 239 (2013) | Basel Committee Principles for Effective Risk Data Aggregation and Risk Reporting. 14 principles for G-SIBs and D-SIBs: governance (P1–P2), risk data aggregation (P3–P6), reporting (P7–P11), supervisory review (P12–P14). The foundational regulatory expectation for risk data architecture. |
| GDPR | EU Regulation 2016/679. Article 5 principles (lawfulness, minimisation, purpose limitation, storage limitation); Art. 17 right to erasure; Art. 25 by-design/by-default; Art. 28 processor obligations; Art. 30 records of processing; Art. 32 security; Arts. 44–49 cross-border transfers. |
| PDPA (Singapore) | Personal Data Protection Act. Nine consent-based obligations (consent, purpose, notification, access/correction, accuracy, protection, retention, transfer, accountability) plus mandatory breach notification. Revised 2020. |
| EU AI Act (2024) | Data-governance obligations within Regulation (EU) 2024/1689: Art. 10 data governance for training/validation/test sets; Art. 12 record-keeping; Art. 11 technical documentation; Art. 14 human oversight. Directly applicable to data architectures supporting AI. |
| NIST AI RMF | US voluntary framework with four functions (Govern, Map, Measure, Manage). Increasingly used to structure data-governance posture around AI systems, paired with ISO/IEC 42001 and the EU AI Act. |
| DAMA-DMBOK 2 (2017) | DAMA International's canonical practitioner reference — eleven knowledge areas around data governance: architecture, modelling, storage, security, integration, reference/master data, metadata, quality. The default vocabulary for enterprise data management. |
| DCAM (2023) | EDM Council Data Management Capability Assessment Model. Eight components × five maturity levels. Widely used in BFSI for measurable data-management posture aligned to BCBS 239. |
| ISO 8000 series | International data-quality standards: 8000-61 (quality management process), 8000-110 (characteristics), 8000-115 (master data quality), 8000-116 (master data exchange). Formal vocabulary cross-organisation. |
| ISO/IEC 27001:2022 | Information Security Management System. Annex A controls including A.8.2 classification, A.9 access control, A.10 cryptography, A.12.4 logging, A.15 supplier relationships. |
| ISO/IEC 27701:2019 | Privacy Information Management System extension to 27001. PII controller and processor controls providing a structured path to evidence GDPR/PDPA compliance. |
| ISO/IEC 27040 | Storage security. Block/file/object storage protection, cryptographic erase, sanitisation, backup security — complements 27001 for data at rest. |
| ISO/IEC 38505 | Governance of Data. Evaluate-Direct-Monitor cycle applied to organisational data, covering accountability and value realisation. |
| ISO/IEC 11179 | Metadata Registries. Structural foundation for enterprise catalogues: framework, metamodel, data definitions, naming principles. |
| MAS TRMG / FEAT | Monetary Authority of Singapore — Technology Risk Management Guidelines (2021) and Fairness/Ethics/Accountability/Transparency principles (2019). Data residency, outsourcing, protection, privileged access, responsible analytics. |
| MAS 626 / HKMA | MAS Outsourcing Notice 626 (Singapore) and HKMA Supervisory Guidelines (Hong Kong). Vendor-held data, cross-border transfer, right-to-audit, exit management expectations. |
| SOX (2002) | Sarbanes-Oxley Act. Sections 302 (management certification) and 404 (internal control reporting). Applies to IT general controls and data-integrity controls on any system in scope of financial reporting. |
| SOC 2 (AICPA) | Trust Services Criteria: Security (CC1–CC9), Availability, Processing Integrity, Confidentiality, Privacy. CC7 System Operations and CC8 Change Management are most directly relevant to data platforms. |
| CCPA / CPRA | California Consumer Privacy Act (2018) and Privacy Rights Act (2023). Extra-territorial privacy regime with consumer rights (know, delete, correct, opt-out) and sensitive PI categorisation. |
| PCI DSS v4.0 | Payment Card Industry Data Security Standard. Mandatory for any system handling cardholder data. Requirements 3 (protect stored data), 4 (protect in transit), 7–8 (access), 10 (logging). |
| NIST SP 800-88 | Guidelines for Media Sanitization. Clear, purge, destroy methods plus cryptographic erase as an accepted method. Widely adopted in commercial destruction practice. |
| NIST SP 800-207 | Zero Trust Architecture. Never trust, always verify; least privilege; explicit authorisation per request. The reference model for modern access control. |
| Dehghani Data Mesh | O'Reilly book (2022) codifying four principles — domain ownership, data as a product, self-serve platform, federated computational governance. The predominant modern paradigm for federated data architecture. |
Bibliography & Primary Sources
Every pattern in this catalogue is synthesised from one or more of the following primary references. Books and papers are cited with author and year; regulatory frameworks with publisher and effective date; vendor documentation with publisher and current page title.
Colophon & Method
Why a Pattern Catalogue
Software architecture matured once its patterns were codified. Data architecture has followed a similar arc — with patterns crystallising across four decades of practitioner and regulatory experience, from the dimensional modelling of the 1990s through the data-mesh synthesis of the 2020s. This catalogue organises those patterns as principle × lifecycle × tier, mapped to their codified source in each case.
This catalogue treats each design decision as a reusable primitive — a named solution to a recurring problem in a specific context — rather than as a framework feature. Reflection is a pattern; LangGraph is an implementation.
Every pattern has three depths: a sketch (card), a reference (modal body), and a mapping (standards grid). Start shallow. Deepen only when implementing.
Primary Sources
S1. Zhamak Dehghani — Data Mesh: Delivering Data-Driven Value at Scale (O'Reilly, 2022). The codifying text for the federated data paradigm.
S2. DAMA International — DAMA-DMBOK 2: Data Management Body of Knowledge (2nd Ed., 2017). Eleven knowledge areas; the default vocabulary.
S3. EDM Council — DCAM: Data Management Capability Assessment Model (2023). Eight components, five maturity levels; the BFSI capability yardstick.
S4. Kimball & Ross — The Data Warehouse Toolkit (3rd Ed., 2013). Dimensional modelling canon.
S5. Bill Inmon — Building the Data Warehouse (4th Ed., 2005). Normalised EDW canon.
S6. Linstedt & Olschimke — Building a Scalable Data Warehouse with Data Vault 2.0 (2015). Hub-link-satellite ensemble modelling.
S7. Andrew Jones — Driving Data Quality with Data Contracts (Packt, 2023). Contract-first ingestion patterns.
S8. Richard Snodgrass — Developing Time-Oriented Database Applications in SQL (2000). Bitemporal and temporal query semantics.
S9. Martin Kleppmann — Designing Data-Intensive Applications (2017). Distributed data systems, idempotence, replication, reconciliation.
R. Regulatory and standards substrate — BCBS 239 · GDPR · PDPA (SG) · EU AI Act · NIST AI RMF · ISO 8000/27001/27701/27040/38505/11179 · MAS TRMG/FEAT/626 · HKMA · SOX · PCI DSS · SOC 2 · CCPA/CPRA · NIST SP 800-88 & 800-207.
Honest Caveats
Unlike software architecture, data architecture lacks a single ISO-grade canonical pattern corpus. This catalogue synthesises the most authoritative sources named above; it is not itself a standard.
DAMA-DMBOK is the closest the field has to a lingua franca, but it is a body of knowledge rather than a pattern catalogue in the software sense. DCAM supplies the capability model.
BCBS 239 (2013) remains the strongest regulatory driver for data-architecture discipline in BFSI. Its 14 principles implicate every pattern in this catalogue, directly or indirectly.
Standards mesh mappings are indicative. They do not constitute legal advice or regulatory endorsement.
Every pattern in this catalogue is traceable to at least one public reference. Where the field lacks a widely recognised name, the more general name is preferred. No proprietary methodology is reproduced.