MHSRIP · Scale Internal · April 2026
Operations brief · SA-first scaling plan

From one server in South Africa, to a global memorial network.

A four-phase capacity, infrastructure and geographic scaling plan. Phase 1 holds at 10k users on the box we have today; Phase 4 supports 5M users across multiple regions with full compliance. Lean by design — every phase is funded by the one before it.

The shape of this plan.

South Africa first because: (1) we know the market, (2) POPIA is mature and survivable, (3) the SADC corridor (12 countries, 350M people) extends naturally, and (4) deaths-per-year economics are favourable. Every infrastructure decision is also a moat decision: we build for the next phase, not the current one.

Step 1 · Why SA first

The South African memorial market — real numbers.

Roughly half a million deaths per year in SA, of which ~40% have meaningful family follow-through (a service, an obituary, a tribute moment). That's the reachable top of funnel. Conversion to a paid subscription is the question — and the SA market has shown willingness to pay for grief services that respect the family.

Indicator | SA | SADC (12 nations) | Why it matters
Population | ~62M | ~350M | SA is the wedge — anchor for the corridor.
Deaths/year | ~520k | ~3.2M | Annual top of funnel; addressable on Day 0–60 after loss.
Smartphone penetration | ~85% | ~60% | Mobile-first design is non-negotiable; WhatsApp is the shared channel.
Avg funeral spend | R20k–R35k | R15k–R30k | Adjacent revenue (florists, programmes, etc.) sized to family budget.
Funeral homes | ~4,000 | ~12,000 | B2B distribution channel — already-paying, captive segment.
Hospices | ~135 | ~340 | Pre-need acquisition pipeline; warm CAC.
POPIA enforcement | Active | Mixed | Mature framework, lower regulatory uncertainty than EU first.

Step 2 · Infrastructure phases

Four infrastructure phases, each funded by the prior.

Today's setup (Phase 1) is the same single Ubuntu box at 154.66.197.199 hosting MHSRIP plus several other apps. It's perfect for now. The phases below show the trigger, the work, and the exit criteria for each step up.

Phase 01 · Single-server foundation.

Now → 10k users | Cost · ~R800/mo | Trigger out · CPU sustained > 60%

What we have

  • Single Ubuntu VPS (shared with 5 other apps via PM2)
  • MySQL 8 + Redis 7 colocated
  • Sharp inline image processing
  • nginx fronting; Let's Encrypt SSL
  • Tarball deploy via deploy.sh

Quick wins this phase

  • Cloudflare in front of nginx — free CDN + DDoS
  • Daily MySQL dump → S3-compatible storage (Backblaze B2)
  • Redis AOF persistence for session durability
  • Image CDN domain (img.mhdsrip.com → Cloudflare R2)
  • Fail2ban on SSH + nginx rate limits

Capacity ceiling

  • Comfortable to ~3k DAU / 10k MAU at current spec
  • Sharp synchronous resize is the first bottleneck
  • MySQL queries-per-second rises with feed loads
  • Redis sessions: ~50k connections OK on this box

Done when

  • p95 page load < 800ms sustained
  • Zero downtime deploys (currently 2–4s)
  • Daily backups verified via restore test
  • Cloudflare cache hit rate ≥ 70% on static

Phase 02 · Split tier + image worker.

10k → 100k users | Cost · ~R6k/mo | Trigger out · DAU > 8k or DB CPU > 70%

Architecture changes

  • Move MHSRIP to its own VPS (separate from honingcraft etc.)
  • MySQL on a dedicated DB host (4 vCPU / 8 GB / managed Hetzner or DO)
  • Redis Cluster managed (Upstash or self-hosted)
  • Image worker: BullMQ + Sharp/Replicate runners, async
  • S3-compatible object storage (Cloudflare R2) for all uploads

Performance work

  • Add MySQL read replica for feed queries
  • HTTP caching: ETag + stale-while-revalidate on static views
  • Pagination on memorial walls (cursor-based)
  • Composite indexes on hot queries (post_decd_ID + post_Date)
  • N+1 query elimination on memorial_view (single round-trip pull)

Operational gates

  • Status page (statuspage.io or self-hosted)
  • Sentry for errors
  • UptimeRobot or BetterStack monitoring
  • Synthetic transactions hourly (signup → first tribute)

Done when

  • p95 sustained < 600ms at 8k DAU
  • Image processing async / non-blocking
  • DB read replicas serving 60%+ of reads
  • Restore drill passes monthly

Phase 03 · Multi-AZ in Johannesburg.

100k → 1M users | Cost · ~R30k/mo | Trigger out · MRR > R500k or DAU > 40k

Move to AWS af-south-1 (Cape Town)

  • ECS Fargate or EKS for app tier; auto-scale 2–10 tasks
  • RDS MySQL Multi-AZ (db.r6g.xlarge baseline)
  • ElastiCache Redis cluster mode (3 shards)
  • S3 for uploads behind CloudFront + signed URLs
  • SES for transactional email (POPIA-compliant residency)

Data & sharding prep

  • Tenant-key everything by garden_ID (sharding-ready)
  • Split read/write traffic at the app layer
  • Cold storage of inactive memorials → S3 Glacier after 5 years
  • Event log (analytics) moves to ClickHouse or BigQuery

Reliability

  • Blue/green deploys via Fargate task-set switching
  • RTO 15 min / RPO 5 min
  • Quarterly DR drill with full region failover
  • SOC 2 Type 1 audit completed

Done when

  • 99.95% monthly uptime achieved 3 months in a row
  • Single-AZ failure → zero customer impact (drill verified)
  • Sharding-ready schema deployed (no data move yet)
  • SOC 2 Type 1 report in hand

Phase 04 · Multi-region + edge.

1M → 5M+ users | Cost · R150k+/mo | Trigger out · M&A or 2nd country GA

Geographic split

  • af-south-1 (Cape Town) — Africa region
  • eu-west-1 (Dublin) — UK + EU
  • us-east-1 (Virginia) — US + Canada
  • ap-southeast-2 (Sydney) — AU + NZ
  • Cloudflare edge for static + Worker logic globally

Data sovereignty

  • Data residency by user's home region
  • Sharded by region_ID; replication only of public memorials
  • Cross-region invite handling via federation tokens
  • Region-specific encryption keys (KMS per region)

Operational maturity

  • SOC 2 Type 2 + ISO 27001
  • 24/7 on-call rotation (3+ engineers)
  • Weekly chaos engineering drills
  • Per-tenant rate limiting + DDoS shielding

Done when

  • 99.99% monthly uptime achieved
  • p95 < 300ms in every region
  • One full region failure → automatic traffic shift
  • Investor-grade DD pack always within 24h reach

Step 3 · Geographic rollout

SA → SADC → world.

Don't conquer everywhere at once. Each region needs local language, local pricing, local charity directory, local funeral-home partnerships and local payment rails. Eight phases, sequenced by similarity to the home market.

2026 · Q2

South Africa.

Home market. Full SA charity directory, ZAR pricing, en/af/zu UI. Funeral home outreach in Gauteng and Western Cape.

2026 · Q4

Namibia + Botswana.

Same time zone, English-default, similar funeral culture. Local Stripe rails, NAD/BWP optional. ~5M combined population.

2027 · Q1

Zimbabwe + Zambia.

Strong diaspora ties to SA — natural network spillover. Mobile money integrations (EcoCash, MTN MoMo). USD pricing.

2027 · Q3

Kenya + East Africa.

Funeral culture strong, Swahili UI added. M-Pesa integration becomes a flagship feature. ~150M reachable.

2027 · Q4

UK + diaspora.

Massive SA / SADC diaspora. GBP pricing, GDPR-compliant data residency in eu-west. UK funeral home partnerships.

2028 · Q1

Nigeria + West Africa.

Largest single African market. Full localisation, Yoruba/Igbo/Hausa UI. Strong cultural fit for memorial-as-celebration framing.

2028 · Q2

Australia + NZ.

SA expat-heavy. AUD/NZD pricing, ap-southeast residency, partnership with InvoCare and similar.

2028 · Q4

USA + Canada.

Largest absolute market. Most regulated. Enter via funeral-home B2B partnerships first; consumer marketing follows. CCPA compliance, 50-state insurance lead-gen.

Step 4 · Compliance

Five regulatory regimes by 2028.

Grief data is sensitive PII by every framework's definition. Compliance is not optional and not deferrable — it's product. Get ahead of each regime, in order, not after the first incident.

POPIA · South Africa
  In scope from: Day one. Information Regulator active.
  Required: POPIA registration, Information Officer appointed, SA data residency for personal data, consent flows, right-to-erase tested.

GDPR · UK + EU
  In scope from: Phase 4. Required for any EU resident even before geographic expansion if they sign up.
  Required: EU data residency option, DPO appointed, SCCs for any cross-border transfer, breach notification < 72h, age-of-consent gates.

CCPA / CPRA · California
  In scope from: USA launch. Strictest US state framework — comply here = comply nearly everywhere in US.
  Required: "Do not sell my info" link, opt-out mechanisms, mandatory disclosures, 12-month data audit trail.

PCI-DSS · Stripe via SAQ-A
  In scope from: Day one (any card-not-present payment).
  Required: Stripe Elements (no card data ever touches our servers), HTTPS everywhere, quarterly ASV scans (Stripe handles via SAQ-A).

SOC 2 Type 2
  In scope from: Phase 3. Demanded by enterprise B2B (funeral home chains, corporate bereavement).
  Required: Documented controls, 6-month observation window, annual audit, incident response runbooks, employee access reviews.

Step 5 · Costs at scale

What this costs per phase.

Infrastructure costs scale sub-linearly with users — but compliance, operations and security overhead grow faster. Plan for both. All figures in ZAR for SA budget, with USD equivalents in brackets.

Phase | Users | Infra | Ops + people | Compliance
Phase 1 (now) | ≤ 10k | R800/mo ($45) | Founder + 1 PT eng | POPIA registration only
Phase 2 (2026 H2) | 10k–100k | R6k/mo ($330) | +1 backend, +0.5 ops | POPIA full + privacy audit
Phase 3 (2027) | 100k–1M | R30k/mo ($1.6k) | +1 SRE, +1 T&S, +1 BD | SOC 2 Type 1 (~R200k/yr)
Phase 4 (2028+) | 1M–5M+ | R150k+/mo ($8k+) | 3-region oncall, DPO, CISO | SOC 2 Type 2 + ISO 27001 (~R600k/yr)

Roll-up: from ~R10k/mo today to ~R500k/mo at 5M users — with revenue ramping from ~R20k MRR to ~R30M+ MRR if pricing stays at R149/mo and we hit a 10% paid conversion. Margin per phase improves as fixed costs amortise across MAUs.

Step 6 · People & org

Who you need, when.

Hire ahead of the bottleneck, not after. Six roles unlock the next phase each time; the rest can be fractional or contracted.

Role | Hire by | Why this hire unlocks the next phase
Backend / SRE | Phase 1 → 2 | Owns the migration to dedicated VPS, image worker, MySQL replicas, observability.
Mobile lead | Phase 1 → 2 | Native iOS + Android; push pipeline; camera-first capture.
Growth / data lead | Phase 1 → 2 | Owns analytics stack, cohort dashboards, K-factor tracking, weekly investor update.
Trust & safety | Phase 2 → 3 | Moderation tooling, abuse handling, T&S review pipeline, GDPR/POPIA right-to-be-forgotten.
BD / partnerships | Phase 2 → 3 | Funeral home outreach, hospice agreements, corporate bereavement contracts. Region-aware.
DPO | Phase 3 | Required for GDPR, smart for POPIA, cheap insurance for SOC 2. Can be fractional initially.
CISO | Phase 3 → 4 | Multi-region security, SOC 2 Type 2 audit lead, vendor security reviews.
Regional leads | Phase 4 | One per major region (Africa, EU, US, AU). Local funeral-home network and local language UX.

Step 7 · What could go wrong

The three failure modes we plan for.

Most consumer scaling stories die from one of these. Each has a specific mitigation we ship before the failure mode triggers.

Trust event in SA
  Risk: Single viral story (fake death, abuse on a memorial wall, family dispute escalates publicly) can collapse SA brand permanently.
  Mitigation: T&S team-of-1 by Phase 2. Death-cert verification on owner claim from Day 1. 24-hour content review SLA. Crisis comms plan rehearsed.

Scaling debt
  Risk: Phase 1 bottleneck (single Sharp pipeline, single MySQL) becomes Phase 2 outage. Migrations under load are 5× harder than ahead of load.
  Mitigation: Image worker before 5k DAU, not after. Read replica before 50% DB CPU sustained, not after. Migration drills monthly.

Compliance lag
  Risk: Expand to UK without GDPR foundations. Information Regulator finds POPIA gap. SOC 2 missing for first enterprise deal.
  Mitigation: Region's compliance ships before its launch. SOC 2 Type 1 in Phase 3, not Phase 4. Privacy review on every new feature, not annually.