Portuguese retailer consolidates three clouds into hybrid architecture

Challenge

A Portuguese retailer with 40 physical stores and its own e-commerce had workloads scattered across AWS (e-commerce), Azure (ERP and Microsoft 365) and GCP (legacy analytics). Cost grew 18% per year. Two different cybersecurity vendors disputed responsibility on every incident. And retail's inclusion in the NIS2 perimeter required documented sovereignty evidence for customer personal data.

Approach

Workload audit in three weeks. We identified five workloads that deserved to stay where they were, three that could be shut down (hidden cost in forgotten pre-prod environments), and four candidates for migration to European sovereign cloud.

We designed a hybrid architecture:

• AWS: e-commerce stays. CloudFront + RDS + ECS Fargate. Optimized cache layer.
• OVHcloud (Gravelines): customer data, loyalty programme, BI on transactions. SecNumCloud.
• Azure: Microsoft 365 tenant kept, with documented sovereignty audit for the DPO.
• GCP: decommissioned. BigQuery migrated to ClickHouse on OVH VPS.

Unified identity layer in Keycloak, federated to AWS, OVH and M365.

Outcome

Aggregate cloud cost fell 32% in the first full year after migration. Average incident time dropped from 47 minutes to 12, because operations became centralized in a single team (ours) instead of shared across three external vendors. NIS2 and GDPR documentation was delivered to the DPO in October 2025.

The client remains multi-cloud, but now intentionally and auditably - not by inertia.