Can Your Money Survive a Bombed Alipay Server? Inside Data Center Redundancy
The article explores how Alipay’s financial data is protected through multi‑site data centers, hot and cold backups, and disaster‑recovery mechanisms, explaining why destroying a single server—or even multiple facilities—won’t instantly erase users’ funds, and outlining the lengths required to truly cripple the system.
On Zhihu a user asked whether blowing up Alipay’s physical storage servers would cause all users’ money to disappear.
"If the physical servers of Alipay were destroyed by a bomb or missile, would the public’s money in Alipay be gone? Would the data disappear with the servers?"
A former bank operations engineer answered, noting that this issue has been considered for decades and that financial systems are subject to strict information security regulations.
In July 2007, the Ministry of Public Security, the National Security Agency, the National Cryptography Administration, and the State Council Information Office issued the "Information Security Level Protection Management Measures," designating Level‑3 protection as the highest standard for non‑bank financial systems.
The purpose of these standards is to prevent severe damage to social order, public interest, or national security if an information system is compromised.
The core of Alipay’s architecture follows a “two‑site three‑center” model: two data centers in the same city, run either hot‑standby (active‑active) or warm‑standby (active‑passive), plus a third center at a separate site for disaster recovery.
In an active‑active setup, destroying one center has little impact because the other continues operating. In a warm‑standby setup, traffic can be switched to the second center with minimal disruption. To truly affect service, an attacker would need to destroy both centers simultaneously.
Alipay also employs a disaster‑recovery (cold‑backup) site that stores periodic backups offline. While cold backups are not real‑time, they allow data recovery after a failure, though some recent transactions may be lost depending on the backup interval.
Even if all three primary centers and their backups were destroyed, Alipay’s transaction data could be reconstructed from partner banks and funds because the underlying financial transactions are recorded elsewhere.
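To make the failover and backup-interval behaviour described above concrete, here is a small added simulation; it is not code from the original article or from Alipay, and the two same-city sites, the cold-backup interval and the partner-bank ledger are all constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class Site:
    """One data center holding a copy of the account ledger (txn_id -> amount)."""
    name: str
    ledger: dict = field(default_factory=dict)
    alive: bool = True


class TwoSiteThreeCenter:
    """Two same-city centers kept in sync on every write, plus a remote
    cold-backup site refreshed only every `backup_interval` transactions.
    Constructed model, not Alipay's actual replication scheme."""

    def __init__(self, backup_interval: int):
        self.primary = Site("primary")
        self.standby = Site("standby")
        self.dr = Site("dr")
        self.backup_interval = backup_interval
        self.bank_records = {}   # partner banks' own copy of each transfer
        self.clock = 0

    def record(self, txn_id: str, amount: int) -> None:
        """Write a transaction to every surviving same-city center; the cold
        backup only receives a snapshot at the end of each interval."""
        self.clock += 1
        self.bank_records[txn_id] = amount
        live = [s for s in (self.primary, self.standby) if s.alive]
        for site in live:
            site.ledger[txn_id] = amount
        if live and self.clock % self.backup_interval == 0:
            self.dr.ledger = dict(live[0].ledger)

    def destroy(self, *names: str) -> None:
        """Simulate the total loss of the named centers."""
        for site in (self.primary, self.standby, self.dr):
            if site.name in names:
                site.alive, site.ledger = False, {}

    def recover(self):
        """Return (source, lost_txn_ids): which surviving copy serves the
        ledger after a failure, and which transactions it is missing
        (the transactions newer than the last cold backup)."""
        for site in (self.primary, self.standby, self.dr):
            if site.alive:
                lost = sorted(set(self.bank_records) - set(site.ledger))
                return site.name, lost
        return "partner_banks", []   # rebuilt from counterparties' records
```

Losing one same-city center costs nothing; losing both falls back to the cold backup and loses only the transactions recorded since its last snapshot.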
The original article includes a diagram of the typical multi‑center layout to illustrate the distributed nature of the system.
Further analysis of Alipay’s DNS records reveals multiple IP addresses, indicating a multi‑active deployment across several locations.
Data centers are classified in several ways: by international tier (T1 to T4), by the Chinese standard GB 50174‑2008 (classes A, B and C, with A the highest), and by operator star rating (1 to 5 stars). Financial services require class A facilities.
Financial data centers have redundant power supplies (2N+1): two independent supply paths, each able to carry the full load on its own, plus one additional backup source. Destroying a single generator would therefore not shut the center down.
Physical security measures include isolated power distribution rooms, UPS systems providing at least 15 minutes of runtime, diesel generators with fuel contracts for up to 12 hours, and fire‑suppression systems using clean agents (e.g., FM‑200) that do not damage equipment.
Additional safeguards such as seismic design, flood resistance, and restricted proximity to hazardous facilities further ensure continuity.
In summary, Alipay’s infrastructure is built with multiple layers of redundancy—geographic distribution, hot and cold backups, power and fire protection—making it extremely difficult to erase users’ funds by simply destroying a single server or even an entire data center.
Programmer DD
A tinkering programmer and author of "Spring Cloud Microservices in Action"