⏱ 19 min read
Most data platforms fail in a strangely familiar way: not with a dramatic outage, but with a slow erosion of meaning.
At first everything looks healthy. Events flow through Kafka. Warehouses fill up. Microservices publish JSON with good intentions. Dashboards multiply. Teams announce they are “data-driven.” Then six months later, finance and operations disagree on what an order is, customer success has three competing definitions of churn, and a machine learning team quietly maintains a fourth customer table because nobody trusts the first three.
This is not primarily a tooling problem. It is a semantics problem wearing an infrastructure costume.
The industry spent years getting good at moving data. We built streaming pipelines, lakehouses, CDC platforms, service meshes, and schema registries. Useful things, all of them. But movement is not meaning. A parcel system with excellent trucks still fails if nobody agrees what package “delivered” means. The same applies to enterprise data. If your platform does not encode domain semantics as explicit, versioned contracts, it becomes a high-speed ambiguity engine.
That is why data platforms need domain contracts, and why schema topology matters more than many teams realize. Not just schemas in the narrow technical sense, but the shape of ownership, meaning, and change across the enterprise. A schema topology is the map of how data contracts are organized across domains, bounded contexts, integration edges, and platform services. Get that topology right and teams can evolve independently without tearing the business apart. Get it wrong and every change becomes archaeology.
The central idea is simple: schemas should express domain commitments, not merely serialization convenience. A contract is not “these fields exist.” A contract is “this domain promises to publish these facts, with these semantics, at this level of stability, for these consumers, under these evolution rules.” That is a much bigger thing. It belongs in architecture, not just in an Avro file checked into a repository nobody reads.
Context
Modern enterprises are usually running two architectures at the same time whether they admit it or not.
One is the operational architecture: microservices, APIs, workflows, event streams, transactional stores. This is the world of systems of record and user-facing behavior. microservices architecture diagrams
The other is the analytical and integration architecture: data lakes, warehouses, Kafka topics, change data capture, feature stores, MDM hubs, reporting layers, and increasingly AI pipelines. This is the world of derived truth, reconciled truth, and decision support. event-driven architecture patterns
The dangerous illusion is to think these two worlds can be joined by raw data extraction alone. They cannot. Operational systems are optimized for transactional behavior inside bounded contexts. Analytical consumers want stable, reusable business meaning across contexts. Those are different needs. If you expose operational schemas directly to the platform, you export implementation detail and call it enterprise data.
This is where domain-driven design matters. Bounded contexts are not just a software design technique for microservices. They are the only sane starting point for a data platform that expects multiple teams to publish and consume business data over time. A Customer in billing is not necessarily the same as a Customer in identity. An Order in fulfillment is not the same thing as an Order in finance. Pretending otherwise creates enterprise mythology, not architecture.
A good platform accepts that different domains see the world differently. A great platform makes those differences explicit and governable.
Problem
Most organizations adopt one of three bad patterns.
The first is the database exhaust platform. Teams CDC their tables into Kafka or the lake and assume downstream consumers can sort it out. This produces fast onboarding and long-term chaos. Consumers become coupled to source schema quirks, nullable columns that mean “not yet,” and accidental keys that were never intended to cross system boundaries.
The second is the central canonical fantasy. An enterprise architecture group designs one universal customer, product, invoice, and order model. It looks elegant in PowerPoint. It dies in production because no domain actually owns it, every team negotiates every field, and change requires committee diplomacy. The result is paralysis, shadow models, or both.
The third is the topic sprawl mess. Teams publish events freely, often with Kafka as the backbone, but topics are organized around applications rather than domain meaning. You get customer-service-events-v2-final, order-updated, order-updated-2, and several “gold” topics created by downstream teams compensating for missing semantics upstream. The stream becomes a graveyard of near-truths.
Underneath all three patterns sits the same failure: the enterprise has not decided what a data contract is and where it lives.
A contract cannot be merely technical compatibility. Backward-compatible nonsense is still nonsense. A field can remain present forever and still be semantically broken. The question is not only “can old consumers deserialize this?” but “does the producer still mean the same thing?”
That distinction is where architecture earns its keep.
Forces
There are several forces pulling against each other here, and any serious design has to respect them.
Domain autonomy. Teams need to evolve their services and data products without begging permission from a central board for every change.
Enterprise interoperability. The business still needs cross-domain reporting, reconciliation, customer 360 views, finance closure, and regulatory reporting.
Event-driven scale. Kafka and similar platforms reward decoupling and asynchronous integration, but they also make it cheap to publish poorly understood facts at industrial volume.
Microservice reality. Service boundaries often reflect transactional boundaries, not reporting or enterprise semantics. If you mirror service schemas directly, your data platform inherits operational fragmentation.
Historical truth. Analytical systems care deeply about time, lineage, and replay. Operational APIs often care only about current state.
Regulatory and audit demands. Financial, healthcare, and telecom organizations cannot rely on “best effort semantics.” They need traceable definitions, versioning rules, retention policies, and reconciliation paths.
Speed versus stewardship. The platform team wants standards. Product teams want velocity. Both are right.
These forces make simplistic answers attractive and wrong. You do not want a rigid enterprise canonical model. You also do not want an anything-goes publishing culture. The architecture has to create enough structure to preserve meaning while allowing local change.
That is what schema topology is for.
Solution
Use domain contracts as the primary semantic boundary in the data platform, and organize schemas into a topology aligned with bounded contexts, integration edges, and enterprise consumption layers.
Here is the opinionated version:
- Operational services own internal schemas.
- Domains own published contracts.
- The platform enforces evolution rules.
- Cross-domain models are derived, not imposed.
- Reconciliation is designed in, not bolted on after the CFO loses trust.
A domain contract is the stable agreement a domain offers to other parts of the enterprise. It describes not just field names and types, but business meaning, ownership, invariants, quality expectations, identifiers, temporal behavior, deprecation policy, and allowed evolution.
This is different from a service event.
A service event often says what happened inside an application boundary. A domain contract says what facts the domain is willing to stand behind outside that boundary. Sometimes those are the same thing. Often they are not.
For example, an e-commerce checkout service may emit PaymentAuthorized, InventoryReserved, and ShipmentCreated. Those are useful operational events. But the finance domain contract for revenue recognition should not be inferred casually from them. Finance needs settled facts, timing rules, exceptions, reversals, and reconciliation markers. That is a different contract, owned by a different domain concern.
This leads to a schema topology with three broad layers:
- Internal operational schemas inside services and databases.
- Published domain contracts exposed through events, CDC-derived streams, APIs, or batch datasets.
- Derived enterprise models for analytics, regulatory reporting, and cross-domain consumption.
The important rule is that consumers should depend on the published domain contract, not on internal operational representation. And enterprise-wide models should be assembled from domain contracts, not negotiated directly against service teams one field at a time.
The contract becomes the seam where architecture can encode semantics. It says, for instance:
- what an
OrderAcceptedfact means - whether amounts are gross or net
- whether timestamps represent business occurrence time or processing time
- whether identifiers are stable across channels
- whether deletes are hard deletes, soft deletes, or legal redactions
- whether events are append-only facts or corrections to prior facts
That is not bureaucracy. That is survivability.
Architecture
A practical architecture for domain contracts usually contains a few key elements.
1. Bounded context aligned ownership
Each business domain owns its contracts: orders, payments, fulfillment, pricing, identity, claims, policy, whichever matter in your enterprise. Ownership means responsibility for semantics, quality, lifecycle, and support.
This is classic domain-driven design, but applied to the data plane.
Do not let the platform team invent order semantics. Do not let the warehouse team define what “active customer” means. The owning domain should publish it or explicitly state that no such contract exists.
2. Contract metadata beyond schema
A registry should hold more than Avro or Protobuf definitions. It should capture:
- domain owner
- business description
- classification and privacy rules
- SLA or freshness expectations
- keys and identity semantics
- temporal semantics
- deprecation timeline
- compatibility rules
- lineage to source systems
- reconciliation obligations
Teams often think a schema registry solves this. It solves one thin slice. Serialization compatibility is the floor, not the house.
3. Event and state forms
Some domain contracts are naturally event streams. Others are better expressed as state snapshots, slowly changing dimensions, or bitemporal records. The architecture should permit both.
Kafka is excellent where facts are time-ordered and consumers need streaming behavior. It is less magical when consumers really need a curated current-state table with well-governed dimensions and corrections. Do not force everything into an event shape because the platform team likes streams.
4. Reconciliation as a first-class capability
Cross-domain truth rarely emerges automatically. Orders, payments, shipments, returns, and invoices will disagree at times. Systems process out of order. Upstream corrections arrive late. Human workflows intervene.
So the platform needs reconciliation pipelines and explicit exception handling. If the order domain says shipped, finance says not billable, and CRM says canceled, the platform should not quietly pick a winner. It should preserve provenance, surface discrepancies, and support governed convergence.
That exception path matters. Enterprise trust is built in the uncomfortable corners, not the happy path.
5. Derived enterprise models
Some consumers need cross-domain data products: revenue mart, customer 360, supply chain performance model, regulatory ledger. These should be downstream derived products, with explicit transformation logic and lineage, not pseudo-canonical upstream mandates.
This preserves a healthy asymmetry. Domains publish what they own. Enterprise products compose those facts for wider use.
6. Policy-driven schema evolution
Compatibility rules should vary by contract class. Public domain contracts deserve stricter rules than internal team-only streams. Some contracts may allow additive evolution only. Others may permit field deprecation with a long notice period. High-risk domains may require semantic review for changes to key fields, units, or event meaning.
The point is not to stop change. The point is to make change legible.
Migration Strategy
Most enterprises are not starting from a clean slate. They have service databases, warehouse ingestion pipelines, brittle ETL, and enough undocumented Kafka topics to frighten an auditor.
So the migration must be progressive. This is a strangler move, not a rewrite.
Start by identifying high-value, high-confusion domains. Usually orders, customers, payments, products, or claims. Pick one where semantic inconsistency causes obvious cost: finance disputes, operational defects, dashboard distrust, or integration churn.
Then move through these steps.
Step 1: Map the current schema topology
Inventory source schemas, topics, CDC feeds, warehouse tables, and major consuming reports. Do not just list interfaces. Trace meaning. Find where the same business concept exists in multiple incompatible forms.
You are looking for semantic hotspots:
- overloaded entities
- reused but differently interpreted IDs
- timestamps with unclear business meaning
- state fields whose transitions vary by channel
- warehouse transformations compensating for upstream ambiguity
Step 2: Define the first domain contracts
Do not boil the ocean. Pick a small set of contracts the domain can genuinely own and defend. Good first candidates are facts with business significance and broad reuse: OrderAccepted, PaymentSettled, ClaimSubmitted, ShipmentDelivered.
Write down invariants and semantics in human language first. Then encode the technical schema.
Step 3: Publish side-by-side with existing feeds
This is where strangler migration becomes practical. Keep old CDC or application events running. Introduce new domain contract topics and curated tables in parallel. Consumers can migrate over time.
This side-by-side period is essential. It allows comparison, reconciliation, and trust-building. It also reveals semantic gaps the old system had been hiding.
Step 4: Add reconciliation and equivalence checks
For each new contract, compare against legacy outputs. Track record counts, business totals, lateness, identity matching, and exception cases. Expect mismatch. The mismatch is not failure; it is learning.
Step 5: Migrate consumers by value
Do not migrate every consumer at once. Move the ones with the most to gain and the least custom dependency first. Dashboards and downstream marts often move before operational consumers. Regulated reports may move later, after auditability is demonstrated.
Step 6: Deprecate legacy interfaces deliberately
Once enough consumers have moved and reconciliation shows stability, begin retiring old feeds. Publish timelines. Freeze schema changes on deprecated artifacts. Make ownership explicit. Nothing dies from neglect in an enterprise; it dies from governance and a date. EA governance checklist
A migration like this is less glamorous than a greenfield event-driven platform. It is also how enterprises actually succeed.
Enterprise Example
Consider a global retailer with e-commerce, stores, marketplace sellers, and regional finance systems. They had Kafka, microservices, CDC from Oracle and PostgreSQL, and a large cloud warehouse. On paper, a modern platform. In practice, every major metric was disputed.
The heart of the problem was “order.”
The commerce platform treated an order as a customer checkout artifact. Fulfillment treated it as one or more shipment groups. Stores treated click-and-collect reservations as store tasks. Finance recognized sales based on invoicing and settlement. Marketplace orders had seller-specific timing and exception rules. The warehouse had built a giant fact_order table intended to unify all this. It was 600 columns wide and trusted by nobody.
The initial instinct was to redesign the canonical order model. That would have failed. Instead, the architecture team reframed the problem in domain terms.
They established distinct contracts:
- Sales Order Contract owned by commerce: customer commitment to purchase, line intent, pricing snapshot, channel metadata.
- Fulfillment Contract owned by supply chain: reservation, pick, pack, ship, delivery, return facts.
- Financial Order Contract owned by finance: billable event, tax posture, settled amount, refund, chargeback, revenue status.
- Marketplace Settlement Contract owned by marketplace operations: seller remittance facts, fees, exceptions.
These contracts were published through Kafka where streaming made sense, and through curated warehouse tables where stable state views were more appropriate. A contract catalog documented semantics, identifiers, and business event timing. Crucially, there was no single upstream “enterprise order” schema.
Instead, the warehouse built derived marts:
- order lifecycle mart
- net revenue mart
- customer experience mart
A reconciliation service matched facts across sales, fulfillment, and finance by business keys and temporal windows. Exceptions were surfaced to operations and finance rather than hidden in SQL.
What changed?
- Dashboard disputes dropped sharply because reports now named the contract they used.
- Integration churn fell because consumers stopped binding directly to commerce service events.
- Finance month-end close improved because discrepancies became visible earlier.
- Marketplace onboarding accelerated because seller-specific rules were isolated in domain-owned contracts, not embedded in one giant order table.
The tradeoff was real. More contracts existed than before. Some consumers had to learn the difference between sales order and financial order. Good. That difference existed already. The architecture simply stopped lying about it.
Operational Considerations
If you adopt domain contracts, a few operational disciplines become non-negotiable.
Contract testing
Producers must test published contracts independently from internal implementation. Consumers should validate assumptions against sample and historical data. Schema compatibility checks are necessary, but semantic regression tests are just as important.
Data quality observability
Track freshness, completeness, duplication, null drift, distribution changes, and key integrity by contract. A contract without observability is just a promise with no witness.
Lineage and provenance
Every enterprise consumer should be able to answer: which contract did this field come from, which transformation shaped it, and what source systems contributed? In regulated environments, this is not optional.
Identity management
Cross-domain data falls apart when identifiers are sloppy. Contracts should clearly distinguish local entity IDs, enterprise IDs, external reference IDs, and correlation IDs. Many reconciliation failures are really identity failures in disguise.
Temporal design
Business event time, effective time, load time, and correction time should be modeled deliberately. If you flatten them into one timestamp, someone in finance will eventually discover why that was a bad idea.
Security and privacy
Domain contracts often become durable enterprise interfaces. That means privacy classification, masking, retention, right-to-erasure handling, and regional policy enforcement belong in the contract model and the platform controls around it.
Tradeoffs
No worthwhile architecture comes free.
The biggest tradeoff is more explicit modeling work upfront. Teams must articulate semantics rather than just exposing data. Some will resist. They will call it overhead. They are wrong in the long term, but they are not wrong that it costs effort.
Another tradeoff is more artifacts. Instead of one raw feed and one giant warehouse table, you may have multiple domain contracts and derived models. This can look like complexity. Sometimes it is complexity. The question is whether it reflects business reality or merely implementation accident. Usually the former.
There is also a tradeoff between autonomy and consistency. Domain ownership can lead to divergence in style, naming, and granularity. The platform must provide standards and tooling without recentralizing semantics.
And there is the perennial event-driven tradeoff: asynchrony buys decoupling at the price of coordination complexity. Late events, duplicates, reorderings, and corrections are facts of life in Kafka-based architectures. Domain contracts do not eliminate those issues. They make them tractable.
Failure Modes
The pattern fails in recognizable ways.
Contract theater
Teams create formal schemas and catalogs, but semantics remain vague. Every field has a description like “status of entity.” Nobody can answer edge-case questions. This is governance cosplay. ArchiMate for governance
Canonical creep
Derived enterprise models slowly become mandatory upstream standards. Domains lose ownership, changes bottleneck, and the old central canonical fantasy returns under a new label.
Platform absolutism
The data platform team becomes too controlling. Every change requires review. Delivery slows. Product teams route around the platform with side topics, ad hoc extracts, or private datasets.
Service event confusion
Operational events are published and treated as enterprise contracts without enough semantic hardening. Downstream consumers then build on unstable implementation detail.
Reconciliation denial
Teams assume consistent truth will emerge naturally if enough data is collected. It will not. Without explicit reconciliation and exception workflows, the platform accumulates silent contradictions.
Migration fatigue
The strangler migration starts well but never finishes. Legacy and new contracts run forever, doubling cost and confusion. This usually happens when deprecation is not funded and owned.
When Not To Use
Do not use heavy domain contracts everywhere.
If you are a small product company with one or two teams, modest reporting needs, and limited integration complexity, this approach may be overkill. A few well-documented APIs and warehouse models might be enough.
If the data has very short-lived local usefulness and almost no cross-team reuse, an internal event or local schema may not need enterprise-grade contract discipline.
If your domains are not actually stable enough to name yet, forcing contract formalization too early can create false precision. Early-stage businesses often need to discover domain boundaries before institutionalizing them.
And if your organization lacks any appetite for domain ownership, this pattern will be frustrating. Domain contracts work when business and technology stewardship meet. If every team still thinks data meaning is “someone else’s problem,” you need organizational change as much as technical architecture.
Related Patterns
A few related patterns are worth calling out.
Data Mesh. Domain contracts fit naturally with data mesh thinking, especially around domain-owned data products. But this article is narrower and more concrete: it focuses on the semantic interface and schema topology, not the entire operating model.
Bounded Context Mapping. From domain-driven design, this helps identify where translation is needed between domains rather than pretending one model fits all.
Strangler Fig Pattern. Essential for migration. Introduce contracts beside existing feeds, build confidence, then retire legacy paths.
Anti-Corruption Layer. Useful when deriving contracts from ugly legacy schemas or third-party package models. The contract layer shields consumers from upstream nonsense.
Event Sourcing. Sometimes complementary, sometimes not. Event-sourced systems already have streams of facts, but those internal events are not automatically enterprise-ready domain contracts.
Canonical Data Model. Use sparingly and downstream. A canonical model can be valuable as a derived enterprise consumption model, but it should not erase bounded contexts upstream.
Summary
A data platform without domain contracts is a transport network for ambiguity. It can move data quickly, replicate it broadly, and still fail the business because meaning leaks out at every boundary.
The fix is not a grand universal schema. It is not raw CDC everywhere. It is not a schema registry mistaken for architecture.
The fix is to treat published data as a domain commitment. Let bounded contexts own their semantics. Define contracts that capture business meaning, temporal rules, identifiers, evolution policy, and quality expectations. Organize schema topology around internal schemas, published domain contracts, and derived enterprise models. Build reconciliation in from the start. Migrate progressively with a strangler approach, side by side with legacy feeds, until trust is earned and old interfaces can be retired.
In real enterprises, truth is plural before it is reconciled. Good architecture does not deny that. It gives the plurality names, boundaries, and rules.
That is what domain contracts are for. And that is why your data platform needs them.
Frequently Asked Questions
What is a data mesh?
A data mesh is a decentralised data architecture where domain teams own and serve their data as products. Instead of a central data team, each domain is responsible for data quality, contracts, and discoverability.
What is a data product in architecture terms?
A data product is a self-contained, discoverable, trustworthy dataset exposed by a domain team. It has defined ownership, SLAs, documentation, and versioning — treated like a software product rather than an ETL output.
How does data mesh relate to enterprise architecture?
Data mesh aligns data ownership with business domain boundaries — the same boundaries used in domain-driven design and ArchiMate capability maps. Enterprise architects play a key role in defining the federated governance model that prevents data mesh from becoming data chaos.