I've worked in finance technology for eight years now, in various domains. As a broad generalization, if you are latency bound (milliseconds or less) then everything is done in code and the DB is never in the main loop. At the other end, if you are throughput bound - think end of day/month activities - then stored procedures all the way. For everything in between, prefer to have the logic in code due to the maintenance benefits that come with it.

> Do you have an API on top of DB that enforces the rules?

In general, a database is owned by the app it is associated with and the app mediates all access to that data. The usual enterprise integration patterns (ESB, messaging, web services, file dumps) are used to share data with other systems.

> Is the security/data validation also done in the API/app layer?

Largely yes. There's some level of security (like app access control and encryption at rest) that's handled in the DB tier, but authorization is largely an app-level concern. Similarly, some constraints are imposed in the DB schema, but those are quite basic. Most validation is done in the app tier.