PracHub
QuestionsCoachesLearningGuidesInterview Prep
|Home/System Design/Harvey

Design a Cloud File Storage Service

Last updated: Jun 24, 2026

Quick Overview

This question evaluates competency in designing large-scale distributed file storage and collaboration systems, covering storage and metadata modeling, API design, synchronization and consistency models, resumable large-file handling, versioning, access control, scalability, availability, durability, and security.

  • medium
  • Harvey
  • System Design
  • Software Engineer

Design a Cloud File Storage Service

Company: Harvey

Role: Software Engineer

Category: System Design

Difficulty: medium

Interview Round: Technical Screen

Design a cloud file storage and collaboration service similar to Google Drive or Dropbox. At a high level, the service must let users store files in a hierarchical folder structure, share them with fine-grained permissions, and keep multiple clients (web, desktop, mobile) in sync. Your design should cover the following capabilities: - Upload, download, delete, move, and rename files and folders. - A hierarchical folder structure scoped per user or per organization. - Sharing files and folders with users or groups using roles such as **owner**, **editor**, **commenter**, and **viewer**, with inheritance down a folder subtree. - Large-file uploads that are **chunked and resumable** (survive a dropped connection). - File **version history** and the ability to restore a prior version. - **Synchronization** across web, desktop, and mobile clients, including offline edits that reconcile on reconnect. - **Search** by file name and basic metadata (owner, type, modified time). - High availability, durability, and security. Walk through the end-to-end design: high-level architecture, the public API surface, the split between metadata and blob storage, the metadata/data model, the upload and download paths, the synchronization protocol, the consistency model, the scaling approach, failure handling, and the major trade-offs you would call out. ```hint Where to start The single most important decision is to **separate metadata from blob content**. Metadata (the namespace tree, permissions, versions) lives in a transactional store and is small; file bytes live in object storage and are large and immutable. Almost every other decision follows from this split. ``` ```hint Large files For resumable uploads, think about splitting a file into fixed-size **chunks**, uploading each chunk independently (ideally direct-to-object-storage via pre-signed URLs), checksumming per chunk, and committing a **manifest** of chunk keys as an atomic "complete" step. Content-addressing chunks by hash gives you dedup and idempotent retries for free. ``` ```hint Sync Don't have clients diff their whole tree on every poll. Maintain a **monotonic per-drive change log** (sequence numbers / cursor); a client sends its last cursor and receives an ordered delta. This is the backbone of both incremental sync and conflict detection. ``` ```hint Scale & consistency Reason separately about the two stores. Metadata wants **strong consistency** within a drive (rename/move/permission must be transactional) → partition by drive/workspace so each shard is a single-writer transactional unit. Blobs want **durability + cheap reads** → replicated object storage + CDN for immutable versioned blobs. Push everything non-critical (search indexing, thumbnails, virus scan, notifications) onto an async event bus. ``` ### Constraints & Assumptions - **Users:** tens of millions of registered users; assume a few million daily-active clients each maintaining a persistent sync connection. - **Data:** petabytes of stored bytes; individual files from a few KB to several GB. - **Traffic:** read-heavy on download/list/sync (assume reads dominate writes by roughly an order of magnitude), but sustained write traffic from uploads and edits. - **Durability target:** very high for file content (object stores commonly advertise ~11 nines of annual durability via cross-zone replication); plan to match that. - **Availability:** the metadata and download paths must stay available; brief degradation of search or thumbnails is acceptable. - **Security:** TLS in transit, encryption at rest, short-lived signed access to blobs, and an audit trail for share/download events. - Out of scope unless raised: real-time co-editing of a single document (operational transforms / CRDTs) — treat that as a separate collaboration system; you only need last-writer / conflict-copy semantics for whole-file sync. ### Clarifying Questions to Ask - Is the unit of isolation a single user's drive, or are there shared **organization/team** drives with their own permission roots? This changes the sharding key. - What is the expected **file-size distribution** and the largest file we must support? It drives the chunk size and whether we need multipart at all. - Do we need **block-level delta sync** (Dropbox-style: only re-upload changed chunks of an edited file), or is whole-file re-upload acceptable for v1? - How strong are the **sharing/permission** requirements — simple ACLs, or nested groups, public links, expiring links, and link passwords? - Is **server-side full-text search** (indexing file contents, not just names) in scope, or only metadata search? - What are the **retention** rules for deleted files and old versions (trash window, version count cap, legal hold)? - Do we need **multi-region active-active** writes (global low-latency, e.g. for an enterprise customer like a law firm operating across offices), or is single-region-write with regional read replicas sufficient? ### What a Strong Answer Covers A strong answer is judged on the following dimensions (these are the areas to demonstrate, not the answers themselves): - **Metadata/blob separation** — recognizing the two stores have different consistency, durability, cost, and scaling needs, and designing each accordingly. - **Namespace & data model** — a workable representation of the folder tree (parent pointers, stable node IDs, uniqueness within a parent), versions, and permissions; and how move/rename/delete map onto it. - **Resumable upload path** — chunking, direct-to-storage uploads, per-chunk checksums, an atomic commit/manifest step, and idempotency on retry. - **Download path** — authorization, short-lived signed URLs, CDN caching of immutable versions. - **Sync protocol** — the change-log/cursor mechanism, delta delivery, push vs. poll, and offline-edit reconciliation. - **Permission model** — direct vs. inherited ACLs, group/org membership, conflict resolution, and how to evaluate this fast under read-heavy load (caching, precomputation). - **Consistency model** — being explicit about what is strongly consistent (namespace/permission ops within a shard) vs. eventually consistent (search, previews, notifications), and why. - **Scaling** — partitioning metadata by drive/workspace, object-storage + CDN for blobs, async event bus for derived work, and where the hot spots and bottlenecks are. - **Reliability & security** — durability strategy, backups/PITR, idempotency keys, encryption, signed access, audit logging, and observability (which metrics/SLOs). - **Trade-offs** — articulating the real tensions (strong vs. eventual consistency, direct vs. proxied upload, inheritance vs. precomputed ACLs, dedup vs. simplicity/privacy, single- vs. multi-region writes). ### Follow-up Questions - A user **moves a 50,000-file folder** into a new parent that has different sharing. How do you make the move appear atomic, and how do you propagate the permission change without rewriting 50,000 rows synchronously? - Two desktop clients edit the **same file while both are offline**, then both reconnect. Walk through exactly what your sync protocol does — how the conflict is detected and what the user sees. - How would you add **block-level delta sync** so that editing one page of a 2 GB file re-uploads only a few chunks? What changes in the data model and the upload path? - Storage cost is dominated by **duplicate content** across users (e.g. the same PDF shared widely). How do you deduplicate safely, and what are the privacy and security pitfalls of cross-user dedup? - A whole region hosting the **metadata primary** goes down. What is your failover story, what is the RPO/RTO, and what could a client observe as lost or stale during the cutover?

Quick Answer: This question evaluates competency in designing large-scale distributed file storage and collaboration systems, covering storage and metadata modeling, API design, synchronization and consistency models, resumable large-file handling, versioning, access control, scalability, availability, durability, and security.

Related Interview Questions

  • Design Cloud File Storage - Harvey (medium)
  • Design a Secure PDF Data Room - Harvey (medium)
  • Design a RAG question-answering system - Harvey (medium)
  • Design a Cloud File Storage Service - Harvey (medium)
  • Design a secure document vault - Harvey (medium)
|Home/System Design/Harvey

Design a Cloud File Storage Service

Harvey logo
Harvey
Apr 12, 2026, 12:00 AM
mediumSoftware EngineerTechnical ScreenSystem Design
8
0

Design a cloud file storage and collaboration service similar to Google Drive or Dropbox.

At a high level, the service must let users store files in a hierarchical folder structure, share them with fine-grained permissions, and keep multiple clients (web, desktop, mobile) in sync. Your design should cover the following capabilities:

  • Upload, download, delete, move, and rename files and folders.
  • A hierarchical folder structure scoped per user or per organization.
  • Sharing files and folders with users or groups using roles such as owner , editor , commenter , and viewer , with inheritance down a folder subtree.
  • Large-file uploads that are chunked and resumable (survive a dropped connection).
  • File version history and the ability to restore a prior version.
  • Synchronization across web, desktop, and mobile clients, including offline edits that reconcile on reconnect.
  • Search by file name and basic metadata (owner, type, modified time).
  • High availability, durability, and security.

Walk through the end-to-end design: high-level architecture, the public API surface, the split between metadata and blob storage, the metadata/data model, the upload and download paths, the synchronization protocol, the consistency model, the scaling approach, failure handling, and the major trade-offs you would call out.

Constraints & Assumptions

  • Users: tens of millions of registered users; assume a few million daily-active clients each maintaining a persistent sync connection.
  • Data: petabytes of stored bytes; individual files from a few KB to several GB.
  • Traffic: read-heavy on download/list/sync (assume reads dominate writes by roughly an order of magnitude), but sustained write traffic from uploads and edits.
  • Durability target: very high for file content (object stores commonly advertise ~11 nines of annual durability via cross-zone replication); plan to match that.
  • Availability: the metadata and download paths must stay available; brief degradation of search or thumbnails is acceptable.
  • Security: TLS in transit, encryption at rest, short-lived signed access to blobs, and an audit trail for share/download events.
  • Out of scope unless raised: real-time co-editing of a single document (operational transforms / CRDTs) — treat that as a separate collaboration system; you only need last-writer / conflict-copy semantics for whole-file sync.

Clarifying Questions to Ask

  • Is the unit of isolation a single user's drive, or are there shared organization/team drives with their own permission roots? This changes the sharding key.
  • What is the expected file-size distribution and the largest file we must support? It drives the chunk size and whether we need multipart at all.
  • Do we need block-level delta sync (Dropbox-style: only re-upload changed chunks of an edited file), or is whole-file re-upload acceptable for v1?
  • How strong are the sharing/permission requirements — simple ACLs, or nested groups, public links, expiring links, and link passwords?
  • Is server-side full-text search (indexing file contents, not just names) in scope, or only metadata search?
  • What are the retention rules for deleted files and old versions (trash window, version count cap, legal hold)?
  • Do we need multi-region active-active writes (global low-latency, e.g. for an enterprise customer like a law firm operating across offices), or is single-region-write with regional read replicas sufficient?

What a Strong Answer Covers

A strong answer is judged on the following dimensions (these are the areas to demonstrate, not the answers themselves):

  • Metadata/blob separation — recognizing the two stores have different consistency, durability, cost, and scaling needs, and designing each accordingly.
  • Namespace & data model — a workable representation of the folder tree (parent pointers, stable node IDs, uniqueness within a parent), versions, and permissions; and how move/rename/delete map onto it.
  • Resumable upload path — chunking, direct-to-storage uploads, per-chunk checksums, an atomic commit/manifest step, and idempotency on retry.
  • Download path — authorization, short-lived signed URLs, CDN caching of immutable versions.
  • Sync protocol — the change-log/cursor mechanism, delta delivery, push vs. poll, and offline-edit reconciliation.
  • Permission model — direct vs. inherited ACLs, group/org membership, conflict resolution, and how to evaluate this fast under read-heavy load (caching, precomputation).
  • Consistency model — being explicit about what is strongly consistent (namespace/permission ops within a shard) vs. eventually consistent (search, previews, notifications), and why.
  • Scaling — partitioning metadata by drive/workspace, object-storage + CDN for blobs, async event bus for derived work, and where the hot spots and bottlenecks are.
  • Reliability & security — durability strategy, backups/PITR, idempotency keys, encryption, signed access, audit logging, and observability (which metrics/SLOs).
  • Trade-offs — articulating the real tensions (strong vs. eventual consistency, direct vs. proxied upload, inheritance vs. precomputed ACLs, dedup vs. simplicity/privacy, single- vs. multi-region writes).

Follow-up Questions

  • A user moves a 50,000-file folder into a new parent that has different sharing. How do you make the move appear atomic, and how do you propagate the permission change without rewriting 50,000 rows synchronously?
  • Two desktop clients edit the same file while both are offline , then both reconnect. Walk through exactly what your sync protocol does — how the conflict is detected and what the user sees.
  • How would you add block-level delta sync so that editing one page of a 2 GB file re-uploads only a few chunks? What changes in the data model and the upload path?
  • Storage cost is dominated by duplicate content across users (e.g. the same PDF shared widely). How do you deduplicate safely, and what are the privacy and security pitfalls of cross-user dedup?
  • A whole region hosting the metadata primary goes down. What is your failover story, what is the RPO/RTO, and what could a client observe as lost or stale during the cutover?

Submit Your Answer to Earn 20XP

Sign in to leave a comment

Loading comments...

Browse More Questions

More System Design•More Harvey•More Software Engineer•Harvey Software Engineer•Harvey System Design•Software Engineer System Design

Your design canvas — auto-saved

PracHub

Master your tech interviews with 8,500+ real questions from top companies.

Product

  • Questions
  • Learning Tracks
  • Interview Guides
  • Resources
  • Premium
  • For Universities
  • Student Access

Browse

  • By Company
  • By Role
  • By Category
  • Topic Hubs
  • SQL Questions
  • AI Coding Questions
  • Compare Platforms
  • Discord Community

Support

  • support@prachub.com
  • (916) 541-4762

Legal

  • Privacy Policy
  • Terms of Service
  • About Us

© 2026 PracHub. All rights reserved.