For IT, security, and architecture reviewers: current USA production posture (May 2026). We describe an enterprise-ready design; we do not claim SOC 2, ISO 27001, or HIPAA unless agreed in writing.

| Layer | Technology | Role |
|---|---|---|
| Edge & TLS | HTTPS, custom domains | TLS for marketing site (www.ez4youtech.com) and platform (aiplatformusa.ez4youtech.com) |
| Application | FastAPI + Next.js | REST API (auth, BYOS, catalog apps, feedback) and agent/admin workspace UI (BFF to API) |
| Compute | Azure Container Apps | Managed runtime, health checks, tagged releases |
| Secrets | Azure Key Vault → Container App secrets | JWT signing key, encryption key, Mongo URI: never committed to git |
| Database | MongoDB Atlas (M10) | Tenants, users, encrypted subscription credentials, usage, platform feedback |
| Object storage | Azure Blob Storage | Tenant-scoped documents, workflows, error-report screenshots |
| Email | AWS SES | Contact form delivery (transactional; separate from Azure region) |
| Bot protection | Cloudflare Turnstile | CAPTCHA on public contact form before email send |
| AI (BYOS) | OpenAI, Together, Groq, xAI (Grok), DeepSeek, Mistral, Fireworks, OpenRouter, Azure OpenAI | Customer-owned API keys; billed on your provider account |
| Images / deploy | Azure Container Registry | Immutable tagged container images per release |
| Marketing site | Static HTML + CDN | Public site and docs: no tenant data on static pages |

| Area | Practice | What it means for you |
|---|---|---|
| Data in transit | TLS 1.2+ | Browser ↔ platform, platform ↔ Atlas, platform ↔ AI providers |
| Secrets at rest | Fernet encryption | BYOS API keys encrypted in MongoDB; decrypted only for outbound provider calls |
| Authentication | JWT + bcrypt | Every API call carries tenant_id, plan, and role; passwords hashed; login rate limited per IP |
| Tenant isolation | API + storage paths | Queries and blob paths prefixed with tenant_id/; no cross-tenant key or document access |
| Access control | RBAC + plan gating | Superadmin, partner, tenant admin (BYOS only), agent (apps), enforced server-side |
| Rate limiting | Login, contact, feedback | Brute-force and abuse mitigation on public and auth endpoints |
| Security headers | HSTS, X-Frame-Options, etc. | Applied in production deployments |
| Logging & PII | Centralized log redaction | No API keys, passwords, or raw user content in application logs; safe messages to end users |
| Error reports | Signed screenshot URLs | Ops access via time-limited HMAC links, not public blob URLs |
| CAPTCHA | Cloudflare Turnstile | Contact spam reduction before SES delivery |
| Revenue model | Subscription only | We do not sell prompts, train on your data, or use client content for advertising |

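
As an added example (not the platform's own code), one way to implement the time-limited HMAC screenshot links and the tenant-scoped path check described in the table above, using only the Python standard library; the signing key, base URL, query parameter names and path layout are assumptions for illustration.

```python
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample key; in production this would be loaded from Key Vault,
# never hard-coded or committed to git.
SIGNING_KEY = b"example-signing-key-loaded-from-key-vault"
BASE_URL = "https://blob.example.invalid"  # placeholder storage endpoint


def _message(tenant_id: str, blob_path: str, expires: int) -> bytes:
    # Bind the signature to the tenant-prefixed path and the expiry time.
    return f"{tenant_id}/{blob_path}\n{expires}".encode()


def sign_screenshot_url(tenant_id: str, blob_path: str,
                        ttl_seconds: int = 600, now: Optional[int] = None) -> str:
    """Return a tenant-scoped URL valid for ttl_seconds (default 10 minutes)."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    sig = hmac.new(SIGNING_KEY, _message(tenant_id, blob_path, expires),
                   hashlib.sha256).hexdigest()
    return f"{BASE_URL}/{tenant_id}/{blob_path}?{urlencode({'exp': expires, 'sig': sig})}"


def verify_screenshot_url(url: str, tenant_id: str, now: Optional[int] = None) -> bool:
    """Accept only unexpired links under the caller's own tenant_id/ prefix."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    path = parts.path.lstrip("/")
    prefix = f"{tenant_id}/"
    if not path.startswith(prefix):          # cross-tenant path: reject
        return False
    blob_path = path[len(prefix):]
    query = parse_qs(parts.query)
    try:
        expires = int(query["exp"][0])
        sig = query["sig"][0]
    except (KeyError, IndexError, ValueError):  # missing or malformed params
        return False
    if now >= expires:                        # link has expired
        return False
    expected = hmac.new(SIGNING_KEY, _message(tenant_id, blob_path, expires),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)  # constant-time comparison
```

Because the path and expiry are covered by the signature, changing either field, or presenting the link under another tenant, invalidates it.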
| Practice | What we do | Note |
|---|---|---|
| Secrets management | Key Vault + Container App env | No production secrets in source control |
| Dependency hygiene | Pinned dependencies | Python 3.11, FastAPI, Pydantic v2 |
| Automated tests | RBAC, feedback, database indexes | Run before production deploy |
| Release checkpoints | Versioned release tags | Documented rollback to prior production revision |
| Deploy discipline | Tagged container images | Unique image per Azure Container Apps revision |
| Backups | Atlas + blob soft-delete | Atlas M10 backup policy; Azure Blob 14-day soft delete |
| Monitoring | Azure Monitor action group | Ops alerts; pre-deploy verification checklist |
| Pre-cloud product gate | 220-app catalog + QA | Full catalog validated with wave launch before USA production scale |
| CI/CD path | Azure DevOps pipeline (manual release) | Tagged releases; prod approval gate on deploy |

Live health: the platform health endpoint reports the status of MongoDB and the storage backend. For questionnaires or a PDF leave-behind, use Contact or your pilot SOW.