Architecture & Security
Understand how EZ4Youtech protects data with BYOK, tenant isolation, and secure AI processing.
Secure Design Principles
Enterprise-ready patterns for BYOK AI — we do not claim SOC 2, ISO 27001, or HIPAA unless agreed in writing.
- Encryption — TLS in transit; BYOK keys encrypted at rest (Fernet in MongoDB)
- BYOK ownership — your organization's API keys; never logged or shared across tenants
- Tenant isolation — every request scoped by
tenant_idin JWT and storage paths - Role separation — tenant admins configure keys; agents run apps without handling secrets
Authentication and tenancy
- JWT on every authenticated API call — carries
tenant_id, industry, plan, and role - RBAC workspaces — platform ops, partner provisioning, tenant admin (BYOK only), agent app catalog
- Database and storage — all queries and S3-compatible paths prefixed by
tenant_id/ - bcrypt password hashing; login rate limiting per IP
BYOK and AI routing
- Tenant admin saves OpenAI, Together, and/or Anyscale keys once per tenant
- Keys encrypted at rest; decrypted only at runtime for the outbound provider call
- No API keys in application logs; agents select provider and model in the UI
- Training and retention follow your provider account policies — EZ4Youtech does not resell tokens or use your prompts to train public models
Application and data handling
- Plan-based gating — app catalog and agent seats enforced server-side (
plan_gating.py,seat_limits.py) - Document and run history — tenant-scoped uploads and analysis history; not stored on consumer chat platforms
- Security headers in production —
X-Content-Type-Options,X-Frame-Options,Referrer-Policy, HSTS whenAPP_ENV=production - Revenue model — platform subscription; we do not capture or sell client content for advertising or model training
See also Security overview and FAQ: vs consumer AI.
Deployment Model
One multi-tenant codebase; isolated client workspaces; USA-first cloud path.
- Public site — static HTML on CDN (
ez4youtech.com) - SaaS application — Streamlit UI + FastAPI API on a dedicated app host
- Data — MongoDB Atlas (tenants, users, keys) and S3-compatible object storage per tenant
- AI — BYOK router to your chosen provider per request
Production topology (target)
| Layer | Component | Role |
|---|---|---|
| Edge | S3 + CloudFront | Public site, assets, tutorials (static) |
| App UI | Streamlit | Agent and admin workspaces (app. subdomain) |
| API | FastAPI | Auth, tenant, BYOK, catalog app runs, contact |
| Database | MongoDB Atlas | Tenants, users, encrypted BYOK credentials, usage |
| Object storage | S3 | /tenant_id/documents/, workflows, run artifacts |
| AI providers | BYOK | OpenAI, Together, Anyscale — billed on your provider account |
| Observability | CloudWatch / Datadog | Logs, metrics, alerts (at scale) |
Request flow (agent run)
- Agent signs in → JWT issued with
tenant_idand plan. - Streamlit loads enabled apps from
GET /api/apps(plan-gated). - User submits a catalog app → API loads tenant BYOK key, routes via
ai_router. - Provider returns output → stored under tenant scope; usage recorded for dashboards.
Multi-tenant and Enterprise
- One deployment serves many clients — isolation by
tenant_id, not separate codebases per SMB - Enterprise — custom integrations (CRM, carriers) on the shared platform; optional regional hosting in SOW
- Environments — local dev (in-memory or Atlas); production secrets via host env (
JWT_SECRET_KEY,ENCRYPTION_KEY)
Monorepo reference: docs/architecture_context.md in the EZ4Youtech repository. Deploy order: docs/tomorrow_local_and_security_plan.md.