Register Owner: CTO
Effective Date: June 13, 2026
Reviewed: On material architecture change and at least annually
Frameworks: SOC 2 (network diagram; supports CC6.x), ISO 27001 A.8.20–A.8.22.
Effective Date: June 13, 2026
Reviewed: On material architecture change and at least annually
Frameworks: SOC 2 (network diagram; supports CC6.x), ISO 27001 A.8.20–A.8.22.
arbi-ai/arbi-app). It complements the SOC 2 System Description and the carve-out boundary described there.
Trust zones & data flow
Network segregation
- Single ingress, outbound-only tunnel: all external traffic enters through Cloudflare (TLS termination, WAF, Cloudflare Access). The
cloudflaredconnector runs inside the cluster and dials outbound to Cloudflare, so the cluster exposes no inbound ports, public IPs, or load balancers. Customer traffic reaches only the API; the in-cluster admin panel is reachable only behind Cloudflare Access (Zero Trust). - Separate customer and admin systems: the customer frontend (Next.js SPA) is a distinct system hosted on Vercel; the admin panel is a separate Next.js app running in the RKE2 cluster (not Vercel), gated by Cloudflare Access. They do not share a host.
- Internal-only services: the document-templates service is not externally accessible — it is reachable only from the backend API over the internal cluster network; no ingress path reaches it.
- Cluster isolation: API, worker, and template workloads run on self-managed Kubernetes (RKE2) with namespace isolation and network policies restricting east-west traffic; data stores (Postgres, OpenSearch, Redis) are reachable only from within the cluster network.
- Environment separation: staging (
develop) and production (main) are separate; deploys are gated (see Change Management). - Operator access: administrative/deploy access is via Cloudflare Access + GitHub-OIDC→Vault (no long-lived deploy credentials); the admin panel authenticates separately (better-auth).
Components (from the application repo)
| Layer | Technology |
|---|---|
| Edge / ingress | Cloudflare (TLS, WAF, Access/Zero Trust). The cloudflared tunnel connector runs in-cluster and establishes an outbound-only tunnel to Cloudflare — no inbound ports or public load balancers are exposed |
| API | FastAPI (Python 3.12+), uvicorn/gunicorn, on self-managed Kubernetes (RKE2) |
| Workers | Temporal.io activity workers (Temporal Cloud, mTLS) |
| Customer frontend | Next.js (React) SPA hosted on Vercel (edge); the browser-served app calls the backend API through Cloudflare. Separate system from the admin panel. |
| Admin panel | Separate Next.js app (better-auth) running in-cluster (RKE2), reachable only behind Cloudflare Access (Zero Trust) — not on Vercel and not publicly exposed. |
| Data | PostgreSQL, OpenSearch, Redis (reachable only from the cluster network); Vultr Object Storage (S3-compatible, managed) for resumes/exports/uploads — not in-cluster |
| Ingest | Kubernetes CronJob (monthly PDL → DuckDB → Postgres → OpenSearch) |
| Auth | WorkOS (OIDC/SSO, MFA); better-auth (admin) |
| Secrets | HashiCorp Vault (GitHub-OIDC); Kubernetes secrets; Fernet for at-rest credential encryption |
| Observability | Better Stack (OTLP traces + logs); Postgres audit-event log |
Reconciliation notes (flag for the System Description / Subprocessor List)
Notes on the architecture as reconciled with the product and the compliance docs:- Orchestration: all production deployments run on self-managed Kubernetes (RKE2). (The Docker Swarm compose in the application repo is the demo/reference environment, not production.) RKE2 is self-hosted on Neuroscale’s cloud compute (the underlying IaaS providers are in the Subprocessor List); it is not a managed Kubernetes service (EKS/VKE).
- Object storage: primary file storage (resumes, exports, uploads) is Vultr Object Storage (S3-compatible, US, managed — not in-cluster); a separate OVH (US) bucket holds LinkedIn avatar images. Both US-region; both in the subprocessor list.
- Subprocessors: the Subprocessor List is the source of truth; vendors that process Customer Personal Data (incl. Nylas, Unipile, OVH US, Stripe) are listed there. Tools that process no Customer Personal Data (e.g., Firecrawl, Perplexity, Bright Data, Logo.dev) are tracked in the Vendor Inventory but are not customer sub-processors.
- AI providers: Anthropic (default) + Cerebras (fallback) via Portkey are in the current backend config; OpenAI and xAI remain approved AI providers per the AI Acceptable Use Policy.
Cross-references
Version history
| Version | Date | Description | Author | Approved by |
|---|---|---|---|---|
| 1.0 | June 13, 2026 | Initial network & architecture diagram, derived from the arbi-app repository. | Cameron Wolfe | Ishan Jadhwani |