Document ID: DOC-009

Technical Specifications

System architecture, security controls, and technical infrastructure details for insurance carrier IT teams and compliance reviewers conducting due diligence.

Infrastructure Overview

Application Hosting

Vercel

Database

Supabase (AWS)

CDN

Vercel Edge Network

Primary Region

US-East-1 (primary)

Provider Certifications

SOC 2 Type II

Vercel

SOC 2 Type II

Supabase

PCI DSS Level 1

Stripe

ISO 27001

AWS

System Architecture

Layered architecture with security controls at each level.

Presentation Layer

Components

Next.js 14 FrontendReact Server ComponentsTailwindCSSVercel Edge Network

Security Controls

CSP HeadersXSS ProtectionHTTPS Only

Application Layer

Components

Next.js API RoutesServer ActionsAuthentication MiddlewareRate Limiting

Security Controls

JWT/Session AuthInput ValidationCORS Policy

Business Logic Layer

Components

Policy EngineRating CalculatorClaims ProcessorCompliance Engine

Security Controls

Role-Based AccessAudit LoggingData Validation

Data Layer

Components

PostgreSQL (Supabase)Redis CacheDocument StorageBackup Systems

Security Controls

Encryption at RestRow-Level SecurityConnection Encryption

Integration Layer

Components

Stripe PaymentsEmail ServicesCarrier APIsPartner Webhooks

Security Controls

API Key ManagementWebhook SignaturesTLS 1.3

Security Controls Summary

Key security controls implemented across the platform.

Encryption

Data in TransitTLS 1.3, HTTPS enforced

Data at RestAES-256-GCM

Database ConnectionsSSL/TLS required

API CommunicationsTLS 1.3

Authentication

User AuthNextAuth.js with secure sessions

API AuthAPI keys with scoped permissions

Admin AuthMFA required

Partner AuthOAuth 2.0 / API keys

Access Control

AuthorizationRole-based (RBAC)

DatabaseRow-level security (RLS)

Admin AccessPrinciple of least privilege

AuditAll access logged

Network Security

FirewallCloud WAF enabled

DDoS ProtectionVercel DDoS mitigation

Rate LimitingPer-IP and per-user limits

Bot ProtectionChallenge/CAPTCHA on forms

API Security Specifications

Endpoint	Authentication	Rate Limit	Encryption	Validation
Public API	API Key (header)	1000/hour	TLS 1.3	JSON Schema
Partner API	OAuth 2.0 / API Key	5000/hour	TLS 1.3	JSON Schema + Business Rules
Webhook Endpoints	HMAC-SHA256 Signature	N/A (inbound)	TLS 1.3	Signature + Schema
Admin API	Session + MFA	500/hour	TLS 1.3	Strict Schema + RBAC

Business Continuity & Disaster Recovery

Recovery objectives and backup procedures.

Recovery Point Objective

1 hour

Maximum acceptable data loss

Recovery Time Objective

4 hours

Maximum acceptable downtime

Backup Schedule

Continuous

Point-in-time recovery available

Backup Retention

30 days incremental, 1 year monthly

Backup Locations

Multi-region (US-East, US-West)

DR Testing

Quarterly

Performance Metrics

Metric	Target	Current
API Response Time (p50)	<100ms	~65ms
API Response Time (p99)	<500ms	~250ms
Page Load Time	<2s	~1.2s
Uptime SLA	99.9%	99.95%
Database Query Time	<50ms	~25ms

Data Flow Diagrams

Policy Purchase

1User submits quote request
2Data validated at edge
3Rating engine calculates premium
4User completes checkout
5Payment processed via Stripe
6Policy issued, documents generated
7Confirmation email sent
8Audit log entry created

Partner Integration (API)

1Partner authenticates via API key
2Request validated against schema
3Rate limit checked
4Business logic executed
5Response returned
6Webhook sent (if configured)
7Transaction logged

Related Documentation:Data Security Integration Compliance Glossary

System Architecture

Layered architecture with security controls at each level.

Presentation Layer

Components

Next.js 14 FrontendReact Server ComponentsTailwindCSSVercel Edge Network

Security Controls

CSP HeadersXSS ProtectionHTTPS Only

Application Layer

Components

Next.js API RoutesServer ActionsAuthentication MiddlewareRate Limiting

Security Controls

JWT/Session AuthInput ValidationCORS Policy

Business Logic Layer

Components

Policy EngineRating CalculatorClaims ProcessorCompliance Engine

Security Controls

Role-Based AccessAudit LoggingData Validation

Data Layer

Components

PostgreSQL (Supabase)Redis CacheDocument StorageBackup Systems

Security Controls

Encryption at RestRow-Level SecurityConnection Encryption

Integration Layer

Components

Stripe PaymentsEmail ServicesCarrier APIsPartner Webhooks

Security Controls

API Key ManagementWebhook SignaturesTLS 1.3

Security Controls Summary

Key security controls implemented across the platform.

Encryption

Data in TransitTLS 1.3, HTTPS enforced

Data at RestAES-256-GCM

Database ConnectionsSSL/TLS required

API CommunicationsTLS 1.3

Authentication

User AuthNextAuth.js with secure sessions

API AuthAPI keys with scoped permissions

Admin AuthMFA required

Partner AuthOAuth 2.0 / API keys

Access Control

AuthorizationRole-based (RBAC)

DatabaseRow-level security (RLS)

Admin AccessPrinciple of least privilege

AuditAll access logged

Network Security

FirewallCloud WAF enabled

DDoS ProtectionVercel DDoS mitigation

Rate LimitingPer-IP and per-user limits

Bot ProtectionChallenge/CAPTCHA on forms

API Security Specifications

Endpoint	Authentication	Rate Limit	Encryption	Validation
Public API	API Key (header)	1000/hour	TLS 1.3	JSON Schema
Partner API	OAuth 2.0 / API Key	5000/hour	TLS 1.3	JSON Schema + Business Rules
Webhook Endpoints	HMAC-SHA256 Signature	N/A (inbound)	TLS 1.3	Signature + Schema
Admin API	Session + MFA	500/hour	TLS 1.3	Strict Schema + RBAC

Business Continuity & Disaster Recovery

Recovery objectives and backup procedures.

Recovery Point Objective

1 hour

Maximum acceptable data loss

Recovery Time Objective

4 hours

Maximum acceptable downtime

Backup Schedule

Continuous

Point-in-time recovery available

Backup Retention

30 days incremental, 1 year monthly

Backup Locations

Multi-region (US-East, US-West)

DR Testing

Quarterly

Metric

Target

Current

API Response Time (p50)

<100ms

~65ms

API Response Time (p99)

<500ms

~250ms

Page Load Time

<2s

~1.2s

Uptime SLA

99.9%

99.95%

Database Query Time

<50ms

~25ms

Data Flow Diagrams

Policy Purchase

1User submits quote request
2Data validated at edge
3Rating engine calculates premium
4User completes checkout
5Payment processed via Stripe
6Policy issued, documents generated
7Confirmation email sent
8Audit log entry created

Partner Integration (API)

1Partner authenticates via API key
2Request validated against schema
3Rate limit checked
4Business logic executed
5Response returned
6Webhook sent (if configured)
7Transaction logged