An architecture built for trust.
Layered, observable, and isolated. Designed so the parts you depend on are the parts that fail safely.
Each layer does one thing well.
The shape of the platform is on purpose: small surfaces, clear boundaries, and observability at every layer.
Layered services
UI, application, data, and infrastructure live as separate layers with explicit contracts between them.
Tenant isolation
Workspaces are logically isolated with strong access controls and scoped data boundaries.
Encryption
Northwind is designed to use encryption in transit and encrypted storage across core systems, with platform-managed key practices.
Observable
Key layers emit structured logs, traces, and audit events. The same trail you use is the one we use.
Defense in depth
Multiple controls sit between the public surface and anything sensitive. Failure modes are contained, not catastrophic.
Recoverable
Backup and recovery controls are built into the platform architecture.
Versioned contracts
Internal contracts between layers are versioned. Releases stage behind contract changes so dependents do not break unexpectedly.
Independently deployable
Layers are designed to be deployable independently, so a fix or feature in one place does not require redeploying the rest.
Where each piece runs, and why.
The marketing site, the application UI, the API, the data plane, and the underlying infrastructure all live as separate layers. Each one is independently deployable, independently observable, and bounded by an explicit contract, not a shared object graph.
That separation matters when something goes wrong. A regression in a UI layer cannot escalate into a data corruption event, because the data layer does not trust UI inputs unconditionally; it validates against the same schema that ingestion produced. A deploy to the application layer does not change the audit format, because the audit format is owned by a different service.
You should not have to read this page to feel that the platform is solid. But if you do read it, the parts should line up with what your security team expects to find.
- Public surface kept narrow: most services are private and reachable only through a small audited gateway.
- Data plane is the source of truth: no important state lives in a side service.
- Audit format is owned by its own service: application releases do not change it.
Have a security questionnaire? We can fill it in.
Send us your standard SIG, CAIQ, or vendor-questionnaire template, and we can return it with cited responses based on current controls.