| Component | Function | Key Controls |
|---|---|---|
| Cloudflare | WAF, CDN, DDoS protection, DNS, rate limiting | TLS full-strict, DNSSEC, OWASP WAF rules |
| GCP Cloud Run (web) | Next.js frontend, BFF API routes, SSR/SSE proxy | Branch-based environments via Cloud Build, Doppler secrets, IAM-controlled deployments |
| Supabase | PostgreSQL, Auth, Row-Level Security | RLS by org_id, AES-256 at rest, PITR, env isolation |
| GCP Cloud Run (agents) | FastAPI agent service, LangGraph execution | Doppler secrets, branch-based environments via Cloud Build |
| Supabase Auth | Identity provider, MFA, SSO, OAuth, email/password | JWT tokens with custom_access_token_hook, RLS policy enforcement |
| Anthropic | Claude LLM (Cloud Run → Anthropic API) | TLS in transit, DPA governs data use |
| Doppler | Secrets management | Role-based access, audit trail, native sync to Cloud Run/Supabase |

```
            ┌─────────────────┐
            │    Customer     │
            │     Browser     │
            └────────┬────────┘
                     │ HTTPS (TLS 1.2+)
                     ▼
            ┌─────────────────┐
            │   Cloudflare    │
            │   WAF / CDN /   │
            │   DDoS / DNS    │
            └────────┬────────┘
                     │ HTTPS (TLS 1.2+)
                     ▼
            ┌─────────────────┐
            │  GCP Cloud Run  │
            │   Next.js App   │
            │ BFF API Routes  │
            │ SSR / SSE Proxy │
            └───┬─────────┬───┘
                │         │
          HTTPS │         │ HTTPS
     (TLS 1.2+) │         │ (TLS 1.2+)
                ▼         ▼
        ┌────────────┐  ┌──────────────┐
        │ Supabase   │  │  GCP Cloud   │
        │ PostgreSQL │  │ Run (agents) │
        │ Auth / RLS │  │  FastAPI /   │
        └────────────┘  │  LangGraph   │
                        └──────┬───────┘
                               │ HTTPS (TLS 1.2+)
                               ▼
                        ┌──────────────┐
                        │  Anthropic   │
                        │  Claude API  │
                        └──────────────┘

┌───────────────────────────────────────────────┐
│              Supporting Services              │
│                                               │
│  Doppler ─────── Secrets sync to all services │
│  Supabase Auth ─ Identity / Auth / OAuth      │
│  CrowdStrike ─── Endpoint protection          │
│  GCP Cloud Mon ─ Uptime / alerting / logging  │
│  GitHub ──────── Source control / CI/CD       │
│  1Password ───── Team credential management   │
│  Backblaze ───── Object storage / backups     │
└───────────────────────────────────────────────┘
```

| Segment | Protocol |
|---|---|
| Browser → Cloudflare | TLS 1.2+ (Cloudflare managed) |
| Cloudflare → GCP Cloud Run | TLS 1.2+ (Cloudflare Origin CA) |
| GCP Cloud Run → Supabase | TLS 1.2+ |
| GCP Cloud Run (web) → GCP Cloud Run (agents) | TLS 1.2+ |
| GCP Cloud Run (agents) → Anthropic | TLS 1.2+ |
| GCP Cloud Run (agents) → Supabase | TLS 1.2+ |

| System | Method |
|---|---|
| Supabase (PostgreSQL) | AES-256 (Supabase managed) |
| Backblaze B2 | AES-256 server-side |
| Google Workspace | AES-256 (Google managed) |
| 1Password | AES-256 + Secret Key (zero-knowledge) |
| Doppler | AES-256 (Doppler managed) |

All customer data is scoped by `org_id` (organization ID from Supabase Auth `custom_access_token_hook`). Row-Level Security with `current_setting('app.current_org_id')` enforces this at the database layer — isolation is enforced by data policy, not by separate infrastructure.
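
The isolation pattern described above, as an added PostgreSQL example that is not Meridian Seven's schema or code. The `documents` table, the `app_user` role and the UUIDs are hypothetical, and it assumes the application sets `app.current_org_id` once per transaction from the `org_id` claim of the verified token.

```sql
-- Added example for PostgreSQL. "documents", "app_user" and the UUIDs are
-- hypothetical; seed rows are constructed and inserted before RLS is enabled.
CREATE TABLE documents (
    org_id uuid NOT NULL,
    title  text NOT NULL
);
INSERT INTO documents (org_id, title) VALUES
    ('11111111-1111-1111-1111-111111111111', 'org A roadmap'),
    ('22222222-2222-2222-2222-222222222222', 'org B contract');

ALTER TABLE documents ENABLE ROW LEVEL SECURITY;
-- Without FORCE the table owner bypasses every policy on its own table.
ALTER TABLE documents FORCE ROW LEVEL SECURITY;

-- missing_ok = true yields NULL when the setting was never set, and NULLIF
-- covers the empty string left after a transaction-local value is reset.
-- A NULL comparison is never true, so a request with no tenant context
-- matches no rows instead of raising an error or matching everything.
CREATE POLICY org_isolation ON documents
    USING      (org_id = NULLIF(current_setting('app.current_org_id', true), '')::uuid)
    WITH CHECK (org_id = NULLIF(current_setting('app.current_org_id', true), '')::uuid);

-- The application connects as a role that neither owns the table nor has BYPASSRLS.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON documents TO app_user;
SET ROLE app_user;

BEGIN;
-- is_local = true scopes the tenant to this transaction, so a pooled
-- connection cannot carry one tenant's context into the next request.
SELECT set_config('app.current_org_id', '11111111-1111-1111-1111-111111111111', true);
-- USING filters reads to rows of the current tenant.
SELECT org_id, title FROM documents;
-- WITH CHECK refuses a write that names a different tenant's org_id.
INSERT INTO documents (org_id, title)
VALUES ('22222222-2222-2222-2222-222222222222', 'cross-tenant write');
ROLLBACK;

-- The tenant context ended with the transaction; the policy now matches nothing.
SELECT count(*) FROM documents;
RESET ROLE;
```

Superusers and roles with `BYPASSRLS` are never subject to the policy, so the role the application connects as must be neither.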

| System | What It Monitors |
|---|---|
| CrowdStrike Falcon | Endpoint threats, malware, suspicious processes |
| GCP Cloud Monitoring | Uptime checks, API health, alert policies, log anomalies, SSL expiry |
| Dependabot | Dependency vulnerabilities |
| Google Workspace | Suspicious sign-ins, admin changes, DLP |
| 1Password Watchtower | Compromised credentials, weak passwords |
- No raw payment card data stored — Stripe handles all payment processing (PCI DSS compliant)
- Customer data residency: United States
- No customer data used for model training — governed by Anthropic DPA
- All administrative access requires MFA; no SSH or direct server access exists
- Infrastructure is fully serverless/managed — no OS-level patching required
- Information Security Policy
- Data Classification Policy
- Backup and Recovery Policy
- Incident Response Plan

Meridian Seven — Confidential