Technical description for IT
Detailed information about the architecture, security and operations of ProfiBrew. Aimed at IT leads at customer sites and partners.
Summary
ProfiBrew is a modern cloud SaaS application built on Next.js + PostgreSQL + Supabase. We host in West EU (Ireland), data is isolated at the database level (RLS) and all traffic flows over HTTPS/TLS. Automatic daily backups, automatic security patching, no install at the customer.
1. Application layer
Next.js 14 (App Router) — full-stack framework by Vercel on top of React. TypeScript strict mode — type safety across the stack reduces runtime errors. UI: shadcn/ui + Tailwind CSS, localisation via next-intl (cs/en). All inputs validated with Zod.
2. Data layer
PostgreSQL running on Supabase — the long-standing standard for enterprise systems, ACID, wide ecosystem support. Drizzle ORM — type-safe access, no SQL injection from the application layer. Migrations versioned in Git, applied automatically in CI/CD.
3. Multi-tenant isolation
Three layers: (1) Database — Row Level Security (RLS) in PostgreSQL, a mandatory policy on every tenant-scoped table. An application bug can't lead to a cross-tenant leak. (2) API — middleware on every endpoint checks authentication, RBAC and module access (subscription gating). (3) Frontend — tenant context held in a React context, no sensitive identifiers in URLs or localStorage.
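To make the database layer concrete, the following is an added illustration (not ProfiBrew's own schema or policies) of a tenant-scoped table protected by a mandatory RLS policy on Supabase, plus a query that flags any public table carrying a tenant_id column without RLS enabled and forced. It assumes a hypothetical table name and that the tenant id travels in the JWT under app_metadata.tenant_id.

```sql
-- Added example, not the project's schema. Hypothetical tenant-scoped table.
create table batches (
  id        uuid primary key default gen_random_uuid(),
  tenant_id uuid not null,
  name      text not null
);

-- Enable RLS and FORCE it so that even the table owner is subject to the
-- policy; without FORCE an owning role silently bypasses every policy.
alter table batches enable row level security;
alter table batches force row level security;

-- One policy for all operations on the Supabase "authenticated" role.
-- The tenant id is read from the JWT; claim path app_metadata.tenant_id
-- is an assumption. USING filters reads, WITH CHECK guards writes so a
-- row can never be inserted or moved into another tenant.
create policy tenant_isolation on batches
  for all
  to authenticated
  using      (tenant_id = (auth.jwt() -> 'app_metadata' ->> 'tenant_id')::uuid)
  with check (tenant_id = (auth.jwt() -> 'app_metadata' ->> 'tenant_id')::uuid);

-- Drift check for "mandatory policy on every tenant-scoped table":
-- lists public tables that have a tenant_id column but do not have
-- RLS both enabled and forced. An empty result is the expected state.
select c.relname
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
join pg_attribute a on a.attrelid = c.oid
                   and a.attname = 'tenant_id'
                   and not a.attisdropped
where n.nspname = 'public'
  and c.relkind = 'r'
  and not (c.relrowsecurity and c.relforcerowsecurity);
```

The drift query is suited to a CI step run after migrations, since a new tenant-scoped table added without a policy is exactly the bug RLS is meant to contain. Note that Supabase's service_role key bypasses RLS by design, so it must stay server-side and never reach the browser.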
4. Authentication and authorisation
Supabase Auth — JWT, OAuth, magic links. RBAC: 5 system roles (owner, admin, brewer, sales, viewer) + a granular permissions matrix (module × operation × agenda). Module Access Control: 4 layers (middleware, layout, UI, API) — cannot be bypassed by direct API call. TOTP 2FA — enforced for superadmin, optional for others.
5. Hosting and infrastructure
App: Vercel — global edge network, automatic scaling, HTTPS with automatic certificate rotation. Database: Supabase on AWS, location West EU (Ireland). CI/CD: GitHub Actions — automated tests, migrations and deployment. Three strictly separated environments: local development, staging, production.
6. Backup and recovery
Automatic daily database backups at the infrastructure level. Versioned migrations — schema fully auditable.
7. GDPR compliance
All data in European data centres (West EU – Ireland). Data Processing Agreements (DPAs) with subprocessors (Vercel, Supabase). Mechanism for data export (CSV/Excel) and on-request tenant data deletion.
8. Encryption and transport
Transport: HTTPS/TLS, no plain traffic. At rest: database and backups encrypted at the infrastructure level (Supabase / AWS). Sensitive tokens (CRON secret, API keys) in environment variables, never in the repo.
9. Monitoring and auditability
Structured logs for API calls. Audit trail of significant operations in the database (tenant_activity_log), visible to tenants. Error tracking for proactive detection and resolution of operational issues.
10. Operations model
No install at the customer. Zero admin on the brewery side. Zero-downtime updates — Vercel deployment is atomic, the deploy is invisible to users. SLA derived from Vercel and Supabase guarantees.