Frontend
Next.js
v16 · App Router
React 19 with Server Components, ISR for reports, and RSC for consistent UX.
Modern stack, secure BFF architecture, documented cloud deployment, and the same stack in demo and production. What your CIO needs to see before approving the purchase — without inflated marketing.
Technology stack
Every stack piece is a documented choice with rationale behind it. No legacy frameworks or abandoned dependencies.
Frontend
v16 · App Router
React 19 with Server Components, ISR for reports, and RSC for consistent UX.
UI Layer
v5 · strict mode
Strict TypeScript across the frontend. Shared types between client and server.
Backend
async · Python 3.12
Async backend with Pydantic v2 validation. Auto-generated OpenAPI.
Database
v16 · Neon hosted
Versioned schema, indexes verified on every deploy, automatic backups.
Object storage
Cloudflare R2
Photo evidence with free egress. Optional multi-region backup.
Integration
REST · OData · SQL
REST connector with OAuth2 or Basic Auth. Multi-connector via versioned profiles.
Hosting
+ Cloudflare
Cloud-native with auto-deploy from main. Global CDN for static assets.
Auth
HttpOnly · SameSite
BFF pattern: the token never reaches the browser as JS. SAML/OIDC SSO on the roadmap.
BFF architecture
Backend-for-Frontend: three layers, JWT in HttpOnly cookie, API never exposed to the client. ERP credentials live in Stocktech's backend, not in the user's browser JS.
User · Browser
Browser · React 19 SSR
HTTPS · HttpOnly cookie · Strict CSP
BFF layer · Next.js
Next.js 16 · App Router
Server Actions · Middleware · Rate limit · CSRF token
Backend API
FastAPI async · Python 3.12
REST · OpenAPI · Pydantic v2 · RBAC · audit
Internal services
PostgreSQL 16
Master + logs
S3 / R2
Photos · DUA · PDF
Async jobs
ERP sync · reports
External systems
ERP / DMS
REST · OAuth2
SMTP / Email
Resend · SES
WhatsApp Business
Cloud API
Security
BFF pattern, encrypted credentials, granular RBAC, immutable audit. No black boxes.
JWT in HttpOnly cookie, strict SameSite, configurable expiry, and refresh token. Verified in the middleware on every request.
ERP credentials never reach the browser. Encrypted at rest with authenticated symmetric encryption, accessed only by the authenticated backend.
Every status change, every ERP call, and every login is recorded with who, when, and what.
Point-in-Time Recovery (PITR) via Neon. Daily encrypted backups and a documented DR plan.
Multi-tenant with branch-level row isolation (RLS) and storage isolation. Enterprise tenants can be dedicated.
Role-based access control with 13 roles and 35 granular permissions. Branch scopes. Permission changes audited.
Deployment models
RECOMMENDED
Isolated tenants on shared infrastructure. Render + Cloudflare + Neon. Default choice: fast to provision, cost-efficient, demo-production parity.
ENTERPRISE · on demand
For customers with strict isolation or data residency policies: dedicated instance in your cloud (BYOC) or ours with separate infra. Same stack, same capabilities.
Performance and scale
0.0%
Uptime SLA
Target guaranteed by Enterprise contract.
<0ms
API P95
OLTP endpoints under load testing (k6). P99 < 500ms.
0k
Vehicles / tenant
Validated in the cloud demo. Scalable on demand.
<0min
Disaster recovery RPO
Recovery Point Objective with PITR. RTO < 4h.
The 2–4 week technical PoC validates integration, performance, and security in your context, with your real ERP/DMS, before any license commitment.