Technology · architecture · security

Serious SaaS. Not legacy in disguise.

Modern stack, secure BFF architecture, documented cloud deployment, and the same stack in demo and production. What your CIO needs to see before approving the purchase — without inflated marketing.

Next.js 16FastAPIPostgreSQLS3 / R2JWT cookieERP/DMS REST

Technology stack

Current technology. Explicit decisions.

Every stack piece is a documented choice with rationale behind it. No legacy frameworks or abandoned dependencies.

Frontend

Next.js

v16 · App Router

React 19 with Server Components, ISR for reports, and RSC for consistent UX.

UI Layer

TypeScript

v5 · strict mode

Strict TypeScript across the frontend. Shared types between client and server.

Backend

FastAPI

async · Python 3.12

Async backend with Pydantic v2 validation. Auto-generated OpenAPI.

Database

PostgreSQL

v16 · Neon hosted

Versioned schema, indexes verified on every deploy, automatic backups.

Object storage

S3 / R2

Cloudflare R2

Photo evidence with free egress. Optional multi-region backup.

Integration

ERP/DMS REST

REST · OData · SQL

REST connector with OAuth2 or Basic Auth. Multi-connector via versioned profiles.

Hosting

Render

+ Cloudflare

Cloud-native with auto-deploy from main. Global CDN for static assets.

Auth

JWT + Cookie

HttpOnly · SameSite

BFF pattern: the token never reaches the browser as JS. SAML/OIDC SSO on the roadmap.

BFF architecture

The browser never talks to your ERP/DMS. By design.

Backend-for-Frontend: three layers, JWT in HttpOnly cookie, API never exposed to the client. ERP credentials live in Stocktech's backend, not in the user's browser JS.

User · Browser

UX

Browser · React 19 SSR

HTTPS · HttpOnly cookie · Strict CSP

BFF layer · Next.js

BFF

Next.js 16 · App Router

Server Actions · Middleware · Rate limit · CSRF token

Backend API

API

FastAPI async · Python 3.12

REST · OpenAPI · Pydantic v2 · RBAC · audit

Internal services

DB

PostgreSQL 16

Master + logs

S3

S3 / R2

Photos · DUA · PDF

JOB

Async jobs

ERP sync · reports

External systems

ERP

ERP / DMS

REST · OAuth2

@

SMTP / Email

Resend · SES

WA

WhatsApp Business

Cloud API

Security

What IT asks before approving.

BFF pattern, encrypted credentials, granular RBAC, immutable audit. No black boxes.

Robust authentication

JWT in HttpOnly cookie, strict SameSite, configurable expiry, and refresh token. Verified in the middleware on every request.

  • Short-lived JWT + refresh token
  • Verified in the middleware on every request
  • Rate limiting on login (429 on abuse)
  • SAML/OIDC SSO on the roadmap

Protected credentials

ERP credentials never reach the browser. Encrypted at rest with authenticated symmetric encryption, accessed only by the authenticated backend.

  • Authenticated symmetric encryption at rest (Fernet)
  • TLS in transit · HSTS
  • Encryption key in an environment variable, outside the code
  • No secrets in logs or backups

Immutable audit

Every status change, every ERP call, and every login is recorded with who, when, and what.

  • Log of changes per vehicle (who, when, what)
  • Production errors and alerts via Sentry
  • Configurable retention
  • Search by user, event, or resource

Backups and recovery

Point-in-Time Recovery (PITR) via Neon. Daily encrypted backups and a documented DR plan.

  • Point-in-Time Recovery (PITR) via Neon
  • Target RPO / RTO in Enterprise contract
  • Documented restore procedure
  • Encrypted backups

Data isolation

Multi-tenant with branch-level row isolation (RLS) and storage isolation. Enterprise tenants can be dedicated.

  • Row-Level Security (RLS) per branch in PostgreSQL
  • Photo storage separated per tenant
  • Dedicated tenant option (Enterprise)
  • RLS isolation QA (demo + staging)

Access control

Role-based access control with 13 roles and 35 granular permissions. Branch scopes. Permission changes audited.

  • 13 preconfigured roles
  • Scopes per branch
  • Custom permissions in Enterprise
  • Immediate revocation

Deployment models

Cloud multitenant. Your cloud. Or our dedicated one.

RECOMMENDED

Stocktech multitenant cloud

Isolated tenants on shared infrastructure. Render + Cloudflare + Neon. Default choice: fast to provision, cost-efficient, demo-production parity.

Provisioning
<1 day
Updates
Continuous, zero downtime
Isolation
By organization_id + dedicated bucket
Regions
US-East · EU-West · LATAM (coming)
Cost
Included in license

ENTERPRISE · on demand

Dedicated tenant · your cloud or ours

For customers with strict isolation or data residency policies: dedicated instance in your cloud (BYOC) or ours with separate infra. Same stack, same capabilities.

Provisioning
2–4 weeks
Cloud
AWS · Azure · GCP · your account or ours
Data residency
Guaranteed specific region
VPN / PrivateLink
Available for on-prem ERP/DMS
Cost
NRE + monthly uplift on Enterprise

Performance and scale

Reference figures. Measured and target.

0.0%

Uptime SLA

Target guaranteed by Enterprise contract.

<0ms

API P95

OLTP endpoints under load testing (k6). P99 < 500ms.

0k

Vehicles / tenant

Validated in the cloud demo. Scalable on demand.

<0min

Disaster recovery RPO

Recovery Point Objective with PITR. RTO < 4h.

Want to validate the architecture in a technical PoC?

The 2–4 week technical PoC validates integration, performance, and security in your context, with your real ERP/DMS, before any license commitment.