Architecture & Security
Understand how EZ4YouTech.com protects data with BYOS, tenant isolation, and secure AI processing.
Secure Design Principles
Enterprise-ready patterns for BYOS AI; we do not claim SOC 2, ISO 27001, or HIPAA compliance unless agreed in writing.
- Encryption: TLS in transit; AI subscription credentials encrypted at rest (Fernet in MongoDB)
- BYOS ownership: your organization's API keys; never logged or shared across tenants
- Tenant isolation: every request scoped by tenant_id in JWT and storage paths
- Role separation: tenant admins configure keys; agents run apps without handling secrets
Authentication and tenancy
- JWT on every authenticated API call: carries tenant_id, industry, plan, and role
- RBAC workspaces: platform ops, partner provisioning, tenant admin (BYOS only), agent app catalog
- Database and storage: all queries and Azure Blob paths prefixed by tenant_id/
- bcrypt password hashing; login rate limiting per IP
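The request scoping described above, as an added example written for this page (not EZ4YouTech.com's own code): an HS256 JWT is verified with a pinned algorithm, and the verified tenant_id, not anything in the request body, drives the Blob path prefix, the Mongo query filter and the server-side plan gate. The demo secret, the plan names and the `documents/` path segment are assumptions; the page says the real JWT key lives in Azure Key Vault.

```python
import base64, hashlib, hmac, json, time

# Constructed demo secret; the production key is held in Azure Key Vault, not in code.
JWT_SECRET = b"demo-secret-not-for-production"
PLAN_LADDER = ["starter", "pro", "enterprise"]  # assumed plan names for the gating demo

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def issue_jwt(claims: dict, secret: bytes = JWT_SECRET) -> str:
    """Mint an HS256 token carrying tenant_id, industry, plan and role (login step)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def verify_jwt(token: str, secret: bytes = JWT_SECRET, now: float = None) -> dict:
    """Per-call check: pinned alg, constant-time signature compare, expiry, tenant_id present."""
    parts = token.split(".")
    if len(parts) != 3:
        raise PermissionError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise PermissionError("unexpected alg")  # rejects 'alg: none' and algorithm confusion
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise PermissionError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise PermissionError("expired")
    if not claims.get("tenant_id"):
        raise PermissionError("missing tenant_id")
    return claims

def blob_path(claims: dict, filename: str) -> str:
    """Storage path is prefixed by the verified tenant_id; a user-supplied name may not escape it."""
    if "/" in filename or "\\" in filename or filename in ("", ".", ".."):
        raise ValueError("invalid filename")
    return f"{claims['tenant_id']}/documents/{filename}"

def mongo_filter(claims: dict, extra: dict = None) -> dict:
    """tenant_id comes from the token, never from the request, so a client cannot widen the query."""
    return {"tenant_id": claims["tenant_id"], **(extra or {})}

def can_run_app(claims: dict, app_min_plan: str) -> bool:
    """Plan gating enforced server-side before an app from the catalog is served."""
    return PLAN_LADDER.index(claims["plan"]) >= PLAN_LADDER.index(app_min_plan)
```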
BYOS and AI routing
- Tenant admin saves supported provider API keys once per tenant (OpenAI, Together, Groq, xAI Grok, and others — see supported providers)
- Keys encrypted at rest; decrypted only at runtime for the outbound provider call
- No API keys in application logs; agents select provider and model in the UI
- Training and retention follow your provider account policies: EZ4YouTech.com does not resell tokens or use your prompts to train public models
Application and data handling
- Plan-based gating: app catalog and agent seats enforced server-side
- Document and run history: tenant-scoped uploads and analysis history; not stored on consumer chat platforms
- Security headers in production: X-Content-Type-Options, X-Frame-Options, Referrer-Policy, HSTS
- Revenue model: platform subscription; we do not capture or sell client content for advertising or model training
See also Platform → Security and FAQ: vs consumer AI.
Deployment Model
One multi-tenant codebase; isolated client workspaces; USA-first cloud path.
- Public site: static HTML on CDN (ez4youtech.com)
- SaaS application: Next.js workspace UI + FastAPI API on Azure Container Apps
- Data: MongoDB Atlas (M10) and Azure Blob per tenant
- AI: BYOS router to your chosen provider per request
Production topology (USA: May 2026)
| Layer | Component | Role |
|---|---|---|
| Edge | HTTPS + CDN | Marketing site, assets, tutorials (static) |
| Compute | Azure Container Apps | Next.js workspace UI + FastAPI API |
| Secrets | Azure Key Vault | JWT, encryption key, Mongo URI, not in git |
| Database | MongoDB Atlas (M10) | Tenants, users, encrypted subscription credentials, usage, feedback |
| Object storage | Azure Blob | tenant_id/ documents, workflows, error screenshots |
| Email | AWS SES | Contact form (transactional) |
| AI providers | BYOS | OpenAI, Together AI, Groq, Fireworks AI, DeepSeek, Mistral AI, xAI (Grok), OpenRouter, and Azure OpenAI, your provider account |
| Observability | Azure Monitor | Alerts; application logs redact PII and secrets |
Full technology stack & DevSecOps tables on the Security page.
Request flow (agent run)
- Agent signs in → JWT issued with tenant_id and plan; optional AI use notice on first workspace entry each session.
- Next.js workspace loads enabled apps from GET /api/apps (plan-gated).
- User completes intake (or uses Use sample inputs) → API loads tenant API key and routes to the selected provider.
- Provider returns output → stored under tenant scope; usage recorded for dashboards.
Multi-tenant and Enterprise
- One deployment serves many clients: isolation by tenant_id, not separate codebases per SMB
- Enterprise: custom integrations (CRM, carriers) on the shared platform; optional regional hosting in SOW
- Environments: local dev (in-memory or Atlas); production secrets via Key Vault and Container App configuration
Additional architecture and deployment detail available on request for security questionnaires and Enterprise SOWs.