SECURITY

Architecture Overview

Last updated: 21 April 2026v1

Architecture Overview

Version: 1.0
Last updated: April 2026
Contact: security@gatewaychecker.co.uk

Summary

Gatewaychecker is a serverless SaaS built on Next.js (App Router), Supabase, and Anthropic Claude Sonnet. Document analysis runs in a Supabase Edge Function outside the web-facing application server, eliminating serverless timeout constraints and isolating AI processing from the request path. All primary data remains within the EU.

System Architecture

┌─────────────────────────────────────────────────────────────────┐
│                      Customer Browser                            │
│           Next.js App Router  ·  React Server Components         │
└─────────────────────────────┬───────────────────────────────────┘
                              │  HTTPS / TLS 1.2+
                              ▼
┌─────────────────────────────────────────────────────────────────┐
│            Vercel Edge Network  ·  Frankfurt, EU                 │
│                                                                  │
│  Next.js 16 App Router  ·  Serverless Functions                  │
│  /api/extract   /api/analyse   /api/submissions   /api/*         │
└──────────────┬───────────────────────────────────┬──────────────┘
               │  PostgreSQL wire protocol           │  HTTPS
               │  (TLS encrypted)                    │
               ▼                                     ▼
┌──────────────────────────────┐    ┌────────────────────────────┐
│  Supabase  ·  AWS eu-west-1  │    │  Supabase Edge Functions   │
│                              │    │  Deno runtime  ·  eu-west-1│
│  ┌─────────────────────────┐ │    │                            │
│  │ PostgreSQL + pgVector   │ │    │  analyse-submission         │
│  │ RLS on all tables       │ │    │  LangGraph orchestration:  │
│  └─────────────────────────┘ │    │  · Fire strategy agent     │
│  ┌─────────────────────────┐ │    │  · Structural agent        │
│  │ Supabase Auth           │ │    │  · Competence checker      │
│  │ Magic link / JWT        │ │    │  · Change control agent    │
│  └─────────────────────────┘ │    │  · Cross-reference agent   │
│  ┌─────────────────────────┐ │    └──────────────┬─────────────┘
│  │ Supabase Storage        │ │                   │  HTTPS
│  │ (PDF files — planned)   │ │                   ▼
│  └─────────────────────────┘ │    ┌────────────────────────────┐
└──────────────────────────────┘    │  OpenRouter  ·  US         │
                                    │  Model routing layer       │
                                    │  No customer data retained │
                                    └──────────────┬─────────────┘
                                                   │  HTTPS
                                                   ▼
                                    ┌────────────────────────────┐
                                    │  Anthropic Claude Sonnet   │
                                    │  US API                    │
                                    │  No training on submitted  │
                                    │  data (API terms)          │
                                    └────────────────────────────┘

Technology Stack

Layer Technology Purpose
Frontend Next.js 16, React 19, TypeScript App Router, server components, streaming UI
Styling Tailwind CSS v4, shadcn/ui Design system and component primitives
Backend Next.js API Routes (serverless) REST endpoints for extract, analyse, submissions
Database Supabase PostgreSQL All application data, RLS-enforced
Vector search Supabase pgVector (IVFFlat index) Cross-reference similarity search across documents
Authentication Supabase Auth Magic link OTP, JWT sessions
File storage Supabase Storage PDF storage (planned)
Analysis runtime Supabase Edge Functions (Deno) Long-running analysis jobs (no Vercel timeout)
AI orchestration LangGraph StateGraph Parallel multi-agent coordination
AI model Anthropic Claude Sonnet (via OpenRouter) Document analysis against criteria ontology
PDF extraction pdfjs-dist, unpdf Server-side PDF text extraction
ZIP handling jszip Multi-document package extraction
Embeddings OpenAI text-embedding-3-small Chunk embeddings for pgVector cross-reference
Deployment Vercel Edge network, serverless functions, CI/CD
Payments Stripe Subscription billing (PCI-DSS Level 1)
Email Resend Magic links, notifications, team invites
Optional: Microsoft 365 Microsoft Graph API SharePoint / OneDrive document import

Analysis Pipeline

The analysis pipeline runs as a background job in a Supabase Edge Function, decoupled from the web-facing request path. Progress is streamed to the UI via polling.

Step 1 — Document ingestion
The customer uploads a PDF or ZIP archive via the Gatewaychecker web UI. Text is extracted server-side using pdfjs-dist and unpdf. For ZIP archives, each PDF is classified by document type (fire strategy, structural strategy, competence declaration, change control) using a Claude classification call. Extracted text is stored in the documents table in Supabase, scoped to the submitting organisation.

Step 2 — Embedding generation
Extracted text from each document is chunked into 400-word overlapping segments. Each chunk is embedded using OpenAI's text-embedding-3-small model (1536 dimensions) and stored in the document_chunks table with a pgVector column. An IVFFlat index enables sub-100ms similarity queries for the cross-reference stage.

Step 3 — Agent orchestration
A LangGraph StateGraph is initialised with all document contexts as shared state. Four specialist analysis agents are dispatched in parallel.

Step 4 — Parallel analysis (4 agents)
All four agents run concurrently against their respective document types:

Agent Criteria count Criteria range
Fire strategy agent 33 criteria F-001 to F-033
Structural strategy agent 25 criteria S-001 to S-025
Competence declaration checker 10 criteria C-001 to C-010
Change control analyser 7 criteria CC-001 to CC-007

Each agent calls Claude Sonnet per criterion and returns a structured JSON finding: { status, evidence_text, confidence, remediation, source_reference, severity }. Findings are written incrementally to the findings table as each agent completes.

Step 5 — Cross-reference analysis
After all four parallel agents complete, a cross-reference agent runs serially. It performs 9 consistency checks (CR-001 to CR-009) across document boundaries — for example: verifying that fire strategy assumptions are present in the structural strategy, that duty holder names are consistent across all documents, and that change control decisions are propagated into current document revisions. The cross-reference agent uses pgVector similarity search to retrieve relevant chunks from each document for comparison.

Step 6 — Aggregation and scoring
All findings are aggregated. A weighted risk score is calculated:

Severity Weight
Critical ×20 per failing criterion
Major ×8 per failing criterion
Minor ×3 per failing criterion

The score is normalised to 0–100. A RAG rating is assigned: red (< 40), amber (40–69), green (≥ 70). The submissions record is updated with the final score, rating, and status: completed. The UI polling loop detects completion and renders the full findings.

Data Storage

Data type Table / location Encryption Retention
User accounts Supabase Auth AES-256 (AWS KMS) Account lifetime
Organisation data organisations, organisation_members AES-256 (AWS KMS) Account lifetime
Projects projects AES-256 (AWS KMS) Account lifetime
Submissions and scores submissions AES-256 (AWS KMS) Account lifetime
Extracted document text documents AES-256 (AWS KMS) Account lifetime
Document embeddings document_chunks AES-256 (AWS KMS) Account lifetime
AI findings findings AES-256 (AWS KMS) Account lifetime
Human override notes correction_log AES-256 (AWS KMS) Account lifetime
Usage and audit events usage_events AES-256 (AWS KMS) 24 months
API keys api_keys (bcrypt hash) bcrypt + AES-256 Until revoked
OAuth tokens (Microsoft) microsoft_connections AES-256-GCM (app layer) + AES-256 (AWS KMS) Until disconnected
Raw PDF files Supabase Storage (planned) AES-256 (AWS KMS) Account lifetime

Third-Party Services

See the Sub-processors page for a complete list of third-party services, the data they process, their locations, and their compliance certifications.

Availability

Gatewaychecker is hosted on Vercel (global CDN) and Supabase (AWS eu-west-1). Target availability for the application tier is 99.9% uptime per calendar month.

Component SLA
Vercel application hosting 99.99% (Vercel SLA)
Supabase database 99.9% (Supabase Pro SLA)
Supabase Edge Functions 99.9% (Supabase Pro SLA)
OpenRouter / Anthropic API Best-effort (third-party; monitored)

Planned maintenance windows are announced via the status page with at least 48 hours notice.

Contact

Security: security@gatewaychecker.co.uk
Architecture questions: hello@gatewaychecker.co.uk

Questions about this document?

Contact security@gatewaychecker.co.uk