Architecture
Five planes. Fourteen services.
A cryptographic evidence pipeline engineered for regulated environments. Technical depth, not marketing overview.
The five planes
Veridra's backend is organized into five planes, each with a single responsibility. Services within a plane share infrastructure, on-call rotation, and release cadence.
- Ingest: SDK endpoints, capture, canonicalize (Rust · gRPC)
- Cryptographic: Sign, log, key management (Rust · Trillian)
- Control: Policy, framework mapping (Go · OPA)
- Evaluation: Drift, eval, incidents (Python · Kafka)
- Experience: API, evidence packs, dashboard (Go · WebSockets)
Data flow
1. SDK captures decision
2. sdk-gateway authenticates + rate-limits
3. canonicalizer produces RFC 8785 form
4. enricher joins policy + metadata
5. signer signs via customer KMS
6. log appends to Trillian tree
7. drift/eval/incident downstream fan-out
8. packs bundle into evidence artifact
Non-negotiables
- Append-only evidence — no update, no delete
- Deterministic canonicalization across SDKs
- Tenant isolation enforced architecturally
- Customer KMS holds every signing key
- Verifiable without trusting Veridra
Deep dives
- Architecture overview: The 14 services and how they compose.
- Transparency log: Merkle tree, Trillian, witnessing.
- Cryptographic signing: Ed25519, BYOK, HSM paths.
- Evidence pipeline: SDK → canonicalize → sign → log → pack.
- Multi-region: US, EU, UK, Africa. Data residency.
- Key management: AWS KMS, Azure, GCP, Vault.
- Data security: Tenant isolation at every layer.
Architecture whitepaper
18 pages · cryptographic foundations, regulatory alignment, deployment model.