Architecture & security
Modern stack, PostgreSQL schema isolation, TLS 1.3 and AES-256 encryption, 90-day accessible audit trail.
Technical stack
UpBoard builds on proven open-source components and architecture choices focused on sovereignty and traceability.
| Layer | Technologies |
|---|---|
| Frontend | Next.js 14 (App Router), React 18, TypeScript, TailwindCSS |
| Backend API | Python 3.12, FastAPI, async-first |
| Agent orchestration | LangGraph (StateGraph, native human-in-the-loop, checkpointing) |
| Databases | PostgreSQL 16 (multi-tenant), TimescaleDB (time series), Qdrant (vectors), Redis (cache) |
| Workflow scheduling | Temporal.io (recurring scans, alerts) |
| LLMs | Claude Sonnet 4 (reasoning), Claude Haiku (fast tasks), dynamic routing |
| Containerisation | Docker, Kubernetes |
| Hosting | Infomaniak Belgium (dedicated VPS) |
| Observability | OpenTelemetry, Prometheus metrics, structured logs |
Data isolation
Isolation between customers is enforced at several levels:
- PostgreSQL schema per tenant: each customer has an isolated PostgreSQL schema. No shared tables. A malformed query for one customer cannot reach another's data.
- Per-tenant encryption keys: sensitive data (Odoo API keys, connected credentials) is encrypted with a dedicated per-tenant key derived from a master key stored outside the application.
- Segmented network: agents run in isolated containers. No shared memory or cache between tenants.
- Per-tenant LLM memory: each agent's contextual memory is strictly scoped to one tenant. No global model learning from all customers.
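One way to derive a dedicated per-tenant key from a master key, shown as an added example that is not UpBoard's own code. It assumes HKDF-SHA256 (RFC 5869) as the derivation function, which the page does not specify; the function names, the `tenant-key` label and the `odoo-api-key` purpose string are hypothetical.

```python
import hashlib
import hmac
import struct

HASH_LEN = hashlib.sha256().digest_size  # 32 bytes, the size of an AES-256 key


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """HKDF (RFC 5869) extract-then-expand with HMAC-SHA256."""
    if not 0 < length <= 255 * HASH_LEN:
        raise ValueError("invalid output length")
    # Extract: an empty salt defaults to HASH_LEN zero bytes, as the RFC specifies.
    prk = hmac.new(salt or b"\x00" * HASH_LEN, ikm, hashlib.sha256).digest()
    okm, block = b"", b""
    # Expand: chain HMAC blocks until enough output has been produced.
    for counter in range(1, -(-length // HASH_LEN) + 1):
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
    return okm[:length]


def _context(*fields: str) -> bytes:
    """Length-prefix each field so ("ab", "c") and ("a", "bc") never collide."""
    out = b""
    for field in fields:
        raw = field.encode("utf-8")
        out += struct.pack(">H", len(raw)) + raw
    return out


def derive_tenant_key(master_key: bytes, tenant_id: str, purpose: str, version: int = 1) -> bytes:
    """Derive a 256-bit key bound to one tenant, one purpose and one key version."""
    if len(master_key) < 32:
        raise ValueError("master key must be at least 256 bits")
    if not tenant_id or not purpose:
        raise ValueError("tenant_id and purpose are required")
    info = _context("tenant-key", tenant_id, purpose, str(version))
    return hkdf_sha256(master_key, salt=b"", info=info, length=32)


if __name__ == "__main__":
    master = bytes(range(32))  # constructed sample; a real master key stays outside the app
    for tenant in ("tenant-a", "tenant-b"):
        print(tenant, derive_tenant_key(master, tenant, "odoo-api-key").hex())
```

Because the tenant identifier is part of the derivation context, a key derived for one tenant cannot decrypt another tenant's records, and incrementing `version` yields a fresh key for rotation without changing the master key.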
Encryption
- In transit: TLS 1.3 required on all channels (UpBoard ↔ Odoo, UpBoard ↔ browser, UpBoard ↔ LLM providers)
- At rest: AES-256 on all persistent data (PostgreSQL, backups, logs)
- Application secrets: stored in HashiCorp Vault, accessible only to services that need them
- Odoo API keys: encrypted at rest with the tenant key, never logged in clear text
Audit trail
All sensitive actions are logged:
- Logins and authentication (success and failure)
- Outbound Odoo requests (read/write)
- Agent-generated recommendations
- User validations and rejections
- Executed actions (email send, PO creation, min/max change…)
Logs are available for 90 days from the UpBoard UI, exportable as JSON or CSV. Beyond 90 days they are archived to cold storage for two years for potential investigation.
Penetration tests and certifications
- Regular pen-tests: an external penetration test is scheduled at the start of the Business phase (Q3 2026)
- SOC 2 Type II: process started, certification targeted for end 2027
- ISO 27001: planned after SOC 2
Until then we apply SOC 2-style controls by default: code reviews, separated environments (dev / staging / prod), least privilege, MFA mandatory for admin access, secret rotation.
Incident notification
If a security incident affects your data, you are notified by email within 24 hours of detection with:
- Nature of the incident
- Potentially affected data
- Remediation measures taken
- Recommended actions on your side
This notification is also a GDPR obligation for personal data breaches.