AI-SPM Architecture Deep Dive

Indexable mirror of the procurement PDF.

Long-form architecture write-up for evaluators who do not want to fill in a form to download a PDF. The same content the procurement bundle ships, rendered as HTML so it stays in the public corpus and search index.

Control plane

The Penaxtra control plane is a hosted multi-tenant application that owns the durable state: AI asset inventory, scan history, findings, audit log, signed rule-blob versions, billing, and authentication. It runs in the European Union (Germany region) and is shielded by an HTTP layer with HMAC-signed internal calls between web and worker tiers.

The control plane never directly talks to a customer LLM endpoint or proxies prompts. Its role is governance: it stores what the runtime gateway and the scan workers report, computes risk scores, maps findings to controls, and produces audit evidence.

Self-hosted runtime gateway

The runtime gateway is a Go forward-proxy agent that the customer installs inside their own network, in their own VPC. The agent receives the same Ed25519-signed rule blob that the control plane publishes; if the blob fails signature verification the agent refuses to load it.

The agent does multi-layer URL inspection, response normalisation, and DLP-pattern enforcement. Block decisions carry a stable block-reason taxonomy (around forty codes today) so SIEM rules stay portable across rule-blob versions.

Data flow

  1. An agent makes a call to a foundation-model provider through the gateway.
  2. The gateway inspects the URL, method, headers, and body, and applies the current signed rule blob.
  3. The decision is allow or block: allow forwards the request upstream; block returns a typed error.
  4. Either way, a redacted event is emitted to the control plane: timestamp, asset, decision, reason code, signed-blob version.
  5. Prompt content does not leave the customer network. Only the decision and redacted metadata flow upstream.
  6. The control plane updates the audit log and may trigger an adversarial scan run if the event matches a configured trigger.

Trust boundaries

  • Customer trust boundary: the customer VPC. Holds the runtime gateway, the prompt body, the response body, and the agent runtime. Penaxtra cannot see prompt content from this side.
  • Vendor trust boundary: the Penaxtra control plane. Holds the asset inventory, the redacted finding records, and the signed rule-blob distribution. The control plane never holds raw prompt or response content.
  • Wire: only redacted decisions, control-plane-bound API requests, and signed rule-blob fetches cross the wire. The outbound channel is bound to a documented endpoint over TLS 1.3.

Evidence loop

Every gateway decision and every scan finding ships to the append-only audit log. The same record drives the compliance evidence pack: a single finding maps to one or more control IDs across six frameworks, with twenty-two pre-computed cross-framework overlap pairs so one finding feeds the audit evidence pack for every framework the customer is held to.

Tenant isolation

  • Database-layer enforcement via row-level access policies. The tenant context is reset on every connection-pool checkout.
  • Five distinct database roles by purpose (web DML, scan-worker DML, migration DDL, read-only analytics, backup-only) so a leaked credential cannot exceed its scope.
  • Per-tenant rule-blob distribution. A tenant only ever sees its own signed blob version.
  • Per-tenant audit log retention from one day to ten years, configurable from the workspace settings.

Failure modes

  • Control plane unreachable: the runtime gateway continues to serve from its last signed rule blob. Decisions buffer locally; the buffer flushes when connectivity returns.
  • Rule-blob signature mismatch: the gateway refuses to load the new blob and continues with the previously verified blob. An alert ships to the customer-declared on-call channel.
  • Judge provider rate limit: scan runs fall back to a documented degraded mode (two-judge consensus, low-confidence threshold raised). Findings emitted in this mode carry a degraded-mode flag.
  • Database failover: the control plane uses synchronous replication within the region; failover preserves the audit log boundary.
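The verify-before-load rule described for the gateway above, together with the signature-mismatch failure mode, as an added Go example that is not Penaxtra's code: the envelope shape (`RuleBlob`), the version-binding in the signed message, and the monotonic-version check are assumptions of this example, not documented product behaviour; the page only states that an Ed25519 signature is verified and that a failed blob leaves the previously verified one in force.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"errors"
)

// RuleBlob is a hypothetical envelope; the signature covers version||payload so an old valid blob cannot be replayed as a newer version.
type RuleBlob struct {
	Version   uint64
	Payload   []byte
	Signature []byte
}

var (
	ErrBadSignature = errors.New("rule blob: signature verification failed")
	ErrNotNewer     = errors.New("rule blob: version not newer than active blob")
)

// signedMessage binds the version number to the payload bytes before signing/verifying.
func signedMessage(version uint64, payload []byte) []byte {
	var hdr [8]byte
	binary.BigEndian.PutUint64(hdr[:], version)
	return append(hdr[:], payload...)
}

// SignBlob models the control-plane side (assumed helper, used here to build sample blobs).
func SignBlob(priv ed25519.PrivateKey, version uint64, payload []byte) RuleBlob {
	sig := ed25519.Sign(priv, signedMessage(version, payload))
	return RuleBlob{Version: version, Payload: payload, Signature: sig}
}

// Gateway keeps only the last blob that passed verification (Active is nil until one does).
type Gateway struct {
	Pub    ed25519.PublicKey
	Active *RuleBlob
}

// LoadBlob verifies a freshly fetched blob; on any failure Active is left untouched, so enforcement continues from the last verified rule set.
func (g *Gateway) LoadBlob(b RuleBlob) error {
	if !ed25519.Verify(g.Pub, signedMessage(b.Version, b.Payload), b.Signature) {
		return ErrBadSignature
	}
	if g.Active != nil && b.Version <= g.Active.Version {
		return ErrNotNewer
	}
	g.Active = &b
	return nil
}
```

A caller should treat a non-nil error as the alerting condition the failure-modes list describes, rather than retrying the same blob.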

Deployment options

  • Standard (Starter and Growth tiers): self-hosted gateway, hosted control plane in the EU.
  • Enterprise: self-hosted gateway across Linux x86-64 and Windows x86-64, audit log retention up to ten years, custom subprocessor disclosure, named technical account contact. On-prem control plane is on the roadmap; not shipped today.
