Governance

Infrastructure & Operations

Fully Cloud-Hosted

IT Infrastructure Overview

Nuvion Engineering operates a fully cloud-hosted infrastructure with no on-premises hardware. All compute, storage, and networking components are managed via third-party PaaS and IaaS providers.

  • Cloud Providers: 5+
  • Backend Services: 6
  • Data Stores: 4
  • Environments: 2

The stack is split across two environments — Staging and Production — with strict branch-based promotion between them.

End-to-End Request Flow

Infrastructure Diagram

Client → Cloudflare → AWS EC2 → Heroku PaaS (Application Layer) → Data Layer

Data Layer

  • MongoDB Atlas: per-service DB
  • TigerBeetle: ledgers, wallets
  • Redis Cloud: queues via BullMQ
  • ClickHouse: OLAP, analytics

System Boundaries

The system is composed of four logical layers, each with a distinct trust level

  • All inbound traffic originates here
  • Cloudflare sits at this boundary: enforces latest TLS, blocks malicious traffic via WAF rules
  • Provides DDoS protection before traffic reaches our infrastructure

Services

Each service is fully self-contained with no shared databases or Redis instances

Core Service

Orchestrator for the platform. Handles onboarding, identity, and coordinates cross-service flows.

Acquiring Service

Processes inbound payments: card charges, Apple Pay, MoMo, M-Pesa, and other payment methods.

Payout Service

Manages outbound transfers and payouts to end users or providers.

Account Issuing Service

Issues and manages virtual bank accounts for customers.

Card Issuing Service

Issues and manages virtual cards for customers.

Blockchain Service

Manages all stablecoin and on-chain activities.

Each service is fully self-contained. No shared databases. No shared Redis instances.

Tech Stack

Runtime / Compute

Heroku

PaaS hosting for all backend services. Connected to GitHub. Deployments triggered by branch merges.

AWS EC2

Reverse proxy layer providing dedicated static IPs.

Deployment Model

Branch-controlled deployment via GitHub + Heroku

  • Staging: dev branch. Merges into dev result in automatic deployment to the Staging environment.
  • Production: production branch (protected). Merges into production result in automatic deployment to the Production environment.

Key Deployment Rules

  • The production branch is protected. Direct pushes are not permitted.
  • All deployments are traceable to a GitHub commit and pull request.
  • Conventional commits are enforced across all repositories.

Conventional Commits

Standardized commit message format enforced across all repositories

Related Documents

  • security.md: Logical security, access management, PII/data handling, VAPT
  • sdlc.md: Secure development lifecycle, DevOps pipeline, change management
  • operations.md: Incident management, backup/DR, remote working, software licensing