Architecture & Data Flow
Understand how ComplyWise ingests cloud telemetry, evaluates controls, and surfaces compliance insights in real time.
High-Level Architecture
ComplyWise uses a modern, cloud-native serverless architecture designed for scalability and resilience. The platform consists of four layers: a secure API layer for request handling and authentication, an asynchronous Compliance Engine for parallel processing, an encrypted data layer for durability and fast queries, and a globally distributed web application. Requests are authenticated and routed to the appropriate service. Long-running scan jobs run in parallel across your connected integrations.
- Stateless, auto-scaling API layer for secure request handling
- Async scan workers for parallel cloud integration polling
- Multi-AZ relational database for durability and low-latency queries
- Object storage for evidence artifacts, scan archives, and generated reports
- Global CDN for edge distribution of the web application
Data Ingestion Pipeline
When a compliance scan is initiated, ComplyWise dispatches integration-specific scanner modules. Each module authenticates to the target platform (AWS, Azure, Okta, GitHub, etc.) using stored credentials, which are held in encrypted form. Scanners pull configuration data, access policies, and resource inventories, then normalize the findings into a unified internal schema. The normalized data is persisted and linked to the originating scan job.
- OAuth 2.0, API keys, and assume-role credentials supported per integration
- Credentials encrypted at rest using cloud-managed keys with per-tenant key scopes
- Retry logic with exponential backoff for transient API failures
- Rate limiting to respect third-party API quotas
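The ingestion behaviour described above, as an added example that is not ComplyWise's own scanner code: a single integration scanner that pulls records from a simulated cloud API, retries transient failures with exponential backoff and jitter, spaces its calls to respect a per-integration rate limit, and normalizes the raw records into a unified finding schema linked to the scan job. The API client, its record format ("id", "acl") and the sample records are constructed for the example; the clock, sleep and random sources are injectable so the retry schedule can be observed without real waiting.

```python
"""Added example (not ComplyWise's own code): one scanner-module run with
backoff, rate limiting and normalization. API, records and field names are
constructed placeholders."""
import random
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


class TransientError(Exception):
    """Retryable failure: HTTP 429/5xx, timeout, connection reset."""


@dataclass(frozen=True)
class Finding:
    scan_id: str
    integration: str
    resource_id: str
    check: str       # normalized check name shared by every integration
    status: str      # "pass" | "fail"
    detail: str      # human-readable evidence snippet


class RateLimiter:
    """Enforces a minimum spacing between calls to one third-party API."""

    def __init__(self, calls_per_second: float,
                 clock: Callable[[], float] = time.monotonic,
                 sleep: Callable[[float], None] = time.sleep):
        self.interval = 1.0 / calls_per_second
        self.clock, self.sleep = clock, sleep
        self.next_allowed = clock()

    def wait(self) -> None:
        now = self.clock()
        if now < self.next_allowed:
            self.sleep(self.next_allowed - now)
            now = self.next_allowed
        self.next_allowed = now + self.interval


def call_with_retry(fn: Callable[[], object], attempts: int = 5,
                    base_delay: float = 0.5, max_delay: float = 8.0,
                    sleep: Callable[[float], None] = time.sleep,
                    rng: Callable[[], float] = random.random) -> Tuple[object, List[float]]:
    """Call fn(); on TransientError sleep base_delay * 2**attempt (capped at
    max_delay, scaled by a jitter factor from rng) and try again.
    Returns (result, delays_slept) so callers can inspect the schedule."""
    delays: List[float] = []
    for attempt in range(attempts):
        try:
            return fn(), delays
        except TransientError:
            if attempt == attempts - 1:
                raise                      # retries exhausted: surface the error
            delay = min(max_delay, base_delay * 2 ** attempt) * rng()
            delays.append(delay)
            sleep(delay)
    raise AssertionError("unreachable")


def normalize(scan_id: str, integration: str, raw_records: List[Dict]) -> List[Finding]:
    """Map integration-specific records onto the unified schema. The raw field
    names ("id", "acl") stand in for a real bucket listing."""
    findings = []
    for rec in raw_records:
        public = rec.get("acl") == "public-read"
        findings.append(Finding(scan_id, integration, rec["id"], "storage.public_access",
                                "fail" if public else "pass",
                                f"acl={rec.get('acl', 'none')}"))
    return findings


# Constructed sample API payload: two storage buckets, one world-readable.
SAMPLE_RECORDS = [{"id": "bucket-a", "acl": "public-read"},
                  {"id": "bucket-b", "acl": "private"}]


def make_flaky_api(failures_before_success: int, records: List[Dict]) -> Callable[[], List[Dict]]:
    """Simulated API client that fails N times with a 503, then succeeds."""
    calls = {"n": 0}

    def fetch() -> List[Dict]:
        calls["n"] += 1
        if calls["n"] <= failures_before_success:
            raise TransientError("HTTP 503 Service Unavailable")
        return records
    return fetch


def run_scan(scan_id: str, integration: str, fetch: Callable[[], List[Dict]],
             limiter: RateLimiter, sleep=time.sleep, rng=random.random) -> Tuple[List[Finding], List[float]]:
    """One scanner-module run: respect the rate limit, fetch with retries,
    normalize, and hand back findings linked to the originating scan job."""
    limiter.wait()
    raw, delays = call_with_retry(fetch, sleep=sleep, rng=rng)
    return normalize(scan_id, integration, raw), delays


if __name__ == "__main__":
    slept: List[float] = []
    findings, delays = run_scan("scan-42", "aws", make_flaky_api(2, SAMPLE_RECORDS),
                                RateLimiter(10, sleep=slept.append),
                                sleep=slept.append, rng=lambda: 1.0)
    print("backoff schedule:", delays)
    for f in findings:
        print(f)
```

Two design points worth noting: the jitter factor keeps many scanners that fail at the same moment from retrying in lock-step, and the rate limiter is per integration, so one slow or throttled provider does not block the others that run in parallel.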
Compliance Engine
The Compliance Engine is the core evaluation layer. Once raw scan data is ingested, the engine maps each finding to one or more controls across your active compliance frameworks using the Unified Control Framework (UCF). Controls are evaluated as passed, failed, or not-applicable based on customizable evaluation rules. The engine generates per-control evidence artifacts and stores them in S3, then updates the compliance scores in real time.
- UCF cross-maps controls across SOC 2, ISO 27001, HIPAA, CMMC, NIST CSF, PCI DSS, and HITRUST
- Evidence artifacts auto-generated and stored as immutable records
- Control evaluation rules are configurable per framework and per tenant
- Real-time score recalculation after every completed scan
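The evaluation flow described above, as an added example that is not ComplyWise's own engine: normalized findings are mapped to internal UCF-style controls through a cross-map, each control is evaluated as passed, failed or not-applicable by a rule that a tenant can override, a per-control evidence artifact is produced as deterministic JSON identified by its SHA-256 digest (so any later change to the record is detectable), and per-framework scores are recomputed. The control identifiers, cross-map entries, rules and findings are constructed placeholders, not real framework control numbers.

```python
"""Added example (not ComplyWise's own engine): findings -> controls ->
results -> evidence -> scores. All identifiers below are placeholders."""
import hashlib
import json
from dataclasses import asdict, dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Finding:
    resource_id: str
    check: str      # normalized check name produced by the ingestion pipeline
    status: str     # "pass" | "fail"


# Placeholder cross-map: internal UCF control -> per-framework control id.
UCF_CROSSMAP: Dict[str, Dict[str, str]] = {
    "UCF-STORAGE-PUBLIC": {"SOC2": "SOC2-CTRL-A", "ISO27001": "ISO-CTRL-A", "PCIDSS": "PCI-CTRL-A"},
    "UCF-MFA-ENFORCED":   {"SOC2": "SOC2-CTRL-B", "ISO27001": "ISO-CTRL-B"},
    "UCF-ENCRYPT-REST":   {"SOC2": "SOC2-CTRL-C", "PCIDSS": "PCI-CTRL-B"},
}
# Which normalized checks provide evidence for which UCF control.
CHECK_TO_UCF = {
    "storage.public_access": "UCF-STORAGE-PUBLIC",
    "identity.mfa": "UCF-MFA-ENFORCED",
    "storage.encryption_at_rest": "UCF-ENCRYPT-REST",
}

Rule = Callable[[List[Finding]], str]


def all_must_pass(findings: List[Finding]) -> str:
    """Default rule: any failing finding fails the control; no findings at all
    means the control does not apply to this tenant (e.g. no such resources)."""
    if not findings:
        return "not-applicable"
    return "failed" if any(f.status == "fail" for f in findings) else "passed"


def make_threshold_rule(max_fail_ratio: float) -> Rule:
    """Tenant-specific rule: tolerate up to max_fail_ratio of failing resources."""
    def rule(findings: List[Finding]) -> str:
        if not findings:
            return "not-applicable"
        ratio = sum(f.status == "fail" for f in findings) / len(findings)
        return "passed" if ratio <= max_fail_ratio else "failed"
    return rule


def evaluate(findings: List[Finding],
             rules: Optional[Dict[str, Rule]] = None) -> Dict[str, Tuple[str, List[Finding]]]:
    """Group findings by UCF control and apply the tenant's rule for it.
    Returns {ucf_control: (result, supporting_findings)}."""
    rules = rules or {}
    grouped: Dict[str, List[Finding]] = {ucf: [] for ucf in UCF_CROSSMAP}
    for f in findings:
        ucf = CHECK_TO_UCF.get(f.check)
        if ucf is not None:          # checks with no control mapping carry no weight
            grouped[ucf].append(f)
    return {ucf: (rules.get(ucf, all_must_pass)(fs), fs) for ucf, fs in grouped.items()}


def evidence_artifact(scan_id: str, ucf: str, result: str,
                      findings: List[Finding]) -> Tuple[bytes, str]:
    """Serialize one control's evaluation deterministically; return
    (json_bytes, sha256_hex). Keying the stored object by its digest makes
    the record tamper-evident: any edit changes the digest."""
    body = {"scan_id": scan_id, "control": ucf, "result": result,
            "mapped_to": UCF_CROSSMAP[ucf], "findings": [asdict(f) for f in findings]}
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return data, hashlib.sha256(data).hexdigest()


def framework_scores(results: Dict[str, Tuple[str, List[Finding]]]) -> Dict[str, Optional[float]]:
    """Percentage of applicable controls passed, per framework (None if no
    control of that framework was applicable)."""
    passed: Dict[str, int] = {}
    applicable: Dict[str, int] = {}
    for ucf, (result, _) in results.items():
        for fw in UCF_CROSSMAP[ucf]:
            passed.setdefault(fw, 0)
            applicable.setdefault(fw, 0)
            if result == "not-applicable":
                continue
            applicable[fw] += 1
            passed[fw] += int(result == "passed")
    return {fw: (round(100 * passed[fw] / applicable[fw], 1) if applicable[fw] else None)
            for fw in applicable}


# Constructed findings: one public bucket, MFA on for every user, no encryption data.
SAMPLE_FINDINGS = [
    Finding("bucket-a", "storage.public_access", "fail"),
    Finding("bucket-b", "storage.public_access", "pass"),
    Finding("user-1", "identity.mfa", "pass"),
    Finding("user-2", "identity.mfa", "pass"),
]

if __name__ == "__main__":
    results = evaluate(SAMPLE_FINDINGS)
    for ucf, (result, fs) in results.items():
        _, digest = evidence_artifact("scan-42", ucf, result, fs)
        print(f"{ucf}: {result} evidence=sha256:{digest[:12]}...")
    print(framework_scores(results))
```

With the default rule the public bucket fails the storage control, which drags every framework it cross-maps to; swapping in `make_threshold_rule(0.5)` for that one control is the kind of per-tenant override the page describes, and it changes the scores without touching the findings or the evidence schema.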
Data Storage & Retention
All compliance data is stored in a multi-tenant relational database with row-level security. Tenant isolation is enforced at the query layer — every database operation is scoped to the authenticated user's organization. Evidence artifacts, scan archives, and generated report files are stored with server-side encryption. Data retention policies are configurable per tenant.
- Row-level tenant isolation on all database tables
- Automated database backups with extended retention
- Lifecycle policies for cost-efficient long-term storage
- Encryption at rest and in transit using industry-standard algorithms
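The query-layer tenant scoping described above, as an added example that is not ComplyWise's own data layer: a repository over an in-memory SQLite database in which every statement binds `tenant_id` from the authenticated context rather than from request input, so a caller cannot read or write another organization's rows even by guessing a primary key, and writes are additionally gated by role. The table layout, role names and sample rows are constructed for the example.

```python
"""Added example (not ComplyWise's own code): a tenant-scoped repository.
Schema, roles and rows are constructed placeholders."""
import sqlite3
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class AuthContext:
    """What the API layer establishes from a validated token."""
    user_id: str
    tenant_id: str
    role: str   # "admin" | "auditor" | "user"


SCHEMA = """
CREATE TABLE control_results (
    id           INTEGER PRIMARY KEY,
    tenant_id    TEXT NOT NULL,
    control_id   TEXT NOT NULL,
    result       TEXT NOT NULL CHECK (result IN ('passed', 'failed', 'not-applicable')),
    evidence_key TEXT
);
CREATE INDEX ix_control_results_tenant ON control_results (tenant_id);
"""

# Constructed rows for two tenants (SQLite assigns ids 1..3 in this order).
SAMPLE_ROWS = [
    ("org-a", "UCF-1", "passed", "evidence/org-a/scan-1/ucf-1.json"),
    ("org-a", "UCF-2", "failed", "evidence/org-a/scan-1/ucf-2.json"),
    ("org-b", "UCF-1", "failed", "evidence/org-b/scan-7/ucf-1.json"),
]

WRITE_ROLES = {"admin"}


def write_allowed(ctx: AuthContext) -> bool:
    """Auditors and standard users get read-only access to stored results."""
    return ctx.role in WRITE_ROLES


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO control_results (tenant_id, control_id, result, evidence_key) "
        "VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


class TenantScopedRepo:
    """The only query path to control_results: every method takes the
    AuthContext and uses ctx.tenant_id in its WHERE clause or INSERT."""

    COLUMNS = ("id", "control_id", "result", "evidence_key")

    def __init__(self, conn: sqlite3.Connection):
        self.conn = conn

    def list_results(self, ctx: AuthContext) -> List[Dict]:
        cur = self.conn.execute(
            "SELECT id, control_id, result, evidence_key FROM control_results "
            "WHERE tenant_id = ? ORDER BY id", (ctx.tenant_id,))
        return [dict(zip(self.COLUMNS, row)) for row in cur.fetchall()]

    def get_result(self, ctx: AuthContext, row_id: int) -> Optional[Dict]:
        # A direct lookup by primary key is still scoped: another tenant's id
        # yields None rather than their record.
        cur = self.conn.execute(
            "SELECT id, control_id, result, evidence_key FROM control_results "
            "WHERE id = ? AND tenant_id = ?", (row_id, ctx.tenant_id))
        row = cur.fetchone()
        return None if row is None else dict(zip(self.COLUMNS, row))

    def record_result(self, ctx: AuthContext, control_id: str, result: str,
                      evidence_key: Optional[str]) -> int:
        """Insert a result for the caller's own tenant; returns the new row id."""
        if not write_allowed(ctx):
            raise PermissionError(f"role {ctx.role!r} may not write results")
        cur = self.conn.execute(
            "INSERT INTO control_results (tenant_id, control_id, result, evidence_key) "
            "VALUES (?, ?, ?, ?)", (ctx.tenant_id, control_id, result, evidence_key))
        self.conn.commit()
        return cur.lastrowid


if __name__ == "__main__":
    repo = TenantScopedRepo(open_db())
    admin_a = AuthContext("u-1", "org-a", "admin")
    auditor_b = AuthContext("u-2", "org-b", "auditor")
    print("org-a sees:", [r["control_id"] for r in repo.list_results(admin_a)])
    print("org-a asking for org-b's row 3:", repo.get_result(admin_a, 3))
    print("org-b's own row 3:", repo.get_result(auditor_b, 3))
```

The property to check in a review of such a layer is that no method accepts a tenant identifier from the caller and no method issues a query without the `tenant_id` predicate; a lookup by primary key that omits it is the classic way row-level isolation is lost.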
Presentation Layer
The ComplyWise dashboard is a modern single-page application distributed via a global CDN. It communicates exclusively with the backend API via HTTPS. The SPA handles authentication, framework browsing, control drill-downs, evidence viewing, report generation, and administrative functions. Real-time updates are driven by polling on active scan jobs.
- Statically deployed and distributed via global CDN
- Token-based authentication with automatic refresh
- Responsive design supporting desktop, tablet, and mobile viewports
- Role-based UI rendering — admin, auditor, and standard user views