Technical Architecture

The Own360 Ecosystem.

Three layers. One runtime. Every data path governed. This document describes the technical architecture of the Own360 platform for engineering, security, and infrastructure teams.

01 — System Architecture

Three-layer architecture.

LAYER 03
OwnAgents
AI Agent Runtime
DealAgentHireAgentSpendAgentComplianceAgentSupportAgent
gRPC + Event Bus
mTLS · RBAC tokens · Audit events · Context injection
LAYER 02 — THE CORE
OwnCentral
Unified Control Plane
Identity OAuth 2.0 + PKCE
WebAuthn passkeys
SAML 2.0 SSO
RBAC Policy engine
Cascading perms
Agent scopes
Workflow DAG execution
Human-in-loop
Cross-app triggers
API Gateway Rate limiting
Auth enforcement
Request transform
Audit Immutable log
Event sourcing
Tamper detection
Observability Metrics + traces
Anomaly detection
Real-time dashboards
REST + GraphQL · Event streams · Auth tokens · Audit propagation
LAYER 01
OwnApps
19 Enterprise Modules
CRMERPHRMSITSMBIChat MeetWikiFinanceComplianceProjectsWorkflows HelpdeskVaultAuthMarketingSocialE-Sign Usage
PostgreSQL · Redis · S3-compatible storage
Key principle: No application communicates directly with another. All inter-module communication routes through OwnCentral. This ensures every data path is governed, audited, and observable.
02 — OwnCentral Internals

Control plane architecture.

Identity & Authentication

Multi-tenant identity provider with per-tenant branding. Supports federated SSO via SAML 2.0 and OIDC, plus native authentication with WebAuthn passkey support.

ProtocolOAuth 2.0 with PKCE
MFATOTP, WebAuthn, SMS OTP
SessionPer-device tracking, configurable TTL
TokenJWT with RS256, 15-min access, 7-day refresh
Agent authService tokens with scope-limited claims
Auth flow — Agent token request
POST /central/v1/auth/agent-token
Content-Type: application/json

{
  "agent_id": "deal-agent-01",
  "scopes": ["crm:read", "crm:write",
             "finance:read"],
  "context": {
    "workflow_id": "wf-pipeline-review",
    "initiated_by": "user:sarah@acme.com"
  },
  "ttl": 3600
}

// Response
{
  "token": "eyJhbG...",
  "scopes_granted": ["crm:read", "crm:write",
                      "finance:read"],
  "audit_id": "aud-7f3a9b2c",
  "expires_at": "2026-03-29T15:00:00Z"
}

Permission Model

Attribute-based access control (ABAC) layered on top of RBAC. Policies cascade from organization → department → team → user → agent. Agent permissions are a strict subset of the initiating user's permissions.

ModelRBAC + ABAC hybrid
CascadeOrg → Dept → Team → User → Agent
Evaluation<5ms p99, cached in Redis
Agent constraintCannot exceed initiator's permissions
Policy definition
// OwnCentral policy DSL
policy "deal-agent-crm-access" {
  subjects = ["agent:deal-agent-*"]
  resources = ["crm:deals", "crm:contacts",
               "finance:invoices"]
  actions = ["read", "update", "create"]
  conditions = {
    time_window = "business_hours"
    requires_human_approval = ["create"]
    max_records_per_hour = 500
  }
  audit_level = "full"
}

Workflow Engine

DAG-based workflow execution engine written in Rust. Supports 13 node types including human-in-the-loop approval, conditional branching, parallel execution, and cross-application triggers. Workflows are versioned, auditable, and resumable after failure.

Trigger
Action
HTTP
Router
Filter
Loop
Delay
Transform
Code
Error Handler
AI / LLM
Sub-Flow
Human Approval

Audit Log Architecture

Event-sourced, append-only log with cryptographic integrity verification. Every action by every user and every agent produces an immutable audit event. Hash-chain linking provides tamper detection equivalent to blockchain verification without the overhead.

StorageAppend-only, event-sourced
IntegritySHA-256 hash chain, tamper detection
RetentionConfigurable, default 7 years
Throughput>10K events/sec sustained
QueryFull-text + structured, <100ms p95
Audit event structure
{
  "event_id": "evt-9f2a7b3c",
  "timestamp": "2026-03-29T14:23:17Z",
  "actor": {
    "type": "agent",
    "id": "deal-agent-01",
    "initiated_by": "user:sarah@acme.com"
  },
  "action": "crm.deal.stage_advance",
  "resource": "deal:d-4521",
  "context": {
    "workflow_id": "wf-pipeline-review",
    "previous_stage": "qualification",
    "new_stage": "negotiation"
  },
  "hash": "a7f3...b92c",
  "prev_hash": "e1d4...f8a1"
}
03 — Data Flow

How data moves through the system.

User / Agent
API GatewayAuth · Rate limit · Transform · Log
OwnCentral RouterPermission check · Context injection · Audit event
CRM
ERP
HRMS
PostgreSQLPer-module schema isolation · Row-level security
Data isolation: Each OwnApps module operates in an isolated PostgreSQL schema. Cross-module queries are prohibited at the database level. All cross-module data access routes through OwnCentral's API layer with full permission evaluation and audit logging.

Event Bus Architecture

TransportRedis Streams (primary), NATS JetStream (optional)
PatternPublish-subscribe with consumer groups
OrderingPer-partition ordering guarantee
DeliveryAt-least-once with idempotency keys
RetentionConfigurable per stream, default 30 days
Throughput>50K events/sec per partition
04 — Agent Runtime

OwnAgents execution model.

OwnAgents is not an LLM wrapper. It is a governed execution runtime that orchestrates AI capabilities within the permission and audit boundaries defined by OwnCentral. Every agent action is: authorized before execution, logged during execution, and auditable after execution.

RuntimeSandboxed containers, ephemeral per-task
OrchestrationKubernetes-native, auto-scaling
LLMModel-agnostic (Anthropic, OpenAI, self-hosted)
ContextOwnCentral injects org context at runtime
GuardrailsOutput validation, action approval gates
RollbackEvery agent action is reversible via audit log
1
Trigger

Event, schedule, or user request initiates agent task

2
Authorize

OwnCentral evaluates permissions, issues scoped token

3
Context

Org context injected — relevant data from connected modules

4
Execute

Agent reasons, plans actions, requests approval if required

5
Act

Approved actions execute against target modules via API gateway

6
Audit

Every action logged with full context chain — who, what, why, when

05 — Integration Architecture

APIs, webhooks, and extension points.

REST API

Every OwnApps module exposes a versioned REST API. OpenAPI 3.1 specs auto-generated. All requests route through OwnCentral for auth and audit.

JSONVersioned (v1, v2)Paginated

GraphQL

Unified GraphQL endpoint for cross-module queries. Schema stitching across OwnApps modules. Field-level permission enforcement.

Schema stitchingField-level RBACBatched

Webhooks

Configurable outbound webhooks for every event type. Exponential backoff retry. HMAC-SHA256 signature verification on every payload.

HMAC signedRetry w/ backoffFilterable

Event Streams

Real-time event subscription via SSE or WebSocket. Consumer groups for distributed processing. Exactly-once semantics with idempotency.

SSE / WebSocketConsumer groupsAt-least-once

SDK

First-party SDKs for Node.js, Python, Go, and Java. Handles authentication, pagination, error handling, and type safety.

Node.jsPythonGoJava

Custom Modules

Build your own modules on the OwnCentral runtime. Full access to identity, permissions, workflow, and audit infrastructure. Deploy as containers.

Container-basedFull platform accessHot-deploy
06 — Security Architecture

Defense in depth.

Layer 1

Network

Private VPC deployment. No public endpoints except API gateway. mTLS between all internal services. Network policies enforce service-to-service communication rules.

Layer 2

Transport

TLS 1.3 for all external connections. mTLS for internal service mesh. Certificate rotation every 24 hours via internal CA. Perfect forward secrecy enforced.

Layer 3

Application

OWASP Top 10 hardened. Input validation at every boundary. SQL injection prevention via parameterized queries. XSS prevention via CSP headers. CSRF tokens on every mutation.

Layer 4

Data

AES-256-GCM encryption at rest. Argon2id key derivation. Per-tenant encryption keys. Row-level security in PostgreSQL. Encrypted backups with separate key hierarchy.

Layer 5

Identity

Zero-trust authentication. Every request re-evaluated. No implicit trust between services. Agent permissions are a strict subset of the initiating user. Session binding to device fingerprint.

Layer 6

Audit

Every action logged immutably. Hash-chain integrity. Tamper detection alerts. Real-time anomaly detection on access patterns. Compliance-ready exports for SOC 2, ISO 27001 (certifications in process).

07 — Deployment Architecture

Your infrastructure. Our software.

On-Premise

Bare metal or VMware. Kubernetes via k3s or upstream. Air-gapped deployment supported. No outbound internet required post-installation.

Compute16 vCPU, 64GB RAM minimum
Storage500GB SSD, expandable
OSUbuntu 22.04+, RHEL 9+

Private Cloud

Deploy in your own AWS, GCP, or Azure account. Terraform modules provided. We manage, you own the infrastructure and the data.

AWSEKS + RDS + ElastiCache
GCPGKE + Cloud SQL + Memorystore
AzureAKS + Azure DB + Redis Cache

Managed

Own360-managed deployment on dedicated infrastructure. 99.9% SLA. 24/7 monitoring. Automated backups, patching, and scaling. You own the licence, we run it.

SLA99.9% uptime
BackupsDaily, 30-day retention, encrypted
Support24/7 with 1-hour P1 response
08 — Technology Stack

What it's built with.

Backend Node.js (API services), Rust (workflow engine, performance-critical paths), Python (ML/AI pipelines)
Frontend React 18+ with TypeScript, Vite build, SSR where applicable
Database PostgreSQL 15+ (primary), per-module schema isolation, row-level security
Cache Redis 7+ (session, cache, event bus via Streams)
Search Elasticsearch / OpenSearch (full-text, audit log queries)
Storage S3-compatible (MinIO for on-prem, native S3/GCS/Azure Blob for cloud)
Orchestration Kubernetes (EKS, GKE, AKS, k3s), Helm charts, Terraform modules
Observability OpenTelemetry (traces + metrics), Prometheus, Grafana, custom dashboards
CI/CD GitHub Actions, Docker, Trivy (security scanning), automated rollbacks
AI/ML Model-agnostic runtime. Anthropic Claude, OpenAI, or self-hosted LLMs. vLLM for on-prem inference

Want the full technical deep-dive?

Architecture review. Live system walkthrough. Your infrastructure requirements discussed.

Schedule a technical session →