Azure Reference Architecture · Production target

Enterprise architecture

The demo you're seeing runs on a rapid-build stack. For production, DSP deploys on Microsoft Azure — combining regulated-workload primitives with Azure OpenAI agents for compliance, valuation, and payout orchestration.

Frontend & Edge
  • ·Azure Front Door + WAF (POPIA/PCI-aligned)
  • ·Static Web Apps or Azure Container Apps for portals
  • ·Progressive investor + admin + partner experiences
Identity & Trust
  • ·Microsoft Entra External ID (B2C) for investors
  • ·Entra ID for internal / partner / regulator roles
  • ·Conditional Access + MFA + step-up on payouts
  • ·KYC/AML: Onfido or Refinitiv via Logic Apps
Data Platform
  • ·Azure Database for PostgreSQL (Flexible Server, HA)
  • ·Cap table + token ledger, ACID-safe RPCs
  • ·Azure Blob Storage (immutable) for docs, KYC evidence
  • ·Azure Data Lake + Fabric for analytics/BI
Compute & Services
  • ·Azure Kubernetes Service (AKS) for microservices
  • ·APIs: Onboarding · Ledger · Payouts · Reporting
  • ·Azure API Management gateway
  • ·Event Grid + Service Bus for async ledger events
AI Agents (Azure OpenAI)
  • ·KYC-Reviewer agent — flags high-risk applicants
  • ·Compliance agent — FICA/POPIA/FSCA rule checks
  • ·Valuation agent — periodic asset revaluation
  • ·Payout agent — reconciles P&L → distribution amounts
  • ·Investor-Insight agent — plain-language portfolio Q&A
Security & Ops
  • ·Azure Key Vault + Managed Identities
  • ·Microsoft Defender for Cloud + Sentinel
  • ·Purview for data governance & lineage
  • ·Immutable audit log (append-only Blob + hash chain)

Contribution → token issuance flow

Investor portal
Static Web App
Entra External ID
OAuth + MFA
APIM gateway
Rate-limit + JWT
Onboarding svc
AKS
KYC + Compliance agents
Azure OpenAI
Ledger RPC
PostgreSQL (atomic)
Event: TokensIssued
Event Grid

Prototype → Azure mapping

Prototype (today)Azure production target
Postgres (managed)Azure Database for PostgreSQL — Flexible Server, geo-redundant
Auth (email + Google)Microsoft Entra External ID (B2C) + Conditional Access
Atomic contribute_to_project RPCSame signature, hosted on Azure PG; wrapped in AKS ledger service
run_distribution RPCPayout agent (Azure OpenAI) + Durable Functions orchestration
Web app on managed edgeAzure Front Door + Static Web Apps / Container Apps
Roles table + has_role()Entra ID app roles + PG row-level security
Toast notificationsAzure Communication Services (email + SMS to investors)
Manual admin KYCOnfido/Refinitiv via Logic Apps + KYC-Reviewer agent

Regulatory posture (South Africa)

POPIA
Data residency in Azure South Africa North / West. Purview handles lineage and consent tracking.
FICA / AML
KYC-Reviewer agent + Refinitiv screening. Immutable audit trail on Blob with hash chain.
FSCA / SARB
SPV-ring-fenced structure. Structured for exemption or Category I / IV licensing depending on channel.