Enterprise-Grade Architecture

13 Laravel 11 microservices behind a Kong 3.9 API gateway, running on K3s Kubernetes. The same manifests that run the demo scale to a full HA cluster in any cloud or on-premise environment. No vendor lock-in. No managed services required.

Microservices: 13 (Laravel 11, per-service MySQL, independently deployable units)

Performance gain: TTFB from 170ms → 16ms after the optimisation cycle

JS bundle (gzip): was 260KB (Vue 3 + Vite + aggressive code splitting)

AI CronJobs: advisor, agents, health scores, drip campaigns, social, trash GC

K3s Kubernetes Deployment

The full neXmis stack runs as Kubernetes workloads. The diagram below reflects the actual production layout including NodePorts, Kong routing, and per-service databases.

    K3s Cluster (Local / Cloud)

      Kong API Gateway (NodePort :30080 HTTP / :30443 HTTPS)
      Routes: /api/v1/*, /auth/*, /ws/*, /webhook/*
          │
          ├── Auth Svc    :8001   Platform   :8002   IntraLock  :8006   Engage     :8007
          ├── Attain LMS  :8008   Conform    :8009   Captivate  :8010   Automate   :8011
          └── Register    :8012   Sociable   :8013   Reverb WS  :8080   neXsite WP :30092

      MySQL 8.0 (per-service databases)          Redis Cache + Session Store
        nexmis_platform, nexmis_intralock          Rate limiting, queue, pub/sub
        nexmis_attain, nexmis_conform, ...         Laravel Horizon workers

      cert-manager (Let's Encrypt) ─── nginx Ingress ─── HMAC Webhook Proxy

    External:
      Anthropic API ─┬─ OpenAI API ─┬─ Google Gemini ─┬─ Ollama (self-hosted)
                     └──────────────┴─────────────────┘  AiProviderService routes at runtime
      Stripe API ── Twilio ── Twitter OAuth ── Xero ── Google Calendar

Technology Stack

Core Framework

Laravel 11, Vue 3 + Vite, Tailwind CSS, PHP 8.3, Inertia.js

Infrastructure

Kong 3.9 Gateway, K3s / Kubernetes, nginx Ingress, cert-manager, Docker

Data & Messaging

MySQL 8.0, Redis, Laravel Reverb (WebSockets), Laravel Horizon (Queues), xAPI / TinCan

AI Engines

Anthropic Claude 3.5, OpenAI GPT-4, Google Gemini Pro, Ollama (self-hosted), AiProviderService

Security

TOTP 2FA, SAML 2.0 SSO, JWT Auth, HMAC Webhooks, AES-256 at rest, TLS 1.3 in transit

Payments & Integrations

Stripe SCA, PayPal, Xero, QuickBooks, Twilio, Twitter OAuth 1.0a, Google Calendar API, DocuSign

Security & Compliance Architecture

Security is layered at every level — from network ingress to database row. No single point of failure, no shared secrets.

Authentication

TOTP-based 2FA on all accounts. SAML 2.0 for enterprise SSO. JWT tokens with short expiry and refresh rotation. No passwords are stored in plaintext.

Authorisation

Role-based access control (RBAC) with per-module permission sets. Row-level scoping ensures users can only access their tenant's data.

Audit Trail

Immutable, cryptographically signed event log. Every data read, write, export, and login is recorded with user, IP, timestamp, and entity reference.
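The page states that the audit log is immutable and cryptographically signed but not how. The following is an added example, not neXmis code, of one standard way to get that property: each entry carries the SHA-256 of the previous entry and an HMAC-SHA256 over its own hash, so editing, deleting or reordering any entry breaks verification from that point on. The class and field names, the key, and the demo events are all constructed for this illustration.

```php
<?php
declare(strict_types=1);

// Added example (not neXmis code). Assumed design: hash-chained entries,
// each HMAC-signed with a key the application holds.
final class AuditChain
{
    private const GENESIS = '0000000000000000000000000000000000000000000000000000000000000000';

    /** @var array<int, array<string, mixed>> */
    private array $entries = [];

    public function __construct(private readonly string $signingKey) {}

    /** Append one event: user, source IP, action, entity reference, timestamp. */
    public function append(string $user, string $ip, string $action, string $entity, int $ts): array
    {
        $last  = $this->entries === [] ? null : $this->entries[array_key_last($this->entries)];
        $entry = [
            'user'   => $user,
            'ip'     => $ip,
            'action' => $action,
            'entity' => $entity,
            'ts'     => $ts,
            'prev'   => $last['hash'] ?? self::GENESIS,   // link to the previous entry
        ];
        $entry['hash'] = self::digest($entry);
        $entry['sig']  = hash_hmac('sha256', $entry['hash'], $this->signingKey);
        $this->entries[] = $entry;
        return $entry;
    }

    /** Returns the index of the first broken entry, or null if the log is intact. */
    public function verify(?array $entries = null): ?int
    {
        $entries ??= $this->entries;
        $prev = self::GENESIS;
        foreach (array_values($entries) as $i => $e) {
            $body = $e;
            unset($body['hash'], $body['sig']);
            if (($e['prev'] ?? null) !== $prev) {
                return $i;                                   // entry deleted or reordered
            }
            if (!hash_equals(self::digest($body), (string) ($e['hash'] ?? ''))) {
                return $i;                                   // a field was edited
            }
            if (!hash_equals(hash_hmac('sha256', $e['hash'], $this->signingKey), (string) ($e['sig'] ?? ''))) {
                return $i;                                   // signature forged or missing
            }
            $prev = $e['hash'];
        }
        return null;
    }

    /** Canonical encoding (sorted keys, no whitespace) so the hash is reproducible. */
    private static function digest(array $body): string
    {
        ksort($body);
        return hash('sha256', json_encode($body, JSON_THROW_ON_ERROR | JSON_UNESCAPED_SLASHES));
    }

    public function entries(): array { return $this->entries; }
}

// --- constructed demo data (documentation IP ranges, fake key) --------------
$log = new AuditChain('constructed-demo-key-keep-outside-the-app-db');
$log->append('alice', '203.0.113.10', 'login',  'user:42',     1_700_000_000);
$log->append('alice', '203.0.113.10', 'export', 'contacts:*',  1_700_000_030);
$log->append('bob',   '198.51.100.7', 'read',   'invoice:917', 1_700_000_090);

var_dump($log->verify());                 // NULL: intact

$tampered = $log->entries();
$tampered[1]['action'] = 'read';          // an "export" quietly downgraded to "read"
var_dump($log->verify($tampered));        // int(1): entry 1 no longer matches its hash

$pruned = $log->entries();
unset($pruned[1]);                        // the export event removed altogether
var_dump($log->verify($pruned));          // int(1): the next entry's prev link is broken
```

Two design points for a practitioner: the HMAC only proves the entry was signed by whoever holds the key, so the key should live outside the application database (a secrets manager or a separate signing service), and the newest hash should be anchored somewhere the application host cannot rewrite, such as periodic exports to write-once storage, so that a compromised host cannot simply re-sign a rewritten chain.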

Data Privacy

GDPR-by-design. Consent management, right-to-erasure workflows, and Article 30 ROPA records are generated automatically by the Conform module.

Transport Security

TLS 1.3 enforced on all endpoints. cert-manager handles Let's Encrypt certificate rotation automatically. HSTS headers on all responses.

Multi-Tenancy

Full tenant isolation at the database level. Each organisation's data lives in separate schema scopes. Cross-tenant queries are structurally impossible.

Webhooks

All outbound webhooks are HMAC-SHA256 signed. Receiving systems can verify authenticity without trusting the network path.
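The sentence above describes the sender and receiver contract: a shared secret, an HMAC-SHA256 over the payload, and verification that does not depend on trusting the network. The following is an added example, not neXmis code, showing both sides in plain PHP with no framework dependency. It assumes a design the page does not spell out: the timestamp is bound into the signed string so a captured delivery cannot be replayed later. The header names, secret and payload are constructed for the illustration.

```php
<?php
declare(strict_types=1);

// Added example (not neXmis code). Header names are assumptions; the signed
// string is "<unix timestamp>.<raw body>" so the receiver can reject replays.
const SIG_HEADER = 'X-Webhook-Signature';
const TS_HEADER  = 'X-Webhook-Timestamp';

/** Sender side: hex HMAC-SHA256 over timestamp + raw body. */
function signWebhook(string $secret, int $timestamp, string $rawBody): string
{
    return hash_hmac('sha256', $timestamp . '.' . $rawBody, $secret);
}

/** Sender side: headers to attach to the outbound HTTP request. */
function webhookHeaders(string $secret, int $timestamp, string $rawBody): array
{
    return [
        TS_HEADER  => (string) $timestamp,
        SIG_HEADER => signWebhook($secret, $timestamp, $rawBody),
    ];
}

/**
 * Receiver side. $rawBody must be the exact bytes received
 * (file_get_contents('php://input') in PHP), not a decoded-and-re-encoded
 * copy: re-serialising JSON changes whitespace and key order and breaks the MAC.
 * Header lookup here is exact-case; real frameworks normalise header names.
 */
function verifyWebhook(string $secret, array $headers, string $rawBody, int $now, int $toleranceSeconds = 300): bool
{
    $ts  = $headers[TS_HEADER]  ?? '';
    $sig = $headers[SIG_HEADER] ?? '';
    if ($ts === '' || !ctype_digit($ts) || $sig === '') {
        return false;                                // missing or malformed headers
    }
    if (abs($now - (int) $ts) > $toleranceSeconds) {
        return false;                                // stale or future-dated: treat as replay
    }
    $expected = signWebhook($secret, (int) $ts, $rawBody);
    // hash_equals() is constant-time; comparing with == leaks timing information.
    return hash_equals($expected, $sig);
}

// --- constructed demo data -------------------------------------------------
$secret  = 'constructed-demo-secret-rotate-me';      // per-endpoint secret shared out of band
$body    = '{"event":"contact.created","id":4711}';
$sentAt  = 1_700_000_000;
$headers = webhookHeaders($secret, $sentAt, $body);

var_dump(verifyWebhook($secret, $headers, $body, $sentAt + 5));                                  // bool(true):  genuine
var_dump(verifyWebhook($secret, $headers, '{"event":"contact.created","id":1}', $sentAt + 5));   // bool(false): body tampered
var_dump(verifyWebhook($secret, $headers, $body, $sentAt + 3600));                               // bool(false): replayed an hour later
var_dump(verifyWebhook('wrong-secret', $headers, $body, $sentAt + 5));                           // bool(false): wrong key
```

Receivers should also treat each delivery as idempotent (deduplicate on an event id) since a sender may legitimately retry inside the tolerance window, and the secret should be per endpoint so that rotating one customer's key does not affect others.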

Self-Hosted Option

Enterprise customers can deploy on their own infrastructure with no data leaving the organisation's network boundary. Air-gap deployment supported.

Multi-Tenancy Model

Schema-Level Isolation

Every tenant operates in its own MySQL schema namespace. The platform service enforces tenant context on every query via a global Eloquent scope. There is no shared table that could leak data between tenants.
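A global Eloquent scope is application-level enforcement, so the interesting parts are where the tenant id comes from and which writes are guarded. The following is an added example, not neXmis code, of one way to implement what the paragraph describes in Laravel 11: the class, trait and middleware names and the tenant_id column are assumptions.

```php
<?php
declare(strict_types=1);

// Added example (not neXmis code). Assumed names: TenantContext, TenantScope,
// BelongsToTenant, SetTenantContext and a tenant_id column on tenant-owned tables.
namespace App\Tenancy;

use Closure;
use Illuminate\Database\Eloquent\Builder;
use Illuminate\Database\Eloquent\Model;
use Illuminate\Database\Eloquent\Scope;
use Illuminate\Http\Request;
use RuntimeException;

/** Holds the tenant of the current request. Set once by middleware. */
final class TenantContext
{
    private static ?int $tenantId = null;

    public static function set(int $tenantId): void { self::$tenantId = $tenantId; }

    public static function id(): int
    {
        // Fail closed: a query with no tenant context must not silently return every row.
        return self::$tenantId ?? throw new RuntimeException('No tenant context set');
    }

    public static function clear(): void { self::$tenantId = null; }
}

/** Global scope: appends "WHERE <table>.tenant_id = ?" to every query on the model. */
final class TenantScope implements Scope
{
    public function apply(Builder $builder, Model $model): void
    {
        $builder->where($model->qualifyColumn('tenant_id'), TenantContext::id());
    }
}

/** Apply this trait to every tenant-owned model. */
trait BelongsToTenant
{
    protected static function bootBelongsToTenant(): void
    {
        static::addGlobalScope(new TenantScope());

        // Writes: stamp tenant_id from the context, never from request input,
        // so mass assignment cannot place a row under another tenant.
        static::creating(function (Model $model): void {
            $model->setAttribute('tenant_id', TenantContext::id());
        });

        // Refuse to move an existing row between tenants.
        static::updating(function (Model $model): void {
            if ($model->isDirty('tenant_id')) {
                throw new RuntimeException('tenant_id is immutable');
            }
        });
    }
}

/** Middleware: derive the tenant from the authenticated user, never from a header or query string. */
final class SetTenantContext
{
    public function handle(Request $request, Closure $next)
    {
        $user = $request->user();
        if ($user === null || $user->tenant_id === null) {
            abort(403, 'No tenant');
        }
        TenantContext::set((int) $user->tenant_id);
        try {
            return $next($request);
        } finally {
            TenantContext::clear();   // important for long-lived workers (Octane, Horizon)
        }
    }
}

// Example model using the trait:
//   class Contact extends Model { use BelongsToTenant; }
//   Contact::query()->get();   // SELECT * FROM contacts WHERE contacts.tenant_id = ?
```

The scope only covers Eloquent queries: `DB::table()`, raw SQL, and any call to `withoutGlobalScope(TenantScope::class)` bypass it, so those are the patterns to search for in code review. Queue jobs run outside the request, so a Horizon job must carry the tenant id in its payload and set the context itself before touching models.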

RBAC Within Tenants

Inside a tenant, users are assigned roles (Super Admin, Admin, Manager, Standard) with per-module permission sets. Roles are additive — you can build custom permission profiles without code changes.

AI Context Scoping

All AI requests — whether to Claude, GPT-4, or Ollama — are assembled with a tenant-specific context snapshot. The AI never sees data from another tenant's records.

Resource Quotas (Enterprise)

Enterprise deployments can have Kubernetes resource quotas applied per tenant namespace, ensuring one high-traffic tenant cannot starve another. CPU, memory, and storage limits are independently configurable.

Want to go deeper?

Book a technical architecture call with our engineering team. We’ll walk through the full stack, answer security questionnaires, and discuss your deployment requirements.