CDN & WAF
Global edge caching, DDoS protection, SSL termination
Client Apps
Web, Mobile, Desktop SDKs, Third-party integrations
Load Balancer
Multi-region routing, health checks, rate limiting
Auth Gateway
OAuth2/OIDC, JWT validation, RBAC enforcement
Content Service
Versioned articles, metadata, media assets, translations
AI Inference Engine
LLM routing, RAG pipelines, fact-checking, summarization
Search & Index
Semantic search, vector similarity, autocomplete, filters
Analytics & Telemetry
User behavior, query patterns, system metrics, alerts
PostgreSQL
Relational storage, transactions, user accounts, audit logs
Vector DB (Pinecone)
Embeddings, semantic indexing, multi-language vectors
Object Storage (S3)
Images, PDFs, datasets, backup archives, exports
Redis Cache
Session storage, rate limits, hot article caching, queues
1. Client Request (Inbound)
User submits query via API or UI. Request is routed through the global CDN and validated by the WAF. TLS termination occurs at the edge. Payload is authenticated via JWT inspection at the API Gateway.
2. Query Parsing & Routing (Gateway)
The API Gateway parses the request, applies rate limits, and routes to the appropriate microservice. Contextual metadata (user tier, language, region) is attached to the request envelope.
3. Semantic Processing (AI Engine)
The query is embedded using our multilingual embedding model. The AI Engine performs hybrid search (BM25 + Vector) against the index, retrieves relevant chunks, and runs a RAG pipeline for answer synthesis.
4. Fact Verification (Quality Control)
Generated responses pass through the Verification Service, which cross-references claims against primary sources, checks citation validity, and applies bias/accuracy scoring before final output.
5. Response Delivery (Outbound)
Final payload is serialized, cached in Redis for hot queries, and streamed back to the client via SSE or standard REST. Analytics events are asynchronously published to the telemetry pipeline.
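The JWT inspection in step 1 and the metadata attachment in step 2, shown as an added example that is not this platform's own code. It assumes HS256 with a shared key, a 15-minute maximum token lifetime, and hypothetical claim names (tier, lang, region) and function names; the sample tokens are constructed.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-key"  # assumption: HS256 shared key (page names no algorithm)
MAX_TTL = 900                     # assumption: "short-lived" read as 15 minutes

def b64d(seg):
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def mint(claims, key=SECRET, alg="HS256"):
    """Build a constructed sample token for the demo; not an issuer."""
    head = b64e(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64e(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64e(sig)}"

def build_envelope(token, query, now=None):
    """Validate the JWT, then copy trusted claims into the request envelope."""
    now = time.time() if now is None else now
    try:
        head_s, body_s, sig_s = token.split(".")
        header, sig = json.loads(b64d(head_s)), b64d(sig_s)
    except ValueError:
        raise PermissionError("malformed token")
    # Pin the algorithm server-side; never let the token choose (rejects alg=none).
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise PermissionError("unexpected algorithm")
    want = hmac.new(SECRET, f"{head_s}.{body_s}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, want):
        raise PermissionError("bad signature")
    claims = json.loads(b64d(body_s))  # parsed only after the signature checks out
    exp, iat = claims.get("exp"), claims.get("iat")
    if "sub" not in claims or not all(isinstance(v, (int, float)) for v in (exp, iat)):
        raise PermissionError("missing sub/exp/iat")
    if now >= exp or iat > now or exp - iat > MAX_TTL:
        raise PermissionError("expired or over-long lifetime")
    # Routing metadata comes from verified claims, not from client-supplied headers.
    return {"sub": claims["sub"], "tier": claims.get("tier", "free"),
            "lang": claims.get("lang", "en"), "region": claims.get("region"),
            "query": query}
```

Downstream services then read tier, language and region from the envelope only, so a client cannot raise its own tier by sending a header or query parameter.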
🛡️ Identity & Access
- OAuth 2.0 / OpenID Connect compliance
- Role-Based Access Control (RBAC) + ABAC
- Multi-factor authentication (MFA) enforcement
- Short-lived JWTs with rotating refresh tokens
🔒 Data Protection
- AES-256 encryption at rest (KMS managed keys)
- TLS 1.3 in transit with HSTS enforcement
- PII masking & data minimization policies
- Immutable audit logs for all admin actions
🌐 Network & Infrastructure
- Zero-trust architecture with mTLS between services
- VPC isolation & private subnets for databases
- Web Application Firewall (WAF) + DDoS mitigation
- Automated vulnerability scanning & patch rotation
✅ Compliance & Audits
- SOC 2 Type II certified processes
- GDPR & CCPA data subject request automation
- Regular third-party penetration testing
- Content moderation & abuse detection pipelines
Core Technology Stack
Battle-tested infrastructure powering millions of queries daily.