Skip to main content

Architecture Overview

Wede is designed for regulated industries where security is not a feature - it is a precondition. Every architectural decision is made with the assumption that the data being transported is sensitive, the operations are critical, and the audit trail is legally required.
Wede transports payloads but never inspects them. Your data is encrypted by you before it reaches Wede. We handle delivery, integrity, and reconciliation - not content.

Authentication and Access

API Keys

Every tenant receives two API keys at onboarding - one for production (wede_live_), one for sandbox (wede_test_). Keys are:
  • Stored as bcrypt hashes - never in plain text, not even internally
  • Validated on every request with constant-time comparison
  • Scopeable per integration or environment
  • Rotatable at any time via POST /v1/tenant/api-keys/rotate with a configurable grace period
POST /v1/tenant/api-keys/rotate
{
  "environment": "production",
  "grace_hours": 24
}
The previous key remains valid for the configured grace period, allowing zero-downtime rotation.

JWT Sessions

User sessions are issued as signed JWT tokens:
  • Signed with a secret stored in GCP Secret Manager - never in environment variables
  • Expire after 8 hours
  • Include a token_version claim tied to the user record
  • Immediately invalidated when a user is suspended or their session is revoked - no waiting for expiry

Brute Force Protection

Login attempts are rate-limited at two levels:
  • Global rate limit - per tenant, configurable per plan
  • Per-account lockout - after 5 consecutive failed attempts, the account is locked for 15 minutes. The user can unlock immediately via password reset without admin intervention.

Transport Security

All communication with the Wede API is encrypted over TLS 1.2+. Unencrypted HTTP is rejected at the infrastructure level - not redirected. This applies to all delivery channels: REST, structured protocols, voice, LoRa, and satellite. Each channel has independent transport-level security appropriate to its protocol.

Role-Based Access Control

Wede implements a 7-level cascading RBAC model. No level can grant permissions it does not itself hold. Privilege escalation is mathematically impossible.
LevelRoleScopeCan configure?
1wede_global_adminFull platform — infrastructure, billing, all tenantsYes
2wede_tech_opsTechnical operations — no billing, no tenant configYes (technical)
3country_adminRegional management — assigned countries onlyYes (regional)
4company_adminFull tenant — teams, users, billing view, dispatchYes
5company_techTechnical — SDK, API keys, integrations, teams, dispatchYes
6operational_supervisorDispatch console, missions, backup — executes, does not configureNo
7field_operatorMission receipt, status updates, backup requests — executes onlyNo
operational_supervisor and field_operator are execution roles — they dispatch teams, update mission status, and request backup. They cannot create or modify parsers, catalogs, teams, or tenant settings. Assign company_tech or company_admin for configuration access.
wede_global_admin, wede_tech_ops, and country_admin are above-tenant roles — they do not belong to any specific organisation and cannot dispatch teams. Dispatch is always a tenant-level operation.
Every API route enforces the minimum required permission. Attempting to access a route without the required permission returns 403 Forbidden — the route does not exist from the caller’s perspective.

Cascade Principle

  • Wede Global Admin defines the full universe of available features
  • Each level receives a subset of the level above
  • Delegation is explicit — not included by default
  • Privilege escalation is structurally impossible — no level can grant what it does not hold

Audit Trail

Every mutating operation in Wede is written to an immutable audit log:
  • User identity and role
  • Action performed (create, update, delete, dispatch, suspend)
  • Resource type and ID
  • Timestamp (UTC)
  • IP address
  • User agent
  • Request ID for end-to-end traceability
Covered operations include: authentication, events, sync, webhooks, teams, dispatch, missions, parsers, users, zones, and tenant configuration changes. Audit logs are available via the API (GET /v1/audit) and the dashboard. They cannot be modified or deleted - not even by Wede Global Admin.

Data Isolation

Each tenant’s data is logically isolated at the database level. Every query is scoped to tenant_id. Cross-tenant data access is structurally impossible via the API - not just access-controlled. country_admin roles operate across tenants within their assigned countries via explicit country_admin_assignments - there is no implicit access.

Payload Opacity

Wede never reads, stores, or inspects the content of your event payloads. Encrypt before sending.
The payload field in every event is treated as an opaque binary blob. Wede transports it, preserves its integrity via SHA-256 hash, and delivers it - without ever accessing its content. This is by design and enforced at the architectural level. This means Wede is compatible with end-to-end encrypted workflows in healthcare, banking, and government without any changes.

Infrastructure

  • Cloud provider: GCP europe-west1 (Belgium)
  • Database: PostgreSQL 16 - Cloud SQL with automated backups
  • Secrets: GCP Secret Manager - all credentials, keys, and tokens
  • Container runtime: Cloud Run - auto-scaling, no persistent state
  • CDN and DNS: Cloudflare - DDoS protection, global PoPs
All infrastructure is within the EU. Data does not leave the EU unless explicitly configured for a multi-region deployment.

Compliance Alignment by Vertical

Banking and Fintech - DORA

The EU Digital Operational Resilience Act (DORA) applies to financial entities and their ICT providers. Wede is designed as a DORA-aligned ICT layer:
DORA RequirementWede Implementation
ICT risk managementMulti-channel fallback, zone connectivity monitoring, real-time alerts
Incident reportingImmutable audit log, webhook notifications, structured incident lifecycle
Operational continuityOffline-first SDK - operations continue without internet
Third-party ICT oversightFull API documentation, contractual SLAs, audit trail exportable to PDF/CSV
Resilience testingSandbox environment per tenant, connectivity simulation endpoints
Data integritySHA-256 hash per event, idempotency enforcement, reconciliation engine
Access controls7-level RBAC, API key rotation, JWT revocation, brute force protection
Audit trailImmutable logs with user, action, timestamp, IP, request ID
Wede operates as an ICT third-party provider under DORA Article 28. Full contractual documentation is available on request.

Healthcare - HIPAA and MDR

For healthcare deployments, Wede aligns with HIPAA Technical Safeguards (45 CFR § 164.312):
HIPAA SafeguardWede Implementation
Access Controls (§ 164.312(a))RBAC with unique user IDs, automatic session expiry, role-scoped API keys
Audit Controls (§ 164.312(b))Session-level and operation-level audit logs, tamper-evident, exportable
Integrity Controls (§ 164.312(c))SHA-256 per event, idempotency key, reconciliation without data loss
Transmission Security (§ 164.312(e))TLS 1.2+ enforced, no unencrypted fallback paths
AuthenticationJWT with token versioning, bcrypt passwords, brute force lockout
Wede does not store ePHI - payloads are opaque and pass through encrypted. This significantly reduces the compliance surface for healthcare integrators.
The 2025 proposed HIPAA Security Rule updates (expected final May 2026) make encryption at rest and in transit, MFA, and audit controls mandatory without exception. Wede meets all proposed requirements.

Government and Critical Infrastructure - NIS2

For government and infrastructure deployments:
NIS2 RequirementWede Implementation
Risk managementMulti-layer resilience, zone-level connectivity monitoring
Incident handlingStructured lifecycle, webhook notifications, audit export
Business continuityOffline-first SDK, multi-channel fallback, data sync on reconnection
Supply chain securityPrivate core repository, public SDK only - no proprietary algorithm exposure
Access controlCascading RBAC, session revocation, API key rotation
CryptographyTLS 1.2+, bcrypt, SHA-256, secrets in GCP Secret Manager
Data residencyConfigurable per country and per zone - EU by default

What Wede Does Not Do

To be explicit about scope:
  • Wede does not store payload content - payloads are opaque
  • Wede does not provide MFA for end users - this is your responsibility at the application layer
  • Wede does not perform penetration testing on your integration - you are responsible for your own security posture
  • Wede does not guarantee anonymisation - if your payload contains PII, you are responsible for encrypting it before sending

Security Contact

To report a security vulnerability: security@wede.pt We respond to all security reports within 24 hours. We do not operate a public bug bounty programme at this time.