
Enterprise Hybrid Deployment

Enterprise Hybrid mode stores all session data in your infrastructure while automatically anchoring 32-byte commitment hashes to the Solana blockchain via Veriproof’s cloud commitment API.

This guide assumes you have received the enterprise deployment package from your Veriproof account manager and have an active vp_enterprise_... API key.

Architecture Summary

  • Your AI application uses the Veriproof SDK configured for EnterpriseHybrid mode
  • Session payloads are encrypted with AES-256 and stored in your Azure PostgreSQL instance
  • Encryption keys are managed in your Azure Key Vault
  • Only 32-byte commitment hashes are sent to api.veriproof.app/v1/enterprise/commitments
  • A self-hosted Customer Portal reads from your PostgreSQL database

Deployment Steps

Provision Azure Resources

Deploy the Veriproof Bicep templates from the enterprise package:

    az deployment group create \
      --resource-group your-rg \
      --template-file veriproof-hybrid.bicep \
      --parameters \
        environment=production \
        postgresAdminPassword="<strong-password>" \
        keyVaultName="your-kv-name"

This provisions:

  • Azure Database for PostgreSQL Flexible Server
  • Azure Key Vault with soft delete and purge protection
  • Azure Functions deployment slots
  • Azure Static Web Apps resource (for the portal frontend)
  • Managed Identity with Key Vault access policies

Apply the Database Schema

Run the database migration scripts against your new PostgreSQL instance:

    psql "postgresql://veriproof_admin:<password>@your-server.postgres.database.azure.com/veriproof" \
      -f migrations/001_initial_schema.sql \
      -f migrations/002_enterprise_tables.sql

Migrations are idempotent (they use IF NOT EXISTS guards) and can be re-run safely.

Initialize the Pepper Key

Generate your tenant pepper key and store it in your Key Vault:

    # Generate a 256-bit pepper key
    PEPPER=$(openssl rand -hex 32)
    az keyvault secret set \
      --vault-name your-kv-name \
      --name "veriproof-pepper" \
      --value "$PEPPER"

Store a copy of the pepper key in your organization’s secure backup facility. If the pepper key is permanently destroyed, all encrypted session data becomes permanently unreadable. There is no recovery path.
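
A hardened variant of the pepper step, as an added example that is not part of the Veriproof enterprise package: it uploads the secret with `--file` instead of `--value`, so the value never appears in the process argument list, and it first checks that the vault has soft delete and purge protection enabled. The function names are hypothetical; `your-kv-name` and `veriproof-pepper` are the placeholders used in this guide.

```shell
#!/usr/bin/env bash
# Added example. Helper names are hypothetical; the vault and secret
# names are the placeholders used in the guide.

# Succeeds only for exactly 64 lowercase hex characters, i.e. the
# 256-bit value that `openssl rand -hex 32` prints.
is_valid_pepper() {
  case "$1" in
    ''|*[!0123456789abcdef]*) return 1 ;;
  esac
  [ "${#1}" -eq 64 ]
}

# Writes a new pepper to a file readable only by the current user.
# Refuses to overwrite an existing file.
generate_pepper_file() {
  [ ! -e "$1" ] || return 1
  ( umask 077 && openssl rand -hex 32 | tr -d '\n' > "$1" ) || return 1
  is_valid_pepper "$(cat "$1")"
}

# Interprets the two flags read from `az keyvault show`: both must be
# the literal "true" (false, null or empty output all fail).
vault_protection_ok() {
  [ "$1" = "true" ] && [ "$2" = "true" ]
}

# Checks the vault, then uploads from the file so the secret is never
# passed as a command-line argument.
store_pepper() {
  vault="$1"; file="$2"
  soft=$(az keyvault show --name "$vault" \
    --query properties.enableSoftDelete -o json) || return 1
  purge=$(az keyvault show --name "$vault" \
    --query properties.enablePurgeProtection -o json) || return 1
  vault_protection_ok "$soft" "$purge" ||
    { echo "vault lacks soft delete or purge protection" >&2; return 1; }
  is_valid_pepper "$(cat "$file")" ||
    { echo "pepper file is malformed" >&2; return 1; }
  az keyvault secret set --vault-name "$vault" --name veriproof-pepper \
    --file "$file" --encoding utf-8 --output none
}

# Usage (not run here):
#   generate_pepper_file ./pepper.hex && store_pepper your-kv-name ./pepper.hex
#   then move ./pepper.hex to the secure backup facility and delete the local copy
```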

Deploy the Function Apps

Deploy the Customer Portal API and Ingest API Function Apps from the enterprise package:

    # Customer Portal API
    func azure functionapp publish your-customer-api-app

    # Ingest API
    func azure functionapp publish your-ingest-api-app

Configure each Function App’s Application Settings with:

    Setting                         Value
    DEPLOYMENT_MODE                 EnterpriseHybrid
    POSTGRES_CONNECTION_STRING      Connection string to your PostgreSQL instance
    KEY_VAULT_URI                   https://your-kv-name.vault.azure.net/
    VERIPROOF_ENTERPRISE_API_KEY    Your vp_enterprise_... API key
    VERIPROOF_COMMITMENT_ENDPOINT   https://api.veriproof.app/v1/enterprise/commitments

Generate and Deploy the Signed Deployment Config

Generate the signed deployment-config.json using the enterprise tooling:

    veriproof-enterprise config generate \
      --mode hybrid \
      --setup-complete false \
      --portal-url https://portal.your-domain.com \
      --signing-key $DEPLOYMENT_SIGNING_KEY \
      --output ./dist/deployment-config.json

Deploy this file to the static assets directory of your portal frontend. It is served alongside the React SPA.

Deploy the Portal Frontend

Deploy the portal frontend (React SPA) to Azure Static Web Apps or your Nginx host:

    az staticwebapp deploy \
      --name your-portal-swa \
      --source ./dist

Ensure deployment-config.json is included in the deployment.

Complete Setup via the Portal

Navigate to your portal URL in a browser. Because isSetupComplete is false in the deployment config, the setup wizard appears.

  1. Create the initial CustomerAdmin account
  2. Connect the test Enterprise API key
  3. Run the connection validation check
  4. Mark setup as complete

After setup completion, regenerate the signed deployment config with --setup-complete true and redeploy it. This prevents the wizard from reappearing.

Configure the SDK

Update your AI application to use Enterprise Hybrid mode:

    builder.Services.AddVeriproof(options =>
    {
        options.Mode = DeploymentMode.EnterpriseHybrid;
        options.LocalDatabaseConnectionString = connectionString;
        options.LocalKeyVaultUri = "https://your-kv-name.vault.azure.net/";
        options.CommitmentOnlyEndpoint = "https://api.veriproof.app/v1/enterprise/commitments";
        options.ApiKey = "vp_enterprise_...";
    });

Validate End-to-End

Send a test session and confirm:

  • Session data appears in your PostgreSQL tables
  • Commitment hash appears in the Veriproof commitment queue (check the portal)
  • Solana transaction signature is returned and verifiable

Networking Checklist

    Requirement                                Details
    Egress to api.veriproof.app:443            From your AI application servers or Function Apps
    No inbound from Veriproof required         Veriproof never initiates connections inward
    TLS 1.2+ on all connections                Enforced by the platform
    PostgreSQL accessible from Function Apps   Within VNet or via service endpoint
    Key Vault accessible from Function Apps    Via Managed Identity (no connection string needed)

Maintenance

  • Scale: Scale the PostgreSQL instance vertically as session volume grows. The Function Apps autoscale on the Flex Consumption plan.
  • Backups: Enable point-in-time restore on the PostgreSQL instance (minimum 7-day window recommended).
  • Key rotation: Pepper key rotation is a staff-assisted operation. Contact support@veriproof.app to initiate.
  • Portal updates: New portal versions are delivered as updated Function App packages and SPA bundles. Follow the upgrade guide.