Infrastructure Components
VeriProof’s Standard Tier runs entirely on Azure. This page describes each infrastructure component, its role, and its security configuration.
Azure Functions (Isolated Worker)
All API endpoints and background processing run as .NET 10 Azure Functions using the isolated worker model. This separates the function execution process from the Azure Functions host process, providing:
- Independent dependency injection and middleware pipeline
- No shared memory surface with the Functions host
- Full control over authentication middleware placement
Deployed function apps:
| Function App | Purpose | Port (local) |
|---|---|---|
| Veriproof.Ingest.Functions | Receives OTLP payloads from SDKs | 5100 |
| Veriproof.CustomerPortal.Functions | Customer Portal API (sessions, keys, alerts) | 5101 |
| Veriproof.StaffPortal.Functions | Internal staff operations API | 5102 |
| Veriproof.Blockchain.Functions | Notary outbox processing and Solana anchoring | 5002 |
| Veriproof.Treasury.Functions | Solana account management and fee handling | 7073 |
Authentication is enforced via middleware rather than per-function AuthorizationLevel. All functions are declared AuthorizationLevel.Anonymous and the middleware pipeline validates tokens before requests reach function handlers. See API Authentication for the middleware architecture.
PostgreSQL (via Neon / Azure PaaS)
Session data, governance events, API keys, and audit logs are stored in PostgreSQL. The schema is divided across four logical databases:
| Schema | Contains |
|---|---|
| customerportal | Session traces, span records, governance events, API keys, applications, organizations |
| notary | Notary outbox for pre-anchor batches |
| worker | Blockchain transaction registry, workflow jobs, audit log |
| ingest | Ingest-specific staging and validation tables |
Security configuration:
- Two database roles: `customer_role` (RLS enforced) and `staff_role` (RLS bypassed, audit-logged)
- Row-Level Security policies on all session and governance tables
- Monthly table partitioning for performance at scale
- TDE (Transparent Data Encryption) enabled at the server level
Connection security: All connections use TLS. Connection strings are stored in Azure Key Vault and injected at runtime via Azure App Configuration. No connection string appears in application settings or environment variables in production.
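The two-role RLS model and monthly partitioning described above, as an added PostgreSQL example (not VeriProof's own schema): the table `customerportal.sessions` and its columns `session_id`, `organization_id` and `started_at`, the `app.organization_id` connection setting, and the per-request flow are all assumed for illustration.

```sql
-- Added example, not VeriProof's schema: roles, RLS and monthly partitioning.
-- Table, column and setting names are assumed for illustration.

CREATE ROLE customer_role NOLOGIN;                 -- policies enforced
CREATE ROLE staff_role NOLOGIN BYPASSRLS;          -- policies skipped; pair with audit logging

CREATE TABLE customerportal.sessions (
    session_id      uuid        NOT NULL,
    organization_id uuid        NOT NULL,
    started_at      timestamptz NOT NULL,
    PRIMARY KEY (session_id, started_at)           -- partition key must be in the PK
) PARTITION BY RANGE (started_at);

-- One partition per month; create the next month's partition ahead of time.
CREATE TABLE customerportal.sessions_2025_01 PARTITION OF customerportal.sessions
    FOR VALUES FROM ('2025-01-01') TO ('2025-02-01');

ALTER TABLE customerportal.sessions ENABLE ROW LEVEL SECURITY;
ALTER TABLE customerportal.sessions FORCE ROW LEVEL SECURITY;   -- also binds the table owner

-- Tenant comes from a per-connection setting the API sets after authenticating
-- the request. NULLIF guards against the empty string a stale setting can leave
-- behind, so an unset tenant matches no rows instead of raising a cast error.
CREATE POLICY tenant_isolation ON customerportal.sessions
    FOR ALL TO customer_role
    USING      (organization_id = NULLIF(current_setting('app.organization_id', true), '')::uuid)
    WITH CHECK (organization_id = NULLIF(current_setting('app.organization_id', true), '')::uuid);

-- Grant on the parent only: a policy on the parent applies to queries routed
-- through it, while a direct query against a partition would need its own policy.
GRANT USAGE ON SCHEMA customerportal TO customer_role, staff_role;
GRANT SELECT, INSERT ON customerportal.sessions TO customer_role;
GRANT SELECT        ON customerportal.sessions TO staff_role;

-- Assumed per-request flow in the API: scope role and tenant to one transaction
-- (the API's login user must be a member of customer_role for SET ROLE to succeed).
BEGIN;
SET LOCAL ROLE customer_role;
SET LOCAL app.organization_id = '11111111-1111-1111-1111-111111111111';  -- constructed tenant id
SELECT session_id, started_at FROM customerportal.sessions;   -- only this tenant's rows
COMMIT;
```

Because `staff_role` carries `BYPASSRLS`, every statement it runs should be captured by the audit log the page mentions; the policy itself provides no record of staff reads.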
Azure Blob Storage (WORM)
Encrypted audit logs for Enterprise Tier customers are stored in Azure Blob Storage configured with WORM (Write Once, Read Many) immutability policy:
- Immutability policy: Time-based retention lock, minimum 7 years
- Versioning: Enabled — overwrites create new versions, never delete
- Access: Managed Identity only — no storage account keys in application code
- Encryption: Azure-managed keys by default; customer-provided keys supported for Enterprise
Standard Tier customers do not use Azure Blob directly — all records stay in PostgreSQL.
Azure Key Vault
All secrets, API signing keys, and database connection strings are stored in Azure Key Vault:
| Secret type | Key Vault secret name pattern |
|---|---|
| PostgreSQL connection strings | {env}-pg-connection-{schema} |
| Deployment context signing key | {env}-deployment-context-signing-key |
| Solana wallet keypair | {env}-solana-treasury-keypair |
| HMAC signing key (webhooks) | {env}-webhook-hmac-key |
Applications access Key Vault using Azure Managed Identity — no credentials are stored in configuration files. Key rotation is handled through Key Vault’s built-in versioning; the ApiKeyProvider pattern in the .NET SDK caches the current key version and refreshes on a TTL.
Azure Static Web Apps
The Customer Portal (Veriproof.CustomerPortal.Web) and Staff Portal (Veriproof.StaffPortal.Web) are served from Azure Static Web Apps. Key configuration:
- HTTPS only — HTTP redirected at the CDN layer
- CSP headers configured to restrict script and frame sources
- No server-side rendering — the backend API handles all data access
- Custom domain with Azure Front Door for global CDN distribution
- The public docs site (docs.veriproof.app) is also served from its own Azure Static Web Apps origin
Azure Service Bus / Storage Queues
Background work (Notary outbox processing, workflow retries) uses Azure Storage Queues for lightweight job passing. Enterprise Tier deployments have the option to use Azure Service Bus if more advanced messaging features (dead-letter queues, sessions) are required.
Queue access uses Managed Identity with queue-scoped RBAC rather than connection strings with full account access.
Azure Application Insights
Telemetry from all Function Apps is sent to Azure Application Insights for operational monitoring:
- Request traces, dependency calls, and exceptions
- Custom alert rules for export failures and circuit breaker events
- Live metrics stream for real-time operational visibility
- Log retention: 90 days (configurable)
Application Insights data is VeriProof-internal and is not shared with customers.
Solana (external)
Blockchain anchoring uses Solana Mainnet-Beta as the public ledger. VeriProof maintains a treasury account funded with SOL to pay transaction fees. The Blockchain Functions service submits Compressed Merkle Tree (CMT) transactions using the Solana RPC API.
Key parameters:
- Network: Solana Mainnet-Beta
- Program: Solana SPL Account Compression (`spl-account-compression`)
- Tree config: `max_depth=20`, `max_buffer_size=256`
- Cost: approximately $0.000035 per session (amortized across batches)
See Blockchain Anchoring for full details.
Next steps
- Data Flow & Isolation — what data moves where
- Encryption at Rest — storage encryption configuration
- Azure Key Vault & HMAC Signing — key management details