Last updated: 2026-04-06

Reference

Technical Architecture¶

Technical overview of Dxtra's privacy compliance platform for developers integrating with our APIs.

Technical Resources

API: GraphQL API • Authentication • Webhooks

Implementation: First API Request • Integration Guide

View API Documentation Security Details

Platform Design¶

Dxtra is built as a cloud-native platform with these core principles:

Privacy by Design - Personal data is hashed and minimized at ingestion
Compliance-First - GDPR, CCPA, and PECR requirements built into the data model
API-First - Full platform functionality available via GraphQL API
Real-Time Processing - Webhook events processed and available immediately

API Architecture¶

Dxtra provides a GraphQL API for all platform operations:

graph LR
    subgraph "Your Application"
        App[Your App]
        Widget[Privacy Widgets]
    end

    subgraph "Dxtra Platform"
        API[GraphQL API<br/>api.dxtra.ai]
        Auth[Authentication<br/>auth.dxtra.ai]
    end

    App -->|GraphQL| API
    Widget -->|REST| API
    App -->|JWT| Auth

API Endpoints¶

Service	URL	Purpose
GraphQL API	`https://api.dxtra.ai/v1/graphql`	Primary data API
Authentication	`https://auth.dxtra.ai`	JWT token exchange
Integrations	`https://conduit.dxtra.ai`	Webhook receiver for third-party platforms

Core Data Types¶

The API provides access to these privacy data types:

Data Subjects - Customer privacy profiles with consent preferences
Processing Activities - Audit log of data processing events
Rights Requests - GDPR/CCPA rights request management
Consent Forms - Configurable consent collection
Privacy Notices - Policy document management

Security Architecture¶

Dxtra implements security at every layer:

graph TB
    subgraph "Security Layers"
        TLS[TLS 1.2+ Encryption]
        Auth[JWT Authentication]
        RBAC[Role-Based Access Control]
        Encrypt[Data Encryption at Rest]
    end

    TLS --> Auth
    Auth --> RBAC
    RBAC --> Encrypt

Security Controls¶

Layer	Protection
Transport	All traffic encrypted with TLS 1.2 or higher
Authentication	JWT tokens with configurable expiration
Authorization	Role-based access with row-level filtering
Data	Encryption at rest, hashed identifiers

Authentication Methods¶

Dxtra supports multiple authentication methods:

Email/password with optional MFA
Passwordless magic links
OAuth providers (GitHub)
WebAuthn/FIDO2 passkeys
API keys for server-to-server

Privacy-Preserving Design¶

Dxtra minimizes personal data storage:

graph TD
    subgraph "Data Ingestion"
        Raw[Incoming PII]
        Extract[Extract Required Fields]
        Hash[Generate SHA-256 Hash]
    end

    subgraph "Storage"
        Links[Privacy-Preserving Links<br/>Hashed identifiers only]
        Metadata[Processing Metadata<br/>Timestamps, sources]
    end

    Raw --> Extract
    Extract --> Hash
    Hash --> Links
    Extract --> Metadata

    Raw -.->|Not Stored| Discard[Discarded]

Key privacy features:

Raw PII is never stored - only hashed identifiers
Cross-platform identity matching via privacy-preserving hashes
Automatic data minimization at ingestion
Configurable retention periods

Integration Architecture¶

External platforms connect via webhooks:

graph LR
    subgraph "Your Platforms"
        Shopify[Shopify]
        Stripe[Stripe]
        Mailchimp[Mailchimp]
    end

    subgraph "Dxtra"
        Webhook[Webhook Handler]
        Process[Privacy Processing]
        Store[Compliance Database]
    end

    Shopify -->|HTTPS + HMAC| Webhook
    Stripe -->|HTTPS + Signature| Webhook
    Mailchimp -->|HTTPS| Webhook

    Webhook --> Process
    Process --> Store

Supported Integrations¶

Category	Platforms
E-commerce	Shopify, WooCommerce
Payments	Stripe, QuickBooks
Marketing	Mailchimp, Customer.io, Klaviyo
Events	Eventbrite, Survey Monkey

All webhooks are validated using platform-specific HMAC signatures.

Performance & Reliability¶

Dxtra is designed for enterprise reliability:

High Availability - Multi-region deployment with automatic failover
API Rate Limits - Fair usage limits to ensure consistent performance
Caching - Query results cached for fast response times
Monitoring - Real-time platform health monitoring

API Rate Limits¶

Endpoint	Limit
GraphQL queries	1000 requests/minute
Authentication	100 requests/minute
Webhooks	Unlimited (validated signatures)

Compliance Features¶

Built-in support for privacy regulations:

Regulation	Features
GDPR	Article 30 ROPA, consent management, rights processing
CCPA	Do Not Sell tracking, consumer rights portal
PECR	Cookie consent, marketing preferences

Text Only

classDef platform fill:#ede7f6,stroke:#4CAF50,stroke-width:2px,color:#311B92
classDef conduit fill:#ede7f6,stroke:#311B92,stroke-width:3px,color:#311B92
classDef security fill:#ede7f6,stroke:#F44336,stroke-width:3px,color:#311B92
classDef router fill:#ede7f6,stroke:#FF9800,stroke-width:2px,color:#311B92
classDef processor fill:#ede7f6,stroke:#2196F3,stroke-width:2px,color:#311B92
classDef scanner fill:#ede7f6,stroke:#9C27B0,stroke-width:2px,color:#311B92
classDef hasher fill:#ede7f6,stroke:#009688,stroke-width:2px,color:#311B92
classDef agent fill:#ede7f6,stroke:#311B92,stroke-width:3px,color:#311B92
classDef queue fill:#ede7f6,stroke:#795548,stroke-width:2px,color:#311B92
classDef storage fill:#ede7f6,stroke:#009688,stroke-width:2px,color:#311B92

```

Service Architecture¶

Microservices architecture with independent scaling and deployment capabilities:

Core Services¶

Service	Technology Stack	Purpose	Deployment
Hasura GraphQL Engine	Hasura v2.48.5-ce, PostgreSQL 17, Redis 7.4.6	GraphQL API layer with permissions	ECS Fargate with read replicas
dx-agent	Python 3.12, FastAPI, RabbitMQ 4.1	Privacy business logic and blockchain integration	ECS Fargate with auto-scaling
dx-strapi	Node.js 22, Strapi 5.29	Content and notice management	ECS Fargate container
dx-conduit	Node.js 22, Express 4.21, TypeScript 5.7, Zod 3.24	Third-party integration hub	ECS Fargate with load balancing
dx-pii-scanner	Python 3.11, Presidio 2.2.358	Personal data identification	Serverless Lambda functions
dx-drive-connector	Python 3.11, PyDrive2, boto3	Google Drive integration	Event-driven Lambda
Tag Manager API	Node.js 20, Express, MongoDB 6.0	Tag management and analytics	ECS Fargate with MongoDB cluster
Tag Manager Edge	Java 17, Micronaut 2.5.11	High-performance tag delivery	ECS Fargate optimized for throughput
Tag Manager UI	Next.js 12, React 17, Material-UI 5	Tag management interface	CloudFront + S3 static hosting

Blockchain Integration

DIDs are generated deterministically from PostgreSQL UUIDs using SHA3-256 hashing. No external blockchain infrastructure is required.

Infrastructure Stack¶

AWS InfrastructureContainer Architecture

```mermaid graph TB subgraph "Availability Zone 1" ECS1[ECS Cluster
Primary Services]:::ecs RDS1[RDS PostgreSQL 17
Primary Database]:::database Redis1[ElastiCache Redis 7.4.6
Distributed Locking]:::cache end

Text Only

subgraph "Availability Zone 2"
    ECS2[ECS Cluster<br/>Replica Services]:::ecs
    RDS2[RDS Read Replica<br/>Read Operations]:::database
    Redis2[ElastiCache Redis<br/>Replica Node]:::cache
end

subgraph "Global Services"
    ALB[Application Load Balancer<br/>SSL Termination]:::alb
    CloudFront[CloudFront CDN<br/>Global Distribution]:::cdn
    Route53[Route 53 DNS<br/>Health Checks]:::dns
end

subgraph "Security Services"
    WAF[AWS WAF<br/>Application Protection]:::security
    Secrets[Secrets Manager<br/>Credential Storage]:::security
    KMS[AWS KMS<br/>Encryption Keys]:::security
end

%% Traffic routing
Route53 --> CloudFront
CloudFront --> WAF
WAF --> ALB

%% Service distribution
ALB --> ECS1
ALB --> ECS2

%% Data replication
RDS1 -.->|Sync Replication| RDS2
Redis1 -.->|Cluster Mode| Redis2

%% Security integration
ECS1 --> Secrets
ECS2 --> Secrets
RDS1 --> KMS
RDS2 --> KMS

classDef ecs fill:#ede7f6,stroke:#FF9800,stroke-width:2px,color:#311B92
classDef database fill:#ede7f6,stroke:#2196F3,stroke-width:3px,color:#311B92
classDef cache fill:#ede7f6,stroke:#F44336,stroke-width:2px,color:#311B92
classDef alb fill:#ede7f6,stroke:#4CAF50,stroke-width:3px,color:#311B92
classDef cdn fill:#ede7f6,stroke:#9C27B0,stroke-width:2px,color:#311B92
classDef dns fill:#ede7f6,stroke:#795548,stroke-width:2px,color:#311B92
classDef security fill:#ede7f6,stroke:#311B92,stroke-width:3px,color:#311B92

```

```mermaid graph LR subgraph "Container Registry" ECR[AWS ECR
Container Images]:::registry Docker[Docker Hub
Public Images]:::registry end

Text Only

subgraph "Container Orchestration"
    ECS[AWS ECS Fargate<br/>Serverless Containers]:::orchestration
    TaskDef[Task Definitions<br/>Service Configurations]:::config
    Service[ECS Services<br/>Auto Scaling Groups]:::service
end

subgraph "Running Containers"
    API[GraphQL API<br/>Hasura Container]:::container
    Agent[Privacy Agent<br/>Python Container]:::container
    Conduit[Integration Hub<br/>Node.js Container]:::container
    Strapi[CMS Service<br/>Strapi Container]:::container
end

subgraph "Shared Resources"
    ALB[Application Load Balancer<br/>Service Discovery]:::alb
    RDS[RDS PostgreSQL<br/>Shared Database]:::database
    Redis[ElastiCache<br/>Distributed Locks]:::cache
end

%% Image management
ECR --> ECS
Docker --> ECS

%% Container deployment
ECS --> TaskDef
TaskDef --> Service
Service --> API
Service --> Agent
Service --> Conduit
Service --> Strapi

%% Load balancing
ALB --> API
ALB --> Agent
ALB --> Conduit
ALB --> Strapi

%% Shared resources
API --> RDS
Agent --> RDS
Strapi --> RDS
API --> Redis

classDef registry fill:#E8EAF6,stroke:#3F51B5,stroke-width:2px,color:#1A237E
classDef orchestration fill:#311B92,stroke:#221266,stroke-width:3px,color:#ffffff
classDef config fill:#FFF3E0,stroke:#FF9800,stroke-width:2px,color:#E65100
classDef service fill:#E0F2F1,stroke:#009688,stroke-width:2px,color:#004D40
classDef container fill:#F1F8E9,stroke:#8BC34A,stroke-width:2px,color:#33691E
classDef alb fill:#FCE4EC,stroke:#E91E63,stroke-width:3px,color:#880E4F
classDef database fill:#EFEBE9,stroke:#795548,stroke-width:3px,color:#3E2723
classDef cache fill:#FFEBEE,stroke:#F44336,stroke-width:2px,color:#B71C1C

```

Data Architecture¶

Privacy-preserving data architecture designed for compliance with global privacy regulations:

Privacy-Preserving Design¶

Privacy by Design Principles

Dxtra's data architecture implements Privacy by Design principles with technical safeguards for personal data protection.

Core Privacy Principles:

Data MinimizationCross-Platform Identity

```mermaid graph TD Raw[Raw Customer Data
Full PII Dataset]:::raw

Text Only

subgraph "Privacy Processing Pipeline"
    Extract[Extract Required Fields<br/>Minimal PII Selection]:::process
    Hash[Generate Privacy Hash<br/>SHA-256 + Unique Salt]:::hash
    Link[Create Privacy-Preserving Link<br/>Cross-Platform Identity]:::link
end

subgraph "Secure Storage"
    Hashes[Privacy Hashes<br/>No Reversible PII]:::storage
    Metadata[Processing Metadata<br/>Timestamps & Sources]:::metadata
    Consent[Consent Preferences<br/>Purpose-Specific]:::consent
end

Raw --> Extract
Extract --> Hash
Hash --> Link

Link --> Hashes
Extract --> Metadata
Raw --> Consent

Raw -.->|❌ Never Stored| X[Discarded Immediately]:::discard

classDef raw fill:#ede7f6,stroke:#F44336,stroke-width:3px,color:#311B92
classDef process fill:#ede7f6,stroke:#FF9800,stroke-width:2px,color:#311B92
classDef hash fill:#ede7f6,stroke:#2196F3,stroke-width:3px,color:#311B92
classDef link fill:#ede7f6,stroke:#9C27B0,stroke-width:2px,color:#311B92
classDef storage fill:#ede7f6,stroke:#4CAF50,stroke-width:3px,color:#311B92
classDef metadata fill:#ede7f6,stroke:#795548,stroke-width:2px,color:#311B92
classDef consent fill:#ede7f6,stroke:#E91E63,stroke-width:2px,color:#311B92
classDef discard fill:#ede7f6,stroke:#9E9E9E,stroke-width:1px,color:#311B92

```

```mermaid graph TD subgraph "Identity Sources" Email[Email Address
Primary Identifier]:::primary Phone[Phone Number
Secondary Identifier]:::secondary CustomerID[Platform Customer ID
System-Specific]:::system SessionID[Session Identifier
Temporary]:::temp end

Text Only

subgraph "Privacy Hashing"
    Salt[Unique Salt<br/>Per Data Controller]:::salt
    Hash1[SHA-256 Hash<br/>Email + Salt]:::hash
    Hash2[SHA-256 Hash<br/>Phone + Salt]:::hash
    Hash3[SHA-256 Hash<br/>Customer ID + Salt]:::hash
end

subgraph "Privacy Links"
    Link[Privacy-Preserving Link<br/>Cross-Platform Identity]:::link
    Activities[Processing Activities<br/>Hash-Based References]:::activity
    Rights[Rights Requests<br/>Identity Resolution]:::rights
end

%% Hashing process
Email --> Salt
Phone --> Salt
CustomerID --> Salt

Salt --> Hash1
Salt --> Hash2
Salt --> Hash3

%% Link generation
Hash1 --> Link
Hash2 --> Link
Hash3 --> Link

%% Privacy operations
Link --> Activities
Link --> Rights

%% Temporary data
SessionID -.->|❌ Not Persisted| X[Session Expiry]:::discard

classDef primary fill:#ede7f6,stroke:#311B92,stroke-width:3px,color:#311B92
classDef secondary fill:#ede7f6,stroke:#2196F3,stroke-width:2px,color:#311B92
classDef system fill:#ede7f6,stroke:#FF9800,stroke-width:2px,color:#311B92
classDef temp fill:#ede7f6,stroke:#9E9E9E,stroke-width:1px,color:#311B92
classDef salt fill:#ede7f6,stroke:#F44336,stroke-width:3px,color:#311B92
classDef hash fill:#ede7f6,stroke:#4CAF50,stroke-width:2px,color:#311B92
classDef link fill:#ede7f6,stroke:#9C27B0,stroke-width:3px,color:#311B92
classDef activity fill:#ede7f6,stroke:#795548,stroke-width:2px,color:#311B92
classDef rights fill:#ede7f6,stroke:#E91E63,stroke-width:2px,color:#311B92
classDef discard fill:#ede7f6,stroke:#9E9E9E,stroke-width:1px,color:#311B92

```

Performance Architecture¶

High-performance architecture designed for global scale and low-latency privacy operations:

Caching Strategy¶

Cache Layer	Technology	Purpose	Configuration
CDN Cache	CloudFront	Static assets, widget delivery	Edge locations worldwide
API Cache	Redis 7.4.6	GraphQL query results	Configurable TTL per query
Database Cache	PostgreSQL Buffer	Query result caching	Database-managed buffer pool
Distributed Locks	Redis Cluster (3 nodes)	Redlock consensus for webhook deduplication	30s lock duration, 5 retry attempts
Webhook Cache	In-Memory	HMAC validation, rate limiting	10-minute TTL

Redis Cluster Configuration

Production Redis uses a 3-node ElastiCache cluster (cache.t4g.small instances) implementing Redlock distributed locking. This ensures webhook deduplication and prevents concurrent processing conflicts across multiple ECS tasks.

Scaling Strategy¶

Service ScalingDatabase Scaling

Dxtra services use AWS ECS auto-scaling based on CloudWatch metrics. Scaling policies are configured per service based on workload characteristics:

Core Services: - dx-agent: Scales based on RabbitMQ queue depth and CPU utilization - dx-conduit: Scales based on request rate and memory utilization - Hasura GraphQL: Scales based on connection count and query latency - Tag Manager Edge: Scales based on request throughput and response time

Auto-scaling ensures services can handle traffic spikes while minimizing costs during low-usage periods.

Component	Read Scaling	Write Scaling	Backup Strategy
PostgreSQL 17	Multi-AZ read replicas	Primary with automated failover	Automated daily snapshots, 7-day retention
Redis 7.4.6	3-node cluster mode	Multi-node consensus (Redlock)	AOF persistence with daily snapshots
ClickHouse 24.12	Distributed query execution	Sharded writes with replication	S3 storage with lifecycle policies
MongoDB 6.0	3-node replica set	Primary with secondary replication	Automated daily backups to S3

Monitoring & Observability¶

Comprehensive monitoring for privacy operations, security, and performance: mermaid graph TB subgraph "Application Monitoring" Logs[Application Logs Structured JSON]:::logs Metrics[Custom Metrics Privacy KPIs]:::metrics Traces[Distributed Tracing Request Flow]:::traces Health[Health Checks Service Status]:::health end subgraph "Infrastructure Monitoring" CloudWatch[AWS CloudWatch System Metrics]:::aws Alarms[CloudWatch Alarms Automated Alerts]:::alarms Dashboard[Monitoring Dashboard Real-Time Visibility]:::dashboard end subgraph "Security Monitoring" GuardDuty[AWS GuardDuty Threat Detection]:::security Config[AWS Config Compliance Validation]:::compliance Trail[CloudTrail API Audit Logs]:::audit end subgraph "Privacy Monitoring" Rights[Rights Request SLA 30-Day Compliance]:::privacy Consent[Consent Sync Status Cross-Platform]:::privacy Breach[Breach Detection Privacy Incidents]:::privacy GDPR[GDPR Compliance Regulatory Metrics]:::privacy end %% Monitoring flow Logs --> CloudWatch Metrics --> CloudWatch Traces --> CloudWatch Health --> CloudWatch CloudWatch --> Alarms CloudWatch --> Dashboard %% Security monitoring GuardDuty --> Alarms Config --> Dashboard Trail --> Dashboard %% Privacy monitoring Rights --> Dashboard Consent --> Dashboard Breach --> Alarms GDPR --> Dashboard classDef logs fill:#ede7f6,stroke:#795548,stroke-width:2px,color:#311B92 classDef metrics fill:#ede7f6,stroke:#2196F3,stroke-width:2px,color:#311B92 classDef traces fill:#ede7f6,stroke:#9C27B0,stroke-width:2px,color:#311B92 classDef health fill:#ede7f6,stroke:#4CAF50,stroke-width:2px,color:#311B92 classDef aws fill:#ede7f6,stroke:#FF9800,stroke-width:3px,color:#311B92 classDef alarms fill:#ede7f6,stroke:#F44336,stroke-width:3px,color:#311B92 classDef dashboard fill:#ede7f6,stroke:#311B92,stroke-width:3px,color:#311B92 classDef security fill:#ede7f6,stroke:#E91E63,stroke-width:2px,color:#311B92 classDef compliance fill:#ede7f6,stroke:#009688,stroke-width:2px,color:#311B92 classDef audit fill:#ede7f6,stroke:#607D8B,stroke-width:2px,color:#311B92 classDef privacy fill:#ede7f6,stroke:#311B92,stroke-width:2px,color:#311B92

Deployment Architecture¶

Continuous Deployment Pipeline¶

graph LR
    subgraph "Development"
        Code[Source Code<br/>GitHub]:::source
        PR[Pull Request<br/>Code Review]:::review
        Test[Automated Tests<br/>Jest, Pytest, Vitest]:::test
    end

    subgraph "CI/CD Pipeline"
        Build[Docker Build<br/>Multi-Stage Images]:::build
        Security[Security Scan<br/>Snyk, Trivy]:::security
        Deploy[AWS CDK Deploy<br/>Infrastructure as Code]:::deploy
    end

    subgraph "Staging Environment"
        StagingECS[ECS Staging<br/>Pre-Production]:::staging
        StagingDB[Staging Database<br/>Anonymized Data]:::staging
        E2E[End-to-End Tests<br/>Cypress, Playwright]:::test
    end

    subgraph "Production Environment"
        ProdECS[ECS Production<br/>Multi-AZ Deployment]:::production
        ProdDB[Production Database<br/>Encrypted Storage]:::production
        Monitor[Production Monitoring<br/>Real-Time Alerts]:::monitoring
    end

    %% Development flow
    Code --> PR
    PR --> Test
    Test --> Build

    %% CI/CD flow
    Build --> Security
    Security --> Deploy
    Deploy --> StagingECS

    %% Staging validation
    StagingECS --> StagingDB
    StagingDB --> E2E
    E2E --> ProdECS

    %% Production deployment
    ProdECS --> ProdDB
    ProdDB --> Monitor

    %% Feedback loops
    Monitor -.->|Alerts| Code
    E2E -.->|Test Failures| PR

    classDef source fill:#ede7f6,stroke:#311B92,stroke-width:2px,color:#311B92
    classDef review fill:#ede7f6,stroke:#311B92,stroke-width:2px,color:#311B92
    classDef test fill:#ede7f6,stroke:#311B92,stroke-width:2px,color:#311B92
    classDef build fill:#ede7f6,stroke:#311B92,stroke-width:2px,color:#311B92
    classDef security fill:#ede7f6,stroke:#311B92,stroke-width:2px,color:#311B92
    classDef deploy fill:#ede7f6,stroke:#311B92,stroke-width:2px,color:#311B92
    classDef staging fill:#ede7f6,stroke:#311B92,stroke-width:2px,color:#311B92
    classDef production fill:#ede7f6,stroke:#311B92,stroke-width:2px,color:#311B92
    classDef monitoring fill:#ede7f6,stroke:#311B92,stroke-width:2px,color:#311B92

Architecture Documentation¶

Technical References¶

API Reference

Complete GraphQL schema and authentication details

API Documentation
Integrations

Connect your platforms to Dxtra

Integration Guide
Security

Security controls and best practices

Security Details