Architecture

Claresia is six logical layers running across three deployment modes. This page is the procurement-ready reference; the Security Whitepaper is the deeper dive.

Six logical layers

| Layer | Location | SLA |
| --- | --- | --- |
| Identity & Access | Always Claresia Cloud | 99.99% |
| Intelligence Hub | Claresia A/B · Customer C | 99.9% A/B |
| Distribution Plane | Always Claresia Cloud | 99.9% · <60s p99 publish |
| Telemetry Pipeline | Claresia · Customer-side redaction in Mode C | 99.9% · <5min p95 surface |
| Command Center | Always Claresia Cloud | 99.95% |
| End-User Surfaces | Inside customer LLM tenant | Customer-managed |

Mode A

Claresia Cloud (Shared SaaS)

Multi-tenant SaaS with Row-Level Security per tenant. 24-hour time-to-go-live. 99.5% SLA. Recommended for organisations under 200 seats with no residency requirement.

Figure: Mode A — shared SaaS topology with RLS-isolated Postgres, customer LLM, and Claresia Cloud control plane.

Customer-side install: zero. Paste an Anthropic Admin API key. No agents, no daemons, no code in customer infra.

Mode B

Claresia Cloud Dedicated

Dedicated Postgres cluster per tenant with customer-managed encryption key, regional pinning, dedicated subnet, IP allowlisting, and Customer Lockbox for operator access. 5-day go-live. 99.9% SLA.

Figure: Mode B — dedicated tenant Postgres with CMEK, regional pin, dedicated subnet.

EU-pinned dedicated tenant with CMEK, GDPR Schrems II compliant, BAA optional.

Mode C

Customer Cloud (BYOC)

Hub data plane lives entirely in your cloud. Only telemetry envelopes (no payloads) flow back over mTLS to Claresia. Deployed via Terraform modules: claresia/aws-byoc, azure-byoc, gcp-byoc. 2-6 weeks go-live.

Figure: Mode C — control plane in Claresia, data plane in customer cloud, mTLS envelope-only flow back.

Customer-owned Hub data plane. Customer-managed encryption. Customer-issued mTLS certs. Claresia operator access via Customer Lockbox.

Identity & Permission Flow

Figure: Identity flow showing user → WorkOS → customer IdP → token → JWT, plus SCIM 2.0 lifecycle.

Customer IdP is the source of truth. SCIM 2.0 propagates user changes (deprovision, group changes, department moves) in under 30 seconds.

Architecture review on demand

For procurement-stage architecture deep-dives, Claresia engineering will join your security review on a 60-minute call to walk through the diagrams above with your network, identity, and AppSec leads. No customer-specific deck required.
