Infrastructure & Architecture

• GDPR: Compliant
• DORA: Compliant
• ISO 27001: Q1 2026

Key security principles at Onesurance

End-to-end encryption for all data in transit and at rest

Multi-factor authentication mandatory for all users

24/7 security monitoring with automated incident detection

Data residency within the EU (Azure West-Europe)

ISO 27001 certification in preparation (target Q1 2026)


Certifications and Standards

Onesurance adheres to the highest security and compliance standards in the financial sector. Below is an overview of our current certifications and roadmap.

Certification

Description

Status

TRUST CENTER - INFRASTRUCTURE & ARCHITECTURE

Onesurance Infrastructure & Architecture
Last updated: December 2024

Our Platform

Onesurance runs on a modern, cloud-native architecture optimized for scalability, security and high availability. We use Microsoft Azure's enterprise-grade infrastructure, specifically the West-Europe region, to ensure that all data stays within the EU and to provide low latency for our European customers.

Cloud Infrastructure

Microsoft Azure - West-Europe
• Region: West-Europe (Amsterdam, Netherlands)
• Availability Zones: Multiple availability zones used for redundancy
• Data residency: 100% within the EU, no data outside Europe
• Compliance: ISO 27001, ISO 27017, ISO 27018, SOC 2, GDPR-compliant
• SLA: 99.99% uptime guarantee from Microsoft
• Physical security: Biometric access, 24/7 monitoring, multi-layer security

Why Azure?
• Enterprise-grade security and compliance
• Extensive compliance certifications
• GDPR and DORA compliance out-of-the-box
• Advanced security tools (Security Center, Sentinel)
• High availability and disaster recovery capabilities
• EU data residency guarantees
• Excellent performance and low latency for EU customers

Platform Architecture

High-Level Architecture

[Input Sources]
    ↓
[API Gateway + WAF]
    ↓
[Application Layer]
    ├─ Risk Engine
    ├─ Defend Agent (AI)
    ├─ Churn Model
    ├─ CLV Calculator
    └─ Next Best Product
    ↓
[Data Layer]
    ├─ Azure SQL Database
    ├─ Blob Storage
    └─ Cache (Redis)
    ↓
[Output/Integration Layer]

Components

1. API Gateway Layer

  • Azure API Management

  • Request routing, rate limiting, authentication

  • Web Application Firewall (WAF) for protection

  • DDoS protection

2. Application Services

  • Azure App Services / Container Instances

  • Auto-scaling based on load

  • Health monitoring and auto-healing

  • Blue-green deployments for zero-downtime updates

3. Processing Layer

  • Risk Engine: Risk analyses and calculations

  • Defend Agent: AI-driven customer service

  • Churn Model: Predictive analytics for customer retention

  • CLV Calculator: Customer lifetime value calculations

  • Next Best Product: Product recommendations

4. Data Storage

  • Azure SQL Database: Primary data storage

  • Azure Blob Storage: Documents, files, backups

  • Azure Cache for Redis: Performance optimization

  • Azure Key Vault: Secrets and encryption keys

5. Monitoring & Logging

  • Azure Monitor: Application and infrastructure monitoring

  • Azure Log Analytics: Centralized logging

  • Azure Application Insights: Performance monitoring

  • Azure Sentinel: Security information and event management (SIEM)

Network Architecture

Virtual Network (VNet)
• Isolated network within Azure
• Subnets for segregation:

  • Front-end subnet (API Gateway)

  • Application subnet (App Services)

  • Database subnet (private, no internet access)

  • Management subnet (admin access)

Network Security
• Network Security Groups (NSGs): Firewall rules per subnet
• Azure Firewall: Centralized network filtering
• Private Endpoints: Databases not exposed to internet
• Service Endpoints: Secure connection to Azure services
• No public IP addresses for sensitive resources

Connectivity
• Internet ingress: Via Azure Front Door with WAF
• Client VPN: Available for enterprise customers
• Azure ExpressRoute: Option for dedicated private connection
• API endpoints: RESTful APIs over HTTPS only

High Availability & Redundancy

Availability Zones
• Multi-zone deployment: Resources distributed across 3 availability zones
• Failover: Automatic failover between zones on failure
• No single point of failure: All critical components are redundant
• SLA: 99.99% uptime (max. 52 minutes of downtime per year)

Load Balancing
• Azure Load Balancer: Traffic distribution across instances
• Health probes: Continuous checking of instance health
• Auto-healing: Unhealthy instances are replaced automatically
• Geographic distribution: Traffic routing to the nearest healthy instance

Database Redundancy
• Azure SQL Database: Automatic geo-replication
• Read replicas: For performance and disaster recovery
• Point-in-time restore: Backup every 5 minutes
• Long-term retention: Weekly backups for up to 10 years
• Automatic failover groups: On database failure

Performance & Scalability

Auto-Scaling
• Horizontal scaling: More instances under high load
• Vertical scaling: Larger instance type when needed
• Metrics-based: CPU, memory, request count triggers
• Schedule-based: Preemptive scaling for expected peaks
• Scale-in protection: Gradual scale-down to ensure stability

Performance Optimization
• Caching: Azure Cache for Redis for frequently accessed data
• CDN: Azure CDN for static assets
• Database indexing: Optimized queries and indexes
• Connection pooling: Efficient database connections
• Asynchronous processing: Non-blocking operations where possible

Capacity Planning
• Monitoring: Continuous monitoring of resource utilization
• Alerts: Proactive alerts when nearing capacity
• Regular reviews: Quarterly capacity planning sessions
• Growth projections: Forecasting based on trends
• Headroom: Maintain 30% headroom for unexpected spikes

Security (see also Template 03)

Defense in Depth

  1. Perimeter: Azure Firewall, DDoS Protection, WAF

  2. Network: NSGs, VNet isolation, Private Endpoints

  3. Application: Secure coding, input validation, auth/authz

  4. Data: Encryption at rest (AES-256), in transit (TLS 1.3)

  5. Identity: Azure AD, MFA, RBAC, PIM

  6. Monitoring: Azure Security Center, Sentinel, 24/7 SOC

Security Tools
• Azure Security Center: Security posture management
• Azure Sentinel: SIEM and threat detection
• Azure Defender: Advanced threat protection
• Azure Policy: Compliance enforcement
• Azure Blueprints: Governance at scale

Data Protection
• Encryption at rest: AES-256 on all storage
• Encryption in transit: TLS 1.3 minimum
• Key management: Azure Key Vault with HSM
• Backup encryption: Separate encryption keys
• No data export: None outside the EU without explicit consent

Backup & Disaster Recovery

Backup Strategy

Database Backups
• Frequency: Automatic backups every 5 minutes
• Retention:

  • Point-in-time restore: 35 days

  • Long-term backups: Weekly for 10 years
• Geo-redundant: Replicated to paired Azure region (within the EU)
• Encryption: All backups encrypted with AES-256
• Testing: Monthly restore tests

Application & Configuration Backups
• Infrastructure as Code: Terraform/ARM templates in Git
• Configuration: Versioned and backed up
• Container images: Stored in Azure Container Registry
• Frequency: Continuous (upon change)
• Retention: Indefinite (version history)

File Storage Backups
• Blob storage: Geo-redundant replication
• Versioning: Enabled to recover from overwrites
• Soft delete: 30 days retention
• Immutable storage: For compliance-critical data

Disaster Recovery Plan

RTO & RPO Targets
• Recovery Time Objective (RTO): 4 hours
• Recovery Point Objective (RPO): 5 minutes
• Meaning: Maximum 4 hours of downtime, maximum 5 minutes of data loss

DR Strategy
• Active-passive: Primary in West-Europe, failover to North-Europe (within the EU)
• Automated failover: For databases and critical services
• Manual failover: For full site failover (after assessment)
• Failback: Controlled process after primary recovery

DR Testing
• Frequency: Semi-annual (twice a year)
• Scope: Full DR simulation, failover and failback
• Documentation: Runbooks updated after each test
• Lessons learned: Improvements implemented

Disaster Scenarios

  1. Availability Zone failure: Automatic failover (minutes)

  2. Region failure: Manual failover to paired region (hours)

  3. Data corruption: Point-in-time restore (minutes to hours)

  4. Ransomware: Restore from immutable backups (hours)

  5. Major Azure outage: Escalation to Microsoft, contingency plans

Monitoring & Observability

Application Monitoring
• Azure Application Insights: Performance, availability, usage
• Metrics: Response times, error rates, throughput
• Distributed tracing: End-to-end request tracking
• Dependency tracking: External service calls
• Real user monitoring: Client-side performance

Infrastructure Monitoring
• Azure Monitor: Metrics for all resources
• Log Analytics: Centralized log aggregation
• Metrics collected:

  • CPU, memory, disk, network utilization

  • Request rates, error rates

  • Database performance metrics

  • Cache hit rates
• Retention: 90 days online, 1 year archived

Alerting
• Multi-level alerting: Info, Warning, Error, Critical
• Notification channels: Email, SMS, PagerDuty, Teams
• On-call rotation: 24/7 coverage for critical alerts
• Escalation paths: Defined escalation on non-response
• Alert fatigue management: Regular review and tuning

Dashboards
• Executive dashboard: High-level metrics (uptime, performance)
• Operations dashboard: Detailed system health
• Security dashboard: Security events, threats, compliance
• Custom dashboards: Per team/function
• Public status page: www.onesurance.ai/status

Compliance & Governance

Infrastructure Compliance
• Compliance frameworks: ISO 27001, GDPR, DORA
• Azure Policy: Enforced security baselines
• Regulatory compliance dashboard: Azure Security Center
• Audit logs: All configuration changes logged
• Immutable logs: Logs cannot be modified or deleted

Change Management
• Change approval: All production changes reviewed
• Change windows: Scheduled maintenance windows
• Rollback procedures: Documented for all changes
• Post-change verification: Health checks after deployment
• Change log: Audit trail of all infrastructure changes

Asset Management
• Inventory: All resources tagged and tracked
• Classification: By criticality and data sensitivity
• Ownership: Assigned owners per resource
• Lifecycle management: Decommissioning procedures
• Cost tracking: Per resource, per team, per customer

Development & Operations

DevOps Practices
• CI/CD: Automated build, test, deploy pipelines
• Infrastructure as Code: Terraform for reproducibility
• GitOps: All config in version control
• Automated testing: Unit, integration, security tests
• Blue-green deployments: Zero-downtime updates

Environments
• Development: Isolated, feature branches
• Staging: Production-like, for final testing
• Production: Live environment
• Data: Anonymized in non-production environments
• Access: Strictly controlled per environment

Release Process

  1. Code review and approval

  2. Automated security scans

  3. Deployment to staging

  4. Automated and manual testing

  5. Approval for production

  6. Deployment to production (blue-green)

  7. Post-deployment verification

  8. Monitoring for issues

Performance & Availability SLA

Service Level Agreement
• Uptime: 99.9% monthly uptime guarantee
• Calculation: (Total minutes - downtime) / Total minutes
• Exclusions: Planned maintenance (outside business hours)
• Measurement: Automated external monitoring
• Reporting: Monthly SLA reports available

Planned Maintenance
• Frequency: Monthly maintenance windows
• Schedule: Announced minimum 7 days in advance
• Timing: Outside business hours (20:00 - 06:00 CET)
• Duration: Maximum 4 hours
• Zero-downtime: Uses blue-green deployments where possible

Incident Response (see Template 06)
• Detection: Automated monitoring + manual reporting
• Response: <15 minutes for critical issues
• Communication: Status updates every hour during an incident
• Post-mortem: Within 5 working days after a major incident

Technology Stack

Languages & Frameworks
• Backend: Python, Node.js
• Frontend: React, TypeScript
• Data processing: Python (pandas, scikit-learn)
• Infrastructure: Terraform, ARM templates

Databases & Storage
• Relational: Azure SQL Database
• Caching: Azure Cache for Redis
• Blob storage: Azure Blob Storage
• Search: Azure Cognitive Search

AI/ML Stack
• Training: Azure Machine Learning
• Inference: Azure Container Instances
• Models: TensorFlow, PyTorch, scikit-learn
• MLOps: Azure DevOps for model lifecycle

Third-Party Services (see Template 08)
• Cloud infrastructure: Microsoft Azure
• Development tools: GitHub, Azure DevOps
• Monitoring: Azure Monitor, Application Insights
• Security: Azure Security Center, Sentinel

Future Plans

Short-term (6-12 months)
• Kubernetes migration for improved orchestration
• Enhanced observability with distributed tracing
• Additional availability zone expansions
• Improved auto-scaling algorithms
• Expanded monitoring and alerting

Long-term (1-2 years)
• Multi-region active-active setup (if customers require it)
• AI/ML model improvements
• Advanced analytics capabilities
• IoT integration possibilities
• Edge computing for ultra-low latency (if relevant)

Customer Access

API Documentation
• OpenAPI (Swagger) specs available
• Interactive API docs: Try-it-out functionality
• Code samples: Python, JavaScript, cURL
• Postman collection: For easy testing
• Webhooks: Real-time notifications

Integration Support
• Dedicated integration support
• Sandbox environment for testing
• Rate limits: Clearly communicated
• SLA for API uptime: 99.9%
• Version deprecation: 12 months notice

Contact

For technical questions and architecture:
• Technical Team: dpo@onesurance.ai
• API Support: dpo@onesurance.ai
• Infrastructure Incidents: dpo@onesurance.ai (24/7)

Onesurance B.V. | Breda, Netherlands | KvK (Chamber of Commerce): 87521997