Backend Architecture
CEREBRAL STRATUM is a multi-tenant GPS tracking SaaS platform with AI-powered anomaly detection, geofencing, and a notification system — designed as an intelligent layer of services, communications, and protocols.
Tenancy Model
The platform uses a schema-per-tenant PostgreSQL model. Each tenant (B2B organisation) has an isolated schema. BlueGuardian Co operates its own schema (blueguardian) which serves as the tenant for:
Residential/consumer customers (not associated with any org)
Unassociated or unowned fleet devices
Fleet managed on behalf of organisations that have purchased a managed service
User Tiers
Tier | Description | Scope |
|---|---|---|
Platform Operator | BlueGuardian Co staff | Cross-tenant, privileged |
Tenant Operator | B2B org admin/fleet manager | Within their tenant schema |
Tenant User | End user within a B2B org (driver, field worker) | Within their tenant schema |
Consumer | Residential customer | Within the |
Privileged Access
Platform operators require step-up authentication for elevated access, implemented via Keycloak using a token/user impersonation flow that requires explicit end-user approval. Key constraints:
Audit log entries must record both the acting platform operator and the impersonated user
Notifications read during an impersonation session must not mark the end user's notifications as read
The impersonation request and approval events are themselves notification-worthy
Service Architecture
The backend is composed of five services:
1. Primary Backend
Technology: Quarkus, Hibernate ORM, PostgreSQL (PostGIS)
Responsibilities:
Exposes all REST API endpoints consumed by the frontend
Consumes GPS ping and device status messages from AMQ Streams (Kafka) via SmallRye Reactive Messaging (
@Incoming) and persists them to PostgreSQLServes notification and entitlement data to the frontend — it does not own the generation or sync of these, only the read path
2. Anomaly Detection
Technology: Python, scikit-learn (Isolation Forest)
Responsibilities:
Subscribes to the
gps.pingsKafka topicRuns per-tenant, per-device Isolation Forest models to score incoming pings
Publishes anomaly score events to the
anomaly.scorestopicTenant and model isolation is strictly maintained — no cross-tenant data paths
3. Notification Dispatch
Technology: TBD
Responsibilities:
Subscribes to multiple Kafka topics and evaluates trigger conditions
Writes notification records and per-recipient delivery rows to the appropriate tenant schema
Fans out push notifications via FCM (Android + Web) and APNs (iOS)
Manages push token lifecycle — removes stale tokens on FCM/APNs rejection
4. Device Onboarding & Registration
Technology: TBD
Responsibilities:
Handles device provisioning, certificate management, and tenant association
Distinct deployment and scaling lifecycle from real-time tracking components
Tighter audit controls around registration events
5. Billing & Entitlement Sync
Technology: TBD
Responsibilities:
Shopify is the source of truth for all subscription and billing data
Receives Shopify webhooks (order created, subscription updated, payment failed, etc.) with HMAC verification
Runs a periodic reconciliation job — diffs Shopify state against locally cached entitlement values and flags discrepancies
Writes canonical entitlement state back to the relevant tenant/user profile, including a
subscription_synced_attimestamp for staleness diagnosticsPublishes entitlement change events to the
subscription.updatesKafka topicDoes not serve entitlement data directly to the frontend — that is the primary backend's responsibility
Does not make billing decisions — it reflects what Shopify says
Message Bus
All inter-service event flow is via Eclipse Hono → AMQ Streams (Kafka). All device traffic arrives structured and typed; no classification layer is required.
Notification System
Data Model
Notifications follow an event + recipient pattern: one notification record is created per event occurrence, with separate per-recipient rows tracking delivery and read state.
Design notes:
target_audienceis an array to support notifications targeting multiple tiers simultaneouslymetadataJSONB keeps the schema stable as new event types are addedCross-tenant platform-level notifications are written to the
blueguardianschema's notification tablesSubscription threshold notifications require deduplication
Notification Event Triggers
Kafka Topic | Trigger Condition | Target Audience |
|---|---|---|
| No ping received for device within threshold window |
|
| Score exceeds configured threshold |
|
| Device entry or exit event |
|
| Registration success/failure, device online/offline |
|
| Utilisation ≥ 80%, utilisation = 100%, subscription lapsed |
|
Internal | Impersonation access requested by platform operator |
|
Internal | Impersonation access approved by user |
|
Push Dispatch Flow
API Endpoints (Primary Backend)
Subscription & Entitlement Model
Shopify is the authoritative source for all billing and entitlement data
The database holds a local cache of entitlement state (
subscription_entitlement,subscription_used,subscription_synced_at) for fast query and diagnosticsPlatform operators can view both the Shopify-sourced values and the DB-cached values to diagnose discrepancies
subscription_synced_atallows platform operators to immediately identify a stale cache during support investigationsB2B orgs may have one or more Shopify billing accounts; consumers have a single account — the billing sync service handles both models
Key Design Principles
Tenant isolation at every layer — DB schemas, Kafka consumers, ML models, and notification tables all respect the tenant boundary with no cross-tenant data paths
Least-privilege DB roles — separate roles scoped tightly to their function
Offline/air-gapped compatibility — no external CDN or runtime dependencies for core platform operation
Shopify as billing source of truth — the platform reflects Shopify state, never diverges from it as the authoritative record
Audit trail for privileged access — all impersonation sessions are logged with both the platform operator and end user identity; end-user approval is required before access is granted
UTC storage — all timestamps stored in UTC; timezone conversion is handled at the application layer