Reference Architecture
A condensed reference architecture for vendor-risk reviewers. The full data-flow diagrams and trust-boundary maps are available under NDA.
Component overview
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ PARTNER (bank / ISO) โ
โ โโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโ โ
โ โ Bank CRM โ โ Bank merchant โ โ Bank support โ โ
โ โ (server-side โ โ portal embeds โ โ AI agent โ โ
โ โ REST calls) โ โ our iframe โ โ uses MCP โ โ
โ โโโโโโโโโฌโโโโโโโโโ โโโโโโโโโโฌโโโโโโโโโโ โโโโโโโโฌโโโโโโโโ โ
โโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโ
โ X-API-Key โ X-API-Key โ X-API-Key
โผ โผ โผ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ API Gateway (api.complianceassessmenttool.com) โ
โ + Lambda Function URLs (long-running) โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ
โโโโโโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโ
โผ โผ โผ
โโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโ
โ cat-api-server โ โ cat-mcp-whitelabel โ โ Fill_SAQ_PDF + โ
โ (Lambda) โ โ (Lambda) โ โ prefill durable โ
โโโโโโโโโโฌโโโโโโโโ โโโโโโโโโโโฌโโโโโโโโโโโ โ step-fn (Lambda) โ
โ โ โโโโโโโโโโโโฌโโโโโโโโโโ
โ โ โ
โผ โผ โผ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ DynamoDB (us-east-1, KMS-encrypted) โ
โ CATPartner CATPartnerMerchant CATPaymentMethod โ
โ CATSAQAttempt CATSAQResponse CATAuditEvent โ
โ CATApiUsage CATComplianceSession โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ
โผ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ S3 (us-east-1, SSE-S3 + KMS) โ
โ saq-pdfs (field mappings) saq-pdfs-final (sealed) โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ
โผ (HTTPS API call, no-training)
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ OpenAI Responses API (gpt-5-nano + assistant for prefill) โ
โ DPA in force; org-JZrfeV5ZWRQ4S6T7MfWaO4pC โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
Trust boundaries
- Partner โ CAT: HTTPS with TLS 1.2+, partner API key in
X-API-Keyheader (or short-lived deep-link URL). - CAT โ OpenAI: HTTPS, bearer token; API data not used for training, retained โค30 days by OpenAI. Payload limited to PCI control text + the merchant's natural-language answers โ never CHD.
- CAT โ AWS services: IAM role-based, least privilege, scoped per Lambda. No long-lived static credentials.
- CAT โ Partner webhook URL: HTTPS, HMAC-SHA256 signed, partner-supplied secret.
Data flow โ typical merchant flow (chat / iframe / REST)
- Partner authenticates the merchant on the partner's portal.
- Partner embeds our iframe (or 302-redirects to it) with
?apiKey=โฆ&merchantId=โฆ. - Merchant completes onboarding โ payment method โ SAQ determination โ section answers โ AoC review โ signature โ finalize.
- On finalize, we mirror responses into the existing SaaS pipeline, run the durable prefill (one OpenAI call per PDF page), promote winning rows to pdf-final, and invoke Fill_SAQ_PDF to stamp the official PCI templates into S3.
- Permanent auth-gated download URLs (under
/v1/merchants/…/documents/saq.pdfand…/documents/aoc.pdf) are returned in the API response and the same documents are emailed to the merchant. - The partner receives webhooks for
saq.submittedand, if applicable,merchant.compliant.
What never crosses the wire
- Cardholder data (PAN, CVV, track, PIN) โ our schema does not accept it and our system prompts refuse it.
- End-merchant credentials to the partner โ we never see how the merchant authenticated to the bank.
- Partner's bank-side production systems โ we only receive webhook receipts when a partner is configured.
Resiliency
Stateless Lambda + DynamoDB design tolerates instance-level failure transparently. DynamoDB point-in-time recovery enabled (35-day window). S3 versioning enabled. RTO target 4 hours, RPO target 1 hour. We do not currently run multi-region active-active; cross-region recovery uses the documented procedure in our BCP/DR plan.