Technical Architecture and Infrastructure Manual
1. Implementation Methods
Safe offers total flexibility to adapt to the organisation's data security policies, allowing processing to remain wherever it is most efficient.
• On‑premises (100% Local): Installation of a dedicated server at each site. All AI processing and video storage remain within the client's private network, eliminating reliance on the cloud for critical operations.


• Hybrid Model: Deployment of Edge Servers at each plant for immediate video processing (AI), reducing latency and bandwidth consumption. These connect to a central point (Private or Public Cloud) that consolidates alerts and reports from multiple sites.
2. Technology Stack Overview
Safe uses a modular architecture based on containerised microservices, enabling agile deployment both on local servers (On-premises) and in hybrid environments. Unlike heavier infrastructures, our native stack eliminates unnecessary layers of abstraction, maximising hardware performance.

2.1. Client Layer and External Sources
• CLIENT (Browser): Main user interface. Consumes live video and displays events.
• VIDEO SOURCES: IP cameras (via RTSP) or webcams that feed the system from outside.
2.2. Ingress Layer (Edge)
• ENTRY GATEWAY (API Gateway / Reverse Proxy):
· Single entry point for all external traffic (HTTP/HTTPS, WebSockets).
· Routes requests to the corresponding internal services.
2.3. Services Layer (Backend/Microservices)
• WEB APPLICATION (Core):
· Serves the Frontend.
· Provides the REST API for management.
· Handles Authentication and Authorization.
· Entity management: users, cameras, streams, events.
· Connects to: Database and Object Storage.
• STREAMING SERVER:
· Video ingestion.
· Video output to the client (HLS/WebRTC).
· Stream protection via token.
• EMAIL SERVER (Optional):
· Sending notifications and alerts by email.
• INFERENCE API (AI):
· Captures video streams from cameras.
· Performs object detection, pose analysis and tracking.
· Connects to: Message Queue (publishes results).
• REAL-TIME EVENT SERVER:
· Handles WebSocket connections.
· Pushes processed events to the client.
2.4. Processing and Orchestration Layer
• MESSAGE QUEUE:
· Intermediate buffer that receives raw detections from the AI.
• ORCHESTRATOR (Business logic core):
· Consumes detections from the Message Queue.
· Reads camera and zone configuration from the Database.
· Evaluates complex business rules to create events and alarms.
· Manages the state (start/stop) of analysis per camera.
· Connects to: Database, Object Storage, Event Server (to notify the client) and Email Server.
2.5. Persistence Layer (Storage)
• DATABASE (Relational/Document):
· Stores structured data: Users, Organisations, Camera/Stream/Zone configuration, Event History, Sessions.
• OBJECT STORAGE (Files):
· Stores unstructured data: Event images, user avatars, generated reports.
3. Infrastructure and Deployment
Safe is deployed on Linux systems using Docker Compose, which facilitates portability and consistency across environments, and natively on Windows.
3.1. Environment Segregation (SDLC)
To ensure service stability, Safe's development follows a lifecycle (SDLC) with fully isolated runtime environments:
• Development/Test Environment:
Where new analytics or features are validated without affecting the live plant.
• Production Environment:
Configuration optimised for high availability and maximum hardware performance.
3.2. Layered Security
• Network Isolation:
on Linux, containers run on a private internal Docker network, exposing only the necessary services (80/443) through Traefik.
• Access Management:
Administrative access to the infrastructure is done via secure protocols such as SSH (port 22) with mandatory authentication.
4. Persistence and Recovery Management
• Database (PostgreSQL):
Stores camera configuration, users and historical alert records.
• Object Storage:
Acts as a local S3 repository to store video clips and evidence of security violations.
• Continuity:
In critical configurations, data replication is recommended to minimise the Recovery Point Objective (RPO) in the event of hardware failure.
5. Data Segregation and Multi-tenancy
For clients with multiple sites or departments, Safe guarantees total logical security where data is never mixed.
• Unique Tenant ID:
Each system entity (cameras, alerts, recordings and users) is irrevocably linked to a unique client identifier (Tenant ID).
• Automatic Tenancy Filter:
The system automatically applies a filter on every database query or file request; this ensures a user can only view or manage resources that strictly belong to their "tenant".
6. High-Availability Video Management
For delay-free camera viewing, Safe implements a viewer using MediaMTX. This component enables:
• Ingestion:
Receiving streams from IP cameras via RTSP or browser webcams.
• Multi-format Output:
Dynamic conversion to HLS or WebRTC, enabling smooth playback in any modern browser with low latency
7. Sub-processors and Compliance Table
In line with our transparency policy, we detail the third-party services used for auxiliary functions and their security certifications.
| Sub-processor / Third Party | Function in the Stack | Data Processed / Transferred | Security Certifications |
|---|---|---|---|
| Cloudflare | CDN, WAF protection and web asset caching. | Traffic metadata (IP, browser), static assets (JS, CSS). | SOC 2 Type II, ISO 27001, PCI DSS.+1 |
| Resend / SMTP | Sending alert notifications and diagnostics. | Email addresses, alert content and evidence screenshots. | SOC 2 Type II, GDPR Compliance. |
| PostHog | Usage analytics and user experience. Web demo only | Navigation events, clicks and user identification (optional). | SOC 2, ISO 27001, HIPAA. |
| Vercel Analytics | Performance metrics and Speed Insights. Web demo only | Load times, web vitals metrics and application usage. | SOC 2 Type II, ISO 27001. |
| Sentry | Real-time error and stability monitoring. | Error traces, session context and code failure logs. | SOC 2 Type II, ISO 27001, HIPAA. |
Note for Full On-Premise installations: In 100% local deployments, these services are replaced by the client's internal services to guarantee full data sovereignty.
Contact & Support
For technical questions about hardware compatibility or custom quotes, contact us at:
• Technical Support: support@safe.ai
• Sales: commercial@safe.ai

