Architecture and Technical Design

Kwik Vault ships as a unified platform with clear capability boundaries inside a single deployable core. Supporting data and infrastructure services run alongside the application tier.

Overview

Each bank receives a dedicated Deployment Instance. The platform ingests documents from integrated source systems (KYC flows, document services, branch uploads), stores file content in object storage, indexes metadata in a search index, routes approvals through a workflow engine, and records an append-only audit chain in a relational store.

High-Level Architecture

Pan, scroll, or pinch to zoom · use controls for fit and zoom

Platform Capabilities

Capability	Role
Ingest	Accept uploads; validate metadata; store blobs; create versions
Metadata	Document schema definition and validation
Search	Federated customer and document discovery
Workflow	Approval state machine and durable lifecycle orchestration
Audit	Append-only audit entries with integrity chain
Tenancy	Organization, department, and branch scope
Access Control	Permission checks and department-scoped RBAC
Identity	User provisioning and integrator credential management
AI	Pluggable natural-language discovery over governed corpus

Metadata and access control are shared foundations consumed by other capabilities; they do not expose a separate public interface.

Infrastructure Layer

Component	Role
Web Portal	Upload, documents, approvals, audit, and configuration UI
Core Platform API	REST API surface for portal and integrators
Workflow Processor	Runs approval and lifecycle workflows
Relational Store	Documents, tenants, workflow state, and audit chain
Object Storage	Versioned document blob store
Search Index	Metadata and full-text retrieval
Workflow Engine	Durable orchestration for multi-step approvals
Identity Service	SSO federation and machine-to-machine authentication

Tenancy Model

One Organization per Deployment Instance.
One Operational Tenant plus zero or more Restricted Tenants for compliance, audit, and treasury isolation.
Federated Search returns only documents in tenants the user is authorized to access.
Cross-tenant access is always logged in the Audit Trail.

Document Identity

Concept	Description
DMS ID	System UUID for each Document; shown in Documents and Audit tables
Business Key	`source_tag` + `external_id` (e.g. `vkyc:session-123`)
Version	Re-ingest with the same Business Key creates a new version
Current Version	Latest `approved` version; pending amendments do not replace it

Logical Folder Structure

Documents are stored under a deterministic logical hierarchy (not a user-managed folder tree):

{organization}/{department}/{document_category}/{customer_id}/{business_key}/v{version}

Segment	Maps to	Example
Customer ID	CIF, PAN, or account number from `customer_refs`	`12345678`
Document type	`document_category` ingest field	`kyc_vkyc`
Parent ID	`external_id` or `custom_attributes.parent_id` for child documents	`loan-app-456`

Re-ingesting with the same Business Key creates a new version on the same DMS ID without overwriting prior blobs. See Storage and Lifecycle for ILM tiering and Operations Guide for department onboarding.

Version Approval State Machine

Benefits

Scalable design: Core capabilities can scale independently as document volume grows.
Proven infrastructure patterns: Object storage, search indexing, workflow orchestration, and identity federation use industry-standard roles.
Bank-grade isolation: Dedicated instance per bank prevents data commingling across institutions.

Next Steps

Security and Compliance: encryption and access controls
Storage and Lifecycle: ILM tiers and retention policies
Login: identity and SSO configuration
Deployment: service health monitoring and capacity planning
Integration APIs: ingest contract and REST endpoints
Introduction: back to Kwik Vault overview

Architecture

On this page