Sepfluor - Community Impact Visibility Platform - Technical Overview
Sepfluor: Technical Overview
Section titled “Sepfluor: Technical Overview”Community Impact Visibility Platform
Section titled “Community Impact Visibility Platform”Purpose: Provide comprehensive technical documentation for IT/security stakeholders evaluating the Community Impact Visibility Platform for mining SLP compliance, impact storytelling, and industry recognition.
Audience: IT Directors, Security Officers, Database Administrators, Compliance Teams
Executive Technical Summary
Section titled “Executive Technical Summary”Platform Type: Cloud-native SaaS platform with optional on-premise deployment
Technology Stack:
- Backend: Python 3.11+ (FastAPI framework)
- Database: PostgreSQL 15+ (relational database with PostGIS extension for geospatial data)
- Frontend: Next.js 14+ (React framework with server-side rendering)
- Caching: Redis 7+ (in-memory data store)
- Hosting: Railway.app (built on Google Cloud Platform / AWS)
- Data Residency: Hetzner Cape Town (South African data center - POPIA compliant)
- File Storage: S3-compatible object storage (encrypted at rest)
Deployment Model:
- Pilot (Recommended): Multi-tenant SaaS (dedicated database schema, shared infrastructure)
- Production: Single-tenant SaaS (dedicated infrastructure, optional VPC)
- Enterprise: On-premise deployment (full control, requires IT infrastructure)
Security Certifications:
- ISO 27001 (Hetzner Cape Town data center)
- POPIA compliant (South African data residency, encryption, access controls)
- SOC 2 Type II (in progress - Q2 2025 target)
Key Technical Differentiators:
- ✅ South African data residency (Hetzner Cape Town - POPIA compliance out-of-box)
- ✅ Open-source stack (no vendor lock-in, portable to any cloud or on-premise)
- ✅ RESTful APIs (easy integration with HR systems, ERP, document management)
- ✅ Scalable architecture (handles 400,000+ users proven at SACE)
- ✅ Mobile-first responsive design (accessible from mine sites, remote locations)
Architecture Overview
Section titled “Architecture Overview”High-Level System Architecture
Section titled “High-Level System Architecture”┌─────────────────────────────────────────────────────────────────┐│ End Users ││ (Community Relations, ESG Manager, CEO/Chairman, Communities) │└────────────┬────────────────────────────────────┬───────────────┘ │ │ ▼ ▼┌────────────────────────┐ ┌────────────────────────────┐│ Web Application │ │ Public Impact Portal ││ (Internal Dashboards)│ │ (community.sepfluor.co.za) ││ │ │ ││ - SLP Dashboards │ │ - GIS Project Map ││ - Mining Indaba │ │ - Beneficiary Stories ││ - DMRE Reports │ │ - Impact Counters ││ - GRI 14 Tracking │ │ - Multi-Language │└────────────┬───────────┘ └────────────┬───────────────┘ │ │ │ HTTPS/TLS 1.3 │ ▼ ▼┌─────────────────────────────────────────────────────────────────┐│ Application Layer ││ (Railway.app - Load Balanced) ││ ││ ┌──────────────────────────────────────────────────────────┐ ││ │ FastAPI Backend (Python) │ ││ │ │ ││ │ - RESTful APIs │ ││ │ - Authentication & Authorization │ ││ │ - Business Logic (SLP compliance, beneficiary tracking) │ ││ │ - PDF Generation (Mining Indaba, DMRE reports) │ ││ │ - ML Risk Prediction (production phase) │ ││ │ - Data Validation & ETL │ ││ └──────────────────────────────────────────────────────────┘ ││ ││ ┌──────────────────────────────────────────────────────────┐ ││ │ Next.js Frontend (React) │ ││ │ │ ││ │ - Server-Side Rendering (SSR) │ ││ │ - Client-Side Routing │ ││ │ - Responsive UI/UX (mobile-first) │ ││ │ - Chart Libraries (Recharts for dashboards) │ ││ │ - GIS Mapping (Leaflet/Mapbox for project locations) │ ││ └──────────────────────────────────────────────────────────┘ │└─────────────┬───────────────────────────────┬───────────────────┘ │ │ ▼ ▼┌──────────────────────────┐ ┌────────────────────────────────┐│ Data Layer │ │ Caching Layer ││ (Hetzner Cape Town) │ │ (Redis) ││ │ │ ││ PostgreSQL 15+ │ │ - Session Storage ││ - SLP Data │ │ - Dashboard Cache ││ - Beneficiary Records │ │ - API Response Cache ││ - Evidence Metadata │ │ - Rate Limiting ││ - User Accounts │ └────────────────────────────────┘│ - Audit Logs ││ ││ PostGIS Extension ││ - Geospatial Data ││ - Mine-Site Locations ││ - Community Boundaries ││ - Project GPS Coords │└──────────────────────────┘ │ ▼┌──────────────────────────────────────────────────────────────┐│ File Storage Layer ││ (S3-Compatible Object Storage) ││ ││ - Evidence Files (photos, PDFs, videos, agreements) ││ - Generated Reports (Mining Indaba submissions, DMRE PDFs) ││ - User Uploads (community consultation records) ││ - Encrypted at Rest (AES-256) │└──────────────────────────────────────────────────────────────┘ │ ▼┌──────────────────────────────────────────────────────────────┐│ Backup & DR Layer ││ (Geo-Redundant Storage) ││ ││ - Hourly Incremental Backups ││ - Daily Full Backups ││ - 30-Day Retention ││ - Cape Town (Primary) + Johannesburg (Secondary) ││ - <4 Hour Recovery Time Objective (RTO) ││ - <1 Hour Recovery Point Objective (RPO) │└──────────────────────────────────────────────────────────────┘Data Flow
Section titled “Data Flow”1. SLP Activity Logging (Community Relations Team):
User Login → Authentication → Dashboard → "Log Activity"→ Form Entry (Beneficiary, Project, Budget, Evidence Files)→ Data Validation → PostgreSQL Storage → Cache Invalidation→ Real-Time Dashboard Update2. Mining Indaba Submission Generation:
Dashboard → "Generate Award Submission" → Select Award Category→ Backend Aggregates Data (Beneficiaries, Projects, Evidence)→ PDF Generation (ReportLab) → S3 Storage → Download Link → User Downloads 25-Page PDF3. Public Portal Access (Communities, Investors, Judges):
Public URL (community.sepfluor.co.za) → No Authentication Required→ Public Data Only (No Sensitive Info) → GIS Map + Impact Counters + Success Stories→ Multi-Language Display (English/Ndebele/Sepedi) → Mobile-Responsive View4. DMRE Report Automation:
Dashboard → "Generate DMRE Report" → Select Year + 5 Focus Areas→ Backend Aggregates Compliance Data (Budget, Beneficiaries, Evidence)→ PDF Generation (DMRE Format) → Audit Trail Appendix → DownloadTechnology Stack Deep Dive
Section titled “Technology Stack Deep Dive”Backend: FastAPI (Python)
Section titled “Backend: FastAPI (Python)”Why FastAPI:
- High performance (async/await support, comparable to Node.js, Go)
- Automatic OpenAPI documentation (Swagger UI for API testing)
- Type safety (Pydantic models prevent runtime errors)
- Easy integration (Python ecosystem for ML, data processing, PDF generation)
Key Libraries:
- FastAPI: Web framework
- SQLAlchemy: ORM for PostgreSQL (database abstraction)
- Pydantic: Data validation and serialization
- Alembic: Database migrations (version control for schema changes)
- ReportLab: PDF generation (Mining Indaba submissions, DMRE reports)
- Pandas: Data processing (aggregations, exports, analytics)
- Scikit-learn: ML models for risk prediction (production phase)
- Celery: Background task processing (large reports, data exports)
API Design:
- RESTful architecture (GET, POST, PUT, DELETE verbs)
- JSON request/response format
- JWT authentication (stateless, scalable)
- Rate limiting (prevent abuse, DoS protection)
- Versioned endpoints (/api/v1/slp-data, /api/v2/…)
Database: PostgreSQL 15+
Section titled “Database: PostgreSQL 15+”Why PostgreSQL:
- Open-source (no licensing fees, portable)
- ACID compliant (data integrity guarantees)
- Advanced features (JSON support, full-text search, geospatial with PostGIS)
- Battle-tested at scale (SACE: 400,000 users, millions of records)
Schema Design (Pilot Scope):
Core Tables:
users- User accounts (Community Relations, ESG Manager, CEO/Chairman, Admins)beneficiaries- 2,340+ beneficiaries (name, program, impact metrics, consent for public stories)projects- Community development projects (education, infrastructure, healthcare, LED)slp_activities- Logged SLP activities (training sessions, consultations, procurements)evidence_files- Metadata for photos, PDFs, videos, agreements (1,247+ files)budgets- Budget tracking (5% wage skills, 2-3% EBITDA LED, allocations)stakeholder_communications- Generated newsletters, investor briefings, DMRE reportsaudit_logs- Every user action tracked (who, what, when, IP address)
PostGIS Extension (Geospatial):
- Mine-site boundaries (Nokeng polygon)
- Community boundaries (8 communities served)
- Project GPS coordinates (schools, water points, community centers)
- Proximity calculations (local procurement within 50km radius)
Performance Optimizations:
- Indexes on frequently queried columns (beneficiary_id, project_id, date ranges)
- Materialized views for complex aggregations (dashboard KPIs pre-calculated)
- Connection pooling (reuse database connections, reduce overhead)
Frontend: Next.js 14+ (React)
Section titled “Frontend: Next.js 14+ (React)”Why Next.js:
- Server-side rendering (fast initial page load, SEO-friendly for public portal)
- React framework (component reusability, strong ecosystem)
- File-based routing (intuitive URL structure)
- Image optimization (automatic lazy loading, responsive images)
- Built-in API routes (optional backend logic in frontend codebase)
Key Libraries:
- React: UI component library
- Tailwind CSS: Utility-first CSS framework (responsive design, Sepfluor branding)
- Recharts: Dashboard charting library (line charts, bar charts, KPI cards)
- Leaflet / Mapbox: GIS mapping library (interactive project maps)
- React Hook Form: Form handling (SLP activity logging, data entry)
- SWR / React Query: Data fetching and caching (optimistic UI updates)
Responsive Design:
- Mobile-first (accessible from mine sites, remote locations via tablets/phones)
- Progressive Web App (PWA) capabilities (offline access to cached dashboards)
- Low-bandwidth optimization (image compression, lazy loading)
Caching: Redis 7+
Section titled “Caching: Redis 7+”Use Cases:
- Session Storage: User login sessions (JWT token validation cache)
- Dashboard Cache: Pre-calculated KPIs (invalidate on data update)
- API Response Cache: Frequently accessed data (beneficiary lists, project summaries)
- Rate Limiting: Prevent API abuse (track request counts per user/IP)
Cache Strategy:
- Time-to-Live (TTL): Dashboard cache expires after 5 minutes (balance freshness vs. performance)
- Cache Invalidation: On data update (beneficiary added, project logged), invalidate relevant cache keys
- Fallback: If Redis unavailable, fetch from PostgreSQL (degraded performance, not broken system)
Security & Compliance
Section titled “Security & Compliance”Data Residency & POPIA Compliance
Section titled “Data Residency & POPIA Compliance”South African Data Hosting:
- Primary: Hetzner Cape Town data center (South African soil, POPIA compliant)
- Why It Matters: POPIA requires personal data remain in South Africa or approved jurisdictions
- Sepfluor Compliance: Beneficiary personal data (names, photos, testimonials) never leaves South Africa
Hetzner Cape Town Certifications:
- ISO 27001 (Information Security Management)
- ISO 27017 (Cloud Security)
- ISO 27018 (Personal Data Protection in Cloud)
- Tier III+ data center (99.982% uptime guarantee)
POPIA-Specific Features:
- Consent Management: Beneficiaries opt-in/opt-out for photo use, testimonials, public stories
- Data Minimization: Only collect necessary fields (name, program participation, impact metrics - no unnecessary personal data)
- Right to Erasure: Beneficiaries can request data deletion (POPIA Section 24 compliance)
- Access Requests: Export beneficiary data in machine-readable format (CSV, JSON)
- Retention Policies: Auto-delete after DMRE requirement period (7 years for SLP records)
Encryption
Section titled “Encryption”Data at Rest:
- Database: AES-256 encryption (PostgreSQL Transparent Data Encryption)
- File Storage: AES-256 encryption (S3-compatible object storage, encrypted volumes)
- Backups: AES-256 encryption (geo-redundant backups encrypted separately)
- Disk Encryption: Full disk encryption on all servers (Hetzner default)
Data in Transit:
- HTTPS: TLS 1.3 (latest protocol, strongest ciphers)
- Certificate: Let’s Encrypt SSL certificates (auto-renewed, wildcard for subdomains)
- API Calls: All API requests encrypted over HTTPS (no unencrypted HTTP endpoints)
Password Security:
- Hashing: Bcrypt with salt (irreversible, industry standard)
- Password Requirements: Minimum 12 characters, complexity rules (uppercase, lowercase, number, special character)
- No Plaintext Storage: Passwords never stored in plaintext (only hashed versions)
Authentication & Authorization
Section titled “Authentication & Authorization”Authentication Methods:
- Username/Password: Primary authentication (bcrypt hashed passwords)
- Multi-Factor Authentication (MFA): Optional for administrators (TOTP-based, Google Authenticator compatible)
- Single Sign-On (SSO): Available in production (SAML 2.0, Azure AD integration if Sepfluor uses Microsoft)
Session Management:
- JWT Tokens: Stateless authentication (no server-side session storage required)
- Token Expiry: 24-hour access tokens, 30-day refresh tokens
- Automatic Logout: 2-hour inactivity timeout (configurable)
- Secure Cookies: HttpOnly, Secure, SameSite flags (prevent XSS, CSRF attacks)
Role-Based Access Control (RBAC):
| Role | Permissions | Typical Users |
|---|---|---|
| Public | - View public impact portal only (community.sepfluor.co.za) - No login required - No access to sensitive beneficiary data | Communities, investors, Mining Indaba judges, general public |
| Executive | - View dashboards (read-only) - Download reports (Mining Indaba, DMRE, stakeholder communications) - No data entry or editing | CEO (Hendrik Snyman), Chairman (Dr. Lelau Mohuba), Board members |
| Analyst | - View dashboards - Download reports - Generate custom reports - No data entry (read-only analyst role) | ESG Manager, Finance (budget tracking), Compliance |
| Admin | - Full access (data entry, editing, deletion) - User management (create users, assign roles) - Evidence file upload (photos, PDFs, videos) - Log SLP activities (beneficiaries, projects, consultations) - Generate reports | Community Relations Lead, Community Relations team |
| Super Admin | - All Admin permissions - System configuration - Audit log access - Database management (technical tasks) | iSu Technologies support team (production support only, with Sepfluor approval) |
IP Whitelisting (Optional):
- Restrict access to Sepfluor office IPs, Nokeng mine site IPs
- Additional security layer (prevent unauthorized access even with credentials)
- Configurable per role (e.g., Admins must be on-site, Executives can access remotely)
Audit Logging
Section titled “Audit Logging”What’s Logged:
- User Actions: Login, logout, data entry, data edits, data deletions, report generation, file uploads
- Who: User ID, username, email
- When: Timestamp (ISO 8601 format, UTC timezone)
- Where: IP address, user agent (browser/device)
- What: Action type, affected resources (beneficiary ID, project ID, file ID)
- Changes: Before/after values for data edits (audit trail for DMRE compliance)
Log Retention:
- Duration: 7 years (aligns with DMRE SLP record retention requirement)
- Storage: Separate database table, indexed for fast search
- Access: Admin and Super Admin roles only (audit logs are sensitive)
Use Cases:
- DMRE Audits: Prove who entered data, when, and what changes were made
- Security Incidents: Investigate unauthorized access attempts, suspicious activity
- Compliance: Demonstrate POPIA compliance (data access logs, deletion confirmations)
Vulnerability Management
Section titled “Vulnerability Management”Security Practices:
- Dependency Scanning: Automated weekly scans (Snyk, Dependabot) for known vulnerabilities in Python/JavaScript libraries
- Penetration Testing: Annual third-party penetration test (OWASP Top 10 coverage)
- Vulnerability Patching: Critical vulnerabilities patched within 7 days, high within 30 days, medium within 90 days
- Security Headers: HSTS, CSP, X-Frame-Options, X-Content-Type-Options (prevent common web attacks)
OWASP Top 10 Mitigation:
- Injection (SQL, NoSQL): Parameterized queries (SQLAlchemy ORM), input validation
- Broken Authentication: JWT tokens, bcrypt hashing, MFA, rate limiting
- Sensitive Data Exposure: AES-256 encryption, HTTPS/TLS 1.3, secure cookies
- XML External Entities (XXE): No XML parsing (JSON-only API)
- Broken Access Control: RBAC, role validation on every API endpoint
- Security Misconfiguration: Secure defaults, regular security audits
- Cross-Site Scripting (XSS): Input sanitization, Content Security Policy headers
- Insecure Deserialization: No deserialization of untrusted data
- Using Components with Known Vulnerabilities: Dependency scanning, automated updates
- Insufficient Logging & Monitoring: Comprehensive audit logs, real-time monitoring
Infrastructure & Hosting
Section titled “Infrastructure & Hosting”Deployment Architecture
Section titled “Deployment Architecture”Pilot (Multi-Tenant SaaS):
Railway.app (Auto-Scaling)├── Application Containers (FastAPI + Next.js)│ ├── Auto-scaling (CPU >70% → add container)│ ├── Load balancing (distribute requests)│ └── Zero-downtime deployments (rolling updates)├── PostgreSQL Database (Dedicated Schema for Sepfluor)│ ├── Shared database instance (cost-effective)│ ├── Dedicated schema (sepfluor_*)│ └── Row-level security (isolation)├── Redis Cache (Shared, Namespaced)└── S3 Storage (Sepfluor-specific bucket)
Hetzner Cape Town (Data Residency)└── PostgreSQL Backup Storage (Geo-redundant)Production (Single-Tenant SaaS - Recommended):
Railway.app (Dedicated Infrastructure)├── Dedicated Application Containers (Sepfluor only)│ ├── Vertical scaling (increase CPU/RAM as needed)│ ├── Horizontal scaling (add containers for high traffic)│ └── VPC (Virtual Private Cloud - network isolation)├── Dedicated PostgreSQL Database (Sepfluor only)│ ├── Vertical scaling (increase storage, CPU, RAM)│ ├── Read replicas (optional - for high query loads)│ └── Point-in-time recovery (restore to any second within 30-day window)├── Dedicated Redis Cache (Sepfluor only)└── Dedicated S3 Bucket (Sepfluor evidence files only)
Hetzner Cape Town (Data Residency)└── PostgreSQL Backup Storage (Geo-redundant, 30-day retention)Enterprise (On-Premise - If Required):
Sepfluor Data Center / Cloud Infrastructure├── Application Servers (Docker containers or VMs)│ ├── Sepfluor IT team manages infrastructure│ ├── iSu Technologies provides Docker images + deployment scripts│ └── Ongoing support via iSu Technologies├── PostgreSQL Database (Sepfluor-managed)├── Redis Cache (Sepfluor-managed)└── S3-Compatible Storage (Sepfluor-managed, e.g., MinIO)
Requirements:- Ubuntu 22.04 LTS servers (minimum 3: app, database, storage)- 16GB RAM, 4 CPU cores per server (minimum)- 500GB storage for database, 2TB for file storage- Network: 100 Mbps minimum, HTTPS/TLS 1.3 support- Sepfluor IT team responsible for: OS patching, backups, monitoring, scaling- iSu Technologies provides: Software updates, bug fixes, feature releases, technical supportPerformance Specifications
Section titled “Performance Specifications”Response Times (SLA):
- Dashboard Load: <3 seconds (95th percentile)
- API Response: <200ms (95th percentile)
- Report Generation: <30 seconds for Mining Indaba submission (25-page PDF)
- DMRE Report: <15 seconds (annual compliance PDF)
- Public Portal: <2 seconds (optimized for low-bandwidth community access)
Scalability:
- Concurrent Users: 50-100 users (pilot), 200-500 users (production)
- Database Size: 50GB (pilot), 200GB (production - includes 1,247+ evidence files metadata)
- File Storage: 10GB (pilot), 50GB (production - includes photos, PDFs, videos)
- Proven Scale: SACE platform handles 400,000 users, millions of records (Sepfluor is well within capacity)
Uptime SLA:
- Pilot: 99.0% uptime (7.3 hours/month downtime maximum)
- Production: 99.5% uptime (3.65 hours/month downtime maximum)
- Enterprise (On-Premise): Depends on Sepfluor IT team infrastructure (iSu Technologies provides software support, not infrastructure SLA)
Backup & Disaster Recovery
Section titled “Backup & Disaster Recovery”Backup Strategy:
- Frequency: Hourly incremental backups, daily full backups
- Retention: 30-day backup history (restore to any point in time within 30 days)
- Geographic Redundancy: Cape Town (primary) + Johannesburg (secondary) storage
- Encryption: AES-256 encrypted backups (separate encryption keys from production data)
Recovery Objectives:
- RTO (Recovery Time Objective): <4 hours from failure to fully restored
- RPO (Recovery Point Objective): <1 hour data loss maximum (hourly backups)
Disaster Recovery Scenarios:
| Scenario | Impact | Recovery Process | RTO |
|---|---|---|---|
| Application Container Failure | Platform unavailable | Automatic failover to healthy container (Railway auto-healing) | <5 minutes |
| Database Server Failure | Platform unavailable | Automatic failover to standby replica (if configured) | <30 minutes |
| Data Center Outage (Cape Town) | Platform unavailable | Switch to Johannesburg backup, restore latest backup | <4 hours |
| Data Corruption | Incorrect data displayed | Restore from latest clean backup (hourly incremental) | <4 hours |
| Cyber Attack (Ransomware) | Data encrypted/deleted | Isolate systems, restore from geo-redundant backups (encrypted separately) | <24 hours |
| Accidental Data Deletion | Beneficiary/project deleted | Restore from audit log + backup (point-in-time recovery) | <2 hours |
Business Continuity Plan:
- Incident Response Team: iSu Technologies support team (24/7 on-call for production)
- Communication Plan: Email + SMS notifications to Sepfluor stakeholders (CEO, Community Relations Lead, IT contact)
- Failover Testing: Quarterly disaster recovery drills (validate backups, test restore procedures)
Integration Capabilities
Section titled “Integration Capabilities”Data Integration Approaches
Section titled “Data Integration Approaches”Option 1: Standalone (Pilot Recommended):
- Approach: Platform works independently, minimal IT involvement
- Data Entry: Manual logging (5-10 minutes per SLP activity)
- Best For: Quick pilot launch (Week 2 operational), validate value before integration complexity
- Migration: Import existing data (Excel, PDFs, shared drives) in Week 2-4
Option 2: Integrated (Production Phase):
-
HR System Integration: Pull employee data, training records, certifications automatically
- Compatible Systems: SAP SuccessFactors, Workday, BambooHR, local HRIS, generic HR databases
- Data Sync: Real-time (webhook-triggered) or daily batch (scheduled sync)
- Data Flow: HR system → iSu Platform (one-way read, no data written back to HR system)
- Use Case: Skills development tracking (47 employees in training, 5% wage target automation)
-
Accounting/ERP Integration: Budget tracking, procurement spend (LED suppliers)
- Compatible Systems: SAP, Oracle, Sage, Pastel, QuickBooks, generic accounting systems
- Data Sync: Daily batch (budget allocations, supplier invoices, purchase orders)
- Data Flow: ERP system → iSu Platform (one-way read)
- Use Case: Budget compliance tracking (5% wage skills, 2-3% EBITDA LED, real-time burn rate)
-
Document Management Integration: Auto-index files from shared drives, SharePoint, Google Drive
- Approach: Watch folders, auto-import with metadata tagging (SLP focus area, project, date)
- Compatible Systems: SharePoint, Google Drive, OneDrive, local network shares (SMB/CIFS)
- Use Case: Evidence library automation (1,247+ files indexed without manual uploads)
Option 3: Hybrid (Most Common):
- Core Data: Integrated (HR for employees, accounting for budgets)
- Community Programs: Manual entry (unique to SLP, no existing system to integrate)
- Evidence Files: Automated indexing (photos, agreements, certificates from shared drives)
Integration Methods:
| Method | Use Case | Frequency | Technical Approach |
|---|---|---|---|
| RESTful API | Real-time data sync (HR employee updates) | On-demand, webhook-triggered | HTTP POST/GET requests, JSON payload, JWT authentication |
| CSV/Excel Bulk Import | One-time data migration, periodic updates | Weekly/monthly batch | Upload CSV file, validate schema, import to database |
| Database Connection | Direct database queries (read-only) | Daily batch | PostgreSQL foreign data wrapper, read-only user, scheduled queries |
| SFTP File Transfer | Automated evidence file uploads | Hourly/daily | Watch SFTP folder, auto-import files, metadata extraction |
| Webhooks | Event-driven sync (new employee hired → add to platform) | Real-time | Subscribe to HR system events, receive HTTP POST on event, process |
API Documentation
Section titled “API Documentation”RESTful API Endpoints (Sample):
Authentication:
POST /api/v1/auth/loginPOST /api/v1/auth/logoutPOST /api/v1/auth/refreshBeneficiaries:
GET /api/v1/beneficiaries # List all beneficiaries (paginated)GET /api/v1/beneficiaries/{id} # Get beneficiary detailsPOST /api/v1/beneficiaries # Create new beneficiaryPUT /api/v1/beneficiaries/{id} # Update beneficiaryDELETE /api/v1/beneficiaries/{id} # Delete beneficiary (soft delete, audit logged)Projects:
GET /api/v1/projects # List all projects (SLP focus area filtering)GET /api/v1/projects/{id} # Get project details (beneficiaries, budget, evidence)POST /api/v1/projects # Create new projectPUT /api/v1/projects/{id} # Update projectSLP Compliance:
GET /api/v1/slp/dashboard # Get SLP compliance KPIs (5 focus areas, budget status)GET /api/v1/slp/budget # Get budget tracking (5% wage, 2-3% EBITDA, forecasts)GET /api/v1/slp/audit-trail # Get DMRE audit trail (evidence completeness, gaps)Reports:
POST /api/v1/reports/mining-indaba # Generate Mining Indaba submission PDFPOST /api/v1/reports/dmre # Generate DMRE annual compliance report PDFPOST /api/v1/reports/stakeholder # Generate stakeholder communication (newsletter, briefing)Evidence Files:
GET /api/v1/evidence # List evidence files (filterable by project, date, type)POST /api/v1/evidence/upload # Upload evidence file (photo, PDF, video, agreement)GET /api/v1/evidence/{id}/download # Download evidence fileDELETE /api/v1/evidence/{id} # Delete evidence fileAPI Authentication:
- Method: JWT Bearer token in Authorization header
- Format:
Authorization: Bearer <jwt_token> - Token Lifespan: 24 hours (access token), 30 days (refresh token)
API Rate Limiting:
- Authenticated Users: 1,000 requests/hour
- Public API (if enabled): 100 requests/hour per IP address
- Exceeded Limit Response: HTTP 429 Too Many Requests, retry after X seconds
OpenAPI Documentation:
- Swagger UI: Available at
/api/docs(interactive API testing) - ReDoc: Available at
/api/redoc(readable API documentation) - OpenAPI Spec: Available at
/api/openapi.json(machine-readable API definition)
Monitoring & Support
Section titled “Monitoring & Support”Platform Monitoring
Section titled “Platform Monitoring”Metrics Tracked:
- Uptime: Platform availability (99.5% SLA target)
- Response Times: Dashboard load (<3s), API response (<200ms)
- Error Rates: HTTP 5xx errors, database connection failures
- Database Performance: Query execution times, connection pool usage
- Cache Hit Rate: Redis cache effectiveness (target: >80% hit rate)
- Disk Usage: Database storage, file storage growth trends
- User Activity: Active users, peak usage times, feature adoption
Monitoring Tools:
- Application Monitoring: Sentry (error tracking, performance monitoring)
- Infrastructure Monitoring: Railway.app built-in metrics (CPU, RAM, network)
- Uptime Monitoring: Uptime Robot (5-minute checks, SMS/email alerts if down)
- Database Monitoring: PostgreSQL slow query log, pg_stat_statements extension
Alerting:
-
Critical Alerts: Platform down, database unavailable, high error rate (>5%)
- Notification: SMS + Email to iSu Technologies on-call engineer
- Response Time: 30 minutes (acknowledge), 4 hours (resolve)
-
Warning Alerts: Slow response times (>5s), cache hit rate <60%, disk usage >80%
- Notification: Email to iSu Technologies support team
- Response Time: 24 hours (investigate), 72 hours (resolve)
Support Model
Section titled “Support Model”Pilot Support (30 Days Post-Launch):
- Included: Bug fixes, user questions, performance monitoring, minor adjustments
- Channels: Email (support@isutech.co.za), video calls (as needed)
- Response Times:
- Critical (platform down): 30-minute response, 4-hour resolution target
- High (feature broken): 2-hour response, 24-hour resolution target
- Medium (usability issue): 4-hour response, 48-hour resolution target
- Low (question, enhancement): 1-business-day response
- Hours: Business hours (Monday-Friday, 8am-6pm SAST) for non-critical issues, 24/7 for critical issues
Production Support (Annual Subscription):
-
Investment: R300K-R400K/year (R25K-R33K/month)
-
Included:
- Bug fixes and issue resolution
- Security patches and dependency updates
- Quarterly feature releases (new GRI 14 topics, award template updates, UI improvements)
- Performance monitoring and optimization
- User support (email, video call, on-site if needed)
- 99.5% uptime SLA with financial penalties if missed
- Mining Indaba submission support (annual - September deadline assistance)
- Quarterly check-ins (strategy reviews, optimization opportunities)
-
Response Times (SLA):
- Critical (platform down): 30-minute response, 4-hour resolution target
- High (feature broken, Mining Indaba submission issue): 2-hour response, 24-hour resolution target
- Medium (usability issue): 4-hour response, 48-hour resolution target
- Low (enhancement request): 1-business-day response, quarterly release cycle
-
Penalties for SLA Misses:
- Uptime <99.5%: 5% monthly credit per 0.1% below SLA (e.g., 99.3% uptime = 10% credit)
- Critical support response >30 minutes: 10% monthly credit per incident
- High support response >2 hours: 5% monthly credit per incident
Enterprise Support (On-Premise Deployments):
- Custom SLA: Negotiated based on infrastructure (Sepfluor-managed servers)
- Software Support: iSu Technologies provides software updates, bug fixes, technical guidance
- Infrastructure Support: Sepfluor IT team responsible for servers, database, backups, monitoring
- On-Site Assistance: Available (additional cost, travel expenses)
Data Ownership & Portability
Section titled “Data Ownership & Portability”Data Ownership
Section titled “Data Ownership”You Own Your Data:
- Sepfluor retains full ownership of all SLP data, beneficiary records, evidence files, generated reports
- iSu Technologies is a data processor, not data controller (POPIA terminology)
- Contractual guarantee: Sepfluor owns data, iSu Technologies cannot use for other purposes
Data Export
Section titled “Data Export”Export Capabilities:
- Full Database Export: CSV/JSON export of all tables (beneficiaries, projects, budgets, evidence metadata)
- Evidence Files Export: Zip archive of all uploaded files (photos, PDFs, videos, agreements)
- Generated Reports Export: All Mining Indaba submissions, DMRE reports, stakeholder communications (PDF archives)
- Frequency: On-demand (anytime via dashboard), scheduled (weekly/monthly automated exports)
Export Formats:
- CSV: For spreadsheet import (Excel, Google Sheets)
- JSON: For API integration, data analysis (Pandas, R)
- PDF: For generated reports (Mining Indaba, DMRE)
- SQL Dump: For database migration (PostgreSQL backup format)
Vendor Lock-In Mitigation
Section titled “Vendor Lock-In Mitigation”No Proprietary Formats:
- Standard CSV/JSON (not custom iSu Technologies formats)
- PostgreSQL SQL dump (compatible with any PostgreSQL instance - AWS RDS, Azure Database, on-premise)
- Standard file formats (JPEG, PNG, PDF, MP4 - not custom encodings)
Source Code Escrow:
- What It Is: Third-party holds complete source code (updated quarterly)
- Trigger Events: iSu Technologies ceases operations, declares bankruptcy, fails to support for 90+ days
- Your Access: If triggered, Sepfluor receives full codebase + deployment instructions
- Benefit: Sepfluor can self-host or hire another developer to maintain
- Cost: Included in production contract (no additional fee)
Migration Support:
- If Sepfluor chooses to migrate to alternative vendor (Power BI, SAP, custom build):
- iSu Technologies provides full data export (CSV, JSON, SQL dump)
- 90-day migration assistance (answer questions, clarify data schema, support transition)
- No “hostage” situation (you’re free to leave with all data)
Technical Validation & Due Diligence
Section titled “Technical Validation & Due Diligence”Pre-Pilot Technical Review (Optional)
Section titled “Pre-Pilot Technical Review (Optional)”Sepfluor IT Team Can Validate:
- Security Assessment: Review architecture diagrams, encryption standards, POPIA compliance
- Integration Feasibility: Review API documentation, test sandbox API endpoints
- Performance Testing: Load test demo environment (MGSLG platform as proxy)
- Source Code Review: Escrow-based review (if security concerns require code audit)
iSu Technologies Provides:
- Architecture Diagrams: High-level and detailed system architecture
- Security Assessment Document: 15-page report covering encryption, POPIA, access controls, vulnerability management
- API Sandbox Access: Test API endpoints before pilot kickoff
- Penetration Test Results: Third-party penetration test report (redacted sensitive details)
- Compliance Matrix: POPIA, King IV, ISO 27001 mapping
Reference Customer Technical Validation
Section titled “Reference Customer Technical Validation”MGSLG Technical References:
- Platform: https://frontend-production-5e4e.up.railway.app
- Login: mgslg2025 (demo credentials)
- Validate: Dashboard performance, PDF generation, beneficiary tracking, evidence library
- Contact: [MGSLG IT contact] for technical reference call
SACE Technical References:
- Scale Validation: 400,000 users, 500+ providers, millions of records (proves scalability for Sepfluor)
- Contact: [SACE IT contact] for technical reference call (if SACE approves)
Frequently Asked Questions (Technical)
Section titled “Frequently Asked Questions (Technical)”Q: What happens if Railway.app goes down? A: Railway.app is built on Google Cloud Platform / AWS (Tier 1 cloud providers with 99.99% historical uptime). If Railway fails, we can migrate to alternative providers (Heroku, Render, AWS directly) within 24-48 hours. Backups stored in Hetzner Cape Town are independent of Railway.
Q: Can we host on-premise instead of cloud? A: Yes. Enterprise deployment option available. Requires Sepfluor IT infrastructure (Ubuntu servers, PostgreSQL, Redis, S3-compatible storage). iSu Technologies provides Docker images, deployment scripts, ongoing software support. Sepfluor IT team responsible for infrastructure (servers, backups, monitoring).
Q: How do we integrate with SAP if we use it for ERP? A: RESTful API integration. SAP can call our APIs (push employee data, budget data) or we can pull from SAP APIs (if SAP exposes them). Common approach: Daily batch export from SAP to CSV, upload to our platform via API or manual import.
Q: What if we need custom features beyond pilot scope? A: Change order process. Sepfluor submits request, iSu Technologies estimates effort (cost, timeline), Sepfluor approves, we implement. Prioritized based on urgency (e.g., Mining Indaba deadline features prioritized over nice-to-have enhancements).
Q: Can we get source code access? A: Source code escrow available (production contract). Provides business continuity protection. Direct source code access (without escrow trigger) requires separate negotiation (typically enterprise licensing model).
Q: How do you handle GDPR if we have EU investors? A: Platform is GDPR-compatible (encryption, consent, right to erasure, data portability). However, data hosted in South Africa (Hetzner Cape Town) - not EU. If GDPR compliance required, we can deploy to Hetzner EU data center (additional cost, slightly higher latency for South African users).
Q: What’s your disaster recovery process for cyber attacks (ransomware)? A: Immediate isolation (disconnect affected systems), forensic investigation (identify attack vector), restore from geo-redundant backups (encrypted separately from production, attacker can’t access), strengthen defenses (patch vulnerabilities, update security rules), notify Sepfluor stakeholders (transparent communication).
Q: Can we white-label the platform? A: Yes. Production phase includes full Sepfluor branding (logo, colors, fonts, domain: community.sepfluor.co.za). “Powered by iSu Technologies” footer can be removed for additional fee (typically 10-15% upcharge, negotiable).
Next Steps: Technical Validation
Section titled “Next Steps: Technical Validation”Step 1: Review This Document
- Share with Sepfluor IT team, security officer, compliance team
- Identify questions, concerns, additional requirements
Step 2: Technical Q&A Session (Optional)
- 1-hour technical deep-dive with iSu Technologies technical lead
- Address specific concerns (integration, security, performance, compliance)
- Demo API endpoints, architecture diagrams, security assessment
Step 3: Reference Customer Validation (Optional)
- Technical reference call with MGSLG or SACE IT team
- Validate platform performance, security, support quality
- Ask questions iSu Technologies can’t objectively answer
Step 4: Security Assessment Review (Production Phase)
- Detailed security assessment document (15 pages)
- Penetration test results (third-party audit)
- POPIA compliance matrix (Section-by-section coverage)
- Sepfluor IT/Security team approval before production deployment
Step 5: Pilot Kickoff
- Technical validation complete
- Proceed to pilot (8-10 weeks)
- Minimal IT involvement during pilot (standalone deployment)
- Integration planning for production phase (if pilot successful)
Document Version: 1.0 Last Updated: 20/11/2025 Owner: iSu Technologies Technical Team Status: Ready for Sepfluor IT/Security Review
This technical overview is designed for IT/security stakeholders. For business stakeholders (CEO, Chairman, Community Relations), refer to Executive Summary One-Pager and Presentation Deck. For technical questions, contact: support@isutech.co.za