Skip to content

Sepfluor - Community Impact Visibility Platform - Technical Overview

Purpose: Provide comprehensive technical documentation for IT/security stakeholders evaluating the Community Impact Visibility Platform for mining SLP compliance, impact storytelling, and industry recognition.

Audience: IT Directors, Security Officers, Database Administrators, Compliance Teams


Platform Type: Cloud-native SaaS platform with optional on-premise deployment

Technology Stack:

  • Backend: Python 3.11+ (FastAPI framework)
  • Database: PostgreSQL 15+ (relational database with PostGIS extension for geospatial data)
  • Frontend: Next.js 14+ (React framework with server-side rendering)
  • Caching: Redis 7+ (in-memory data store)
  • Hosting: Railway.app (built on Google Cloud Platform / AWS)
  • Data Residency: Hetzner Cape Town (South African data center - POPIA compliant)
  • File Storage: S3-compatible object storage (encrypted at rest)

Deployment Model:

  • Pilot (Recommended): Multi-tenant SaaS (dedicated database schema, shared infrastructure)
  • Production: Single-tenant SaaS (dedicated infrastructure, optional VPC)
  • Enterprise: On-premise deployment (full control, requires IT infrastructure)

Security Certifications:

  • ISO 27001 (Hetzner Cape Town data center)
  • POPIA compliant (South African data residency, encryption, access controls)
  • SOC 2 Type II (in progress - Q2 2025 target)

Key Technical Differentiators:

  • ✅ South African data residency (Hetzner Cape Town - POPIA compliance out-of-box)
  • ✅ Open-source stack (no vendor lock-in, portable to any cloud or on-premise)
  • ✅ RESTful APIs (easy integration with HR systems, ERP, document management)
  • ✅ Scalable architecture (handles 400,000+ users proven at SACE)
  • ✅ Mobile-first responsive design (accessible from mine sites, remote locations)

┌─────────────────────────────────────────────────────────────────┐
│ End Users │
│ (Community Relations, ESG Manager, CEO/Chairman, Communities) │
└────────────┬────────────────────────────────────┬───────────────┘
│ │
▼ ▼
┌────────────────────────┐ ┌────────────────────────────┐
│ Web Application │ │ Public Impact Portal │
│ (Internal Dashboards)│ │ (community.sepfluor.co.za) │
│ │ │ │
│ - SLP Dashboards │ │ - GIS Project Map │
│ - Mining Indaba │ │ - Beneficiary Stories │
│ - DMRE Reports │ │ - Impact Counters │
│ - GRI 14 Tracking │ │ - Multi-Language │
└────────────┬───────────┘ └────────────┬───────────────┘
│ │
│ HTTPS/TLS 1.3 │
▼ ▼
┌─────────────────────────────────────────────────────────────────┐
│ Application Layer │
│ (Railway.app - Load Balanced) │
│ │
│ ┌──────────────────────────────────────────────────────────┐ │
│ │ FastAPI Backend (Python) │ │
│ │ │ │
│ │ - RESTful APIs │ │
│ │ - Authentication & Authorization │ │
│ │ - Business Logic (SLP compliance, beneficiary tracking) │ │
│ │ - PDF Generation (Mining Indaba, DMRE reports) │ │
│ │ - ML Risk Prediction (production phase) │ │
│ │ - Data Validation & ETL │ │
│ └──────────────────────────────────────────────────────────┘ │
│ │
│ ┌──────────────────────────────────────────────────────────┐ │
│ │ Next.js Frontend (React) │ │
│ │ │ │
│ │ - Server-Side Rendering (SSR) │ │
│ │ - Client-Side Routing │ │
│ │ - Responsive UI/UX (mobile-first) │ │
│ │ - Chart Libraries (Recharts for dashboards) │ │
│ │ - GIS Mapping (Leaflet/Mapbox for project locations) │ │
│ └──────────────────────────────────────────────────────────┘ │
└─────────────┬───────────────────────────────┬───────────────────┘
│ │
▼ ▼
┌──────────────────────────┐ ┌────────────────────────────────┐
│ Data Layer │ │ Caching Layer │
│ (Hetzner Cape Town) │ │ (Redis) │
│ │ │ │
│ PostgreSQL 15+ │ │ - Session Storage │
│ - SLP Data │ │ - Dashboard Cache │
│ - Beneficiary Records │ │ - API Response Cache │
│ - Evidence Metadata │ │ - Rate Limiting │
│ - User Accounts │ └────────────────────────────────┘
│ - Audit Logs │
│ │
│ PostGIS Extension │
│ - Geospatial Data │
│ - Mine-Site Locations │
│ - Community Boundaries │
│ - Project GPS Coords │
└──────────────────────────┘
┌──────────────────────────────────────────────────────────────┐
│ File Storage Layer │
│ (S3-Compatible Object Storage) │
│ │
│ - Evidence Files (photos, PDFs, videos, agreements) │
│ - Generated Reports (Mining Indaba submissions, DMRE PDFs) │
│ - User Uploads (community consultation records) │
│ - Encrypted at Rest (AES-256) │
└──────────────────────────────────────────────────────────────┘
┌──────────────────────────────────────────────────────────────┐
│ Backup & DR Layer │
│ (Geo-Redundant Storage) │
│ │
│ - Hourly Incremental Backups │
│ - Daily Full Backups │
│ - 30-Day Retention │
│ - Cape Town (Primary) + Johannesburg (Secondary) │
│ - <4 Hour Recovery Time Objective (RTO) │
│ - <1 Hour Recovery Point Objective (RPO) │
└──────────────────────────────────────────────────────────────┘

1. SLP Activity Logging (Community Relations Team):

User Login → Authentication → Dashboard → "Log Activity"
→ Form Entry (Beneficiary, Project, Budget, Evidence Files)
→ Data Validation → PostgreSQL Storage → Cache Invalidation
→ Real-Time Dashboard Update

2. Mining Indaba Submission Generation:

Dashboard → "Generate Award Submission" → Select Award Category
→ Backend Aggregates Data (Beneficiaries, Projects, Evidence)
→ PDF Generation (ReportLab) → S3 Storage → Download Link → User Downloads 25-Page PDF

3. Public Portal Access (Communities, Investors, Judges):

Public URL (community.sepfluor.co.za) → No Authentication Required
→ Public Data Only (No Sensitive Info) → GIS Map + Impact Counters + Success Stories
→ Multi-Language Display (English/Ndebele/Sepedi) → Mobile-Responsive View

4. DMRE Report Automation:

Dashboard → "Generate DMRE Report" → Select Year + 5 Focus Areas
→ Backend Aggregates Compliance Data (Budget, Beneficiaries, Evidence)
→ PDF Generation (DMRE Format) → Audit Trail Appendix → Download

Why FastAPI:

  • High performance (async/await support, comparable to Node.js, Go)
  • Automatic OpenAPI documentation (Swagger UI for API testing)
  • Type safety (Pydantic models prevent runtime errors)
  • Easy integration (Python ecosystem for ML, data processing, PDF generation)

Key Libraries:

  • FastAPI: Web framework
  • SQLAlchemy: ORM for PostgreSQL (database abstraction)
  • Pydantic: Data validation and serialization
  • Alembic: Database migrations (version control for schema changes)
  • ReportLab: PDF generation (Mining Indaba submissions, DMRE reports)
  • Pandas: Data processing (aggregations, exports, analytics)
  • Scikit-learn: ML models for risk prediction (production phase)
  • Celery: Background task processing (large reports, data exports)

API Design:

  • RESTful architecture (GET, POST, PUT, DELETE verbs)
  • JSON request/response format
  • JWT authentication (stateless, scalable)
  • Rate limiting (prevent abuse, DoS protection)
  • Versioned endpoints (/api/v1/slp-data, /api/v2/…)

Why PostgreSQL:

  • Open-source (no licensing fees, portable)
  • ACID compliant (data integrity guarantees)
  • Advanced features (JSON support, full-text search, geospatial with PostGIS)
  • Battle-tested at scale (SACE: 400,000 users, millions of records)

Schema Design (Pilot Scope):

Core Tables:

  • users - User accounts (Community Relations, ESG Manager, CEO/Chairman, Admins)
  • beneficiaries - 2,340+ beneficiaries (name, program, impact metrics, consent for public stories)
  • projects - Community development projects (education, infrastructure, healthcare, LED)
  • slp_activities - Logged SLP activities (training sessions, consultations, procurements)
  • evidence_files - Metadata for photos, PDFs, videos, agreements (1,247+ files)
  • budgets - Budget tracking (5% wage skills, 2-3% EBITDA LED, allocations)
  • stakeholder_communications - Generated newsletters, investor briefings, DMRE reports
  • audit_logs - Every user action tracked (who, what, when, IP address)

PostGIS Extension (Geospatial):

  • Mine-site boundaries (Nokeng polygon)
  • Community boundaries (8 communities served)
  • Project GPS coordinates (schools, water points, community centers)
  • Proximity calculations (local procurement within 50km radius)

Performance Optimizations:

  • Indexes on frequently queried columns (beneficiary_id, project_id, date ranges)
  • Materialized views for complex aggregations (dashboard KPIs pre-calculated)
  • Connection pooling (reuse database connections, reduce overhead)

Why Next.js:

  • Server-side rendering (fast initial page load, SEO-friendly for public portal)
  • React framework (component reusability, strong ecosystem)
  • File-based routing (intuitive URL structure)
  • Image optimization (automatic lazy loading, responsive images)
  • Built-in API routes (optional backend logic in frontend codebase)

Key Libraries:

  • React: UI component library
  • Tailwind CSS: Utility-first CSS framework (responsive design, Sepfluor branding)
  • Recharts: Dashboard charting library (line charts, bar charts, KPI cards)
  • Leaflet / Mapbox: GIS mapping library (interactive project maps)
  • React Hook Form: Form handling (SLP activity logging, data entry)
  • SWR / React Query: Data fetching and caching (optimistic UI updates)

Responsive Design:

  • Mobile-first (accessible from mine sites, remote locations via tablets/phones)
  • Progressive Web App (PWA) capabilities (offline access to cached dashboards)
  • Low-bandwidth optimization (image compression, lazy loading)

Use Cases:

  • Session Storage: User login sessions (JWT token validation cache)
  • Dashboard Cache: Pre-calculated KPIs (invalidate on data update)
  • API Response Cache: Frequently accessed data (beneficiary lists, project summaries)
  • Rate Limiting: Prevent API abuse (track request counts per user/IP)

Cache Strategy:

  • Time-to-Live (TTL): Dashboard cache expires after 5 minutes (balance freshness vs. performance)
  • Cache Invalidation: On data update (beneficiary added, project logged), invalidate relevant cache keys
  • Fallback: If Redis unavailable, fetch from PostgreSQL (degraded performance, not broken system)

South African Data Hosting:

  • Primary: Hetzner Cape Town data center (South African soil, POPIA compliant)
  • Why It Matters: POPIA requires personal data remain in South Africa or approved jurisdictions
  • Sepfluor Compliance: Beneficiary personal data (names, photos, testimonials) never leaves South Africa

Hetzner Cape Town Certifications:

  • ISO 27001 (Information Security Management)
  • ISO 27017 (Cloud Security)
  • ISO 27018 (Personal Data Protection in Cloud)
  • Tier III+ data center (99.982% uptime guarantee)

POPIA-Specific Features:

  • Consent Management: Beneficiaries opt-in/opt-out for photo use, testimonials, public stories
  • Data Minimization: Only collect necessary fields (name, program participation, impact metrics - no unnecessary personal data)
  • Right to Erasure: Beneficiaries can request data deletion (POPIA Section 24 compliance)
  • Access Requests: Export beneficiary data in machine-readable format (CSV, JSON)
  • Retention Policies: Auto-delete after DMRE requirement period (7 years for SLP records)

Data at Rest:

  • Database: AES-256 encryption (PostgreSQL Transparent Data Encryption)
  • File Storage: AES-256 encryption (S3-compatible object storage, encrypted volumes)
  • Backups: AES-256 encryption (geo-redundant backups encrypted separately)
  • Disk Encryption: Full disk encryption on all servers (Hetzner default)

Data in Transit:

  • HTTPS: TLS 1.3 (latest protocol, strongest ciphers)
  • Certificate: Let’s Encrypt SSL certificates (auto-renewed, wildcard for subdomains)
  • API Calls: All API requests encrypted over HTTPS (no unencrypted HTTP endpoints)

Password Security:

  • Hashing: Bcrypt with salt (irreversible, industry standard)
  • Password Requirements: Minimum 12 characters, complexity rules (uppercase, lowercase, number, special character)
  • No Plaintext Storage: Passwords never stored in plaintext (only hashed versions)

Authentication Methods:

  • Username/Password: Primary authentication (bcrypt hashed passwords)
  • Multi-Factor Authentication (MFA): Optional for administrators (TOTP-based, Google Authenticator compatible)
  • Single Sign-On (SSO): Available in production (SAML 2.0, Azure AD integration if Sepfluor uses Microsoft)

Session Management:

  • JWT Tokens: Stateless authentication (no server-side session storage required)
  • Token Expiry: 24-hour access tokens, 30-day refresh tokens
  • Automatic Logout: 2-hour inactivity timeout (configurable)
  • Secure Cookies: HttpOnly, Secure, SameSite flags (prevent XSS, CSRF attacks)

Role-Based Access Control (RBAC):

RolePermissionsTypical Users
Public- View public impact portal only (community.sepfluor.co.za)
- No login required
- No access to sensitive beneficiary data
Communities, investors, Mining Indaba judges, general public
Executive- View dashboards (read-only)
- Download reports (Mining Indaba, DMRE, stakeholder communications)
- No data entry or editing
CEO (Hendrik Snyman), Chairman (Dr. Lelau Mohuba), Board members
Analyst- View dashboards
- Download reports
- Generate custom reports
- No data entry (read-only analyst role)
ESG Manager, Finance (budget tracking), Compliance
Admin- Full access (data entry, editing, deletion)
- User management (create users, assign roles)
- Evidence file upload (photos, PDFs, videos)
- Log SLP activities (beneficiaries, projects, consultations)
- Generate reports
Community Relations Lead, Community Relations team
Super Admin- All Admin permissions
- System configuration
- Audit log access
- Database management (technical tasks)
iSu Technologies support team (production support only, with Sepfluor approval)

IP Whitelisting (Optional):

  • Restrict access to Sepfluor office IPs, Nokeng mine site IPs
  • Additional security layer (prevent unauthorized access even with credentials)
  • Configurable per role (e.g., Admins must be on-site, Executives can access remotely)

What’s Logged:

  • User Actions: Login, logout, data entry, data edits, data deletions, report generation, file uploads
  • Who: User ID, username, email
  • When: Timestamp (ISO 8601 format, UTC timezone)
  • Where: IP address, user agent (browser/device)
  • What: Action type, affected resources (beneficiary ID, project ID, file ID)
  • Changes: Before/after values for data edits (audit trail for DMRE compliance)

Log Retention:

  • Duration: 7 years (aligns with DMRE SLP record retention requirement)
  • Storage: Separate database table, indexed for fast search
  • Access: Admin and Super Admin roles only (audit logs are sensitive)

Use Cases:

  • DMRE Audits: Prove who entered data, when, and what changes were made
  • Security Incidents: Investigate unauthorized access attempts, suspicious activity
  • Compliance: Demonstrate POPIA compliance (data access logs, deletion confirmations)

Security Practices:

  • Dependency Scanning: Automated weekly scans (Snyk, Dependabot) for known vulnerabilities in Python/JavaScript libraries
  • Penetration Testing: Annual third-party penetration test (OWASP Top 10 coverage)
  • Vulnerability Patching: Critical vulnerabilities patched within 7 days, high within 30 days, medium within 90 days
  • Security Headers: HSTS, CSP, X-Frame-Options, X-Content-Type-Options (prevent common web attacks)

OWASP Top 10 Mitigation:

  1. Injection (SQL, NoSQL): Parameterized queries (SQLAlchemy ORM), input validation
  2. Broken Authentication: JWT tokens, bcrypt hashing, MFA, rate limiting
  3. Sensitive Data Exposure: AES-256 encryption, HTTPS/TLS 1.3, secure cookies
  4. XML External Entities (XXE): No XML parsing (JSON-only API)
  5. Broken Access Control: RBAC, role validation on every API endpoint
  6. Security Misconfiguration: Secure defaults, regular security audits
  7. Cross-Site Scripting (XSS): Input sanitization, Content Security Policy headers
  8. Insecure Deserialization: No deserialization of untrusted data
  9. Using Components with Known Vulnerabilities: Dependency scanning, automated updates
  10. Insufficient Logging & Monitoring: Comprehensive audit logs, real-time monitoring

Pilot (Multi-Tenant SaaS):

Railway.app (Auto-Scaling)
├── Application Containers (FastAPI + Next.js)
│ ├── Auto-scaling (CPU >70% → add container)
│ ├── Load balancing (distribute requests)
│ └── Zero-downtime deployments (rolling updates)
├── PostgreSQL Database (Dedicated Schema for Sepfluor)
│ ├── Shared database instance (cost-effective)
│ ├── Dedicated schema (sepfluor_*)
│ └── Row-level security (isolation)
├── Redis Cache (Shared, Namespaced)
└── S3 Storage (Sepfluor-specific bucket)
Hetzner Cape Town (Data Residency)
└── PostgreSQL Backup Storage (Geo-redundant)

Production (Single-Tenant SaaS - Recommended):

Railway.app (Dedicated Infrastructure)
├── Dedicated Application Containers (Sepfluor only)
│ ├── Vertical scaling (increase CPU/RAM as needed)
│ ├── Horizontal scaling (add containers for high traffic)
│ └── VPC (Virtual Private Cloud - network isolation)
├── Dedicated PostgreSQL Database (Sepfluor only)
│ ├── Vertical scaling (increase storage, CPU, RAM)
│ ├── Read replicas (optional - for high query loads)
│ └── Point-in-time recovery (restore to any second within 30-day window)
├── Dedicated Redis Cache (Sepfluor only)
└── Dedicated S3 Bucket (Sepfluor evidence files only)
Hetzner Cape Town (Data Residency)
└── PostgreSQL Backup Storage (Geo-redundant, 30-day retention)

Enterprise (On-Premise - If Required):

Sepfluor Data Center / Cloud Infrastructure
├── Application Servers (Docker containers or VMs)
│ ├── Sepfluor IT team manages infrastructure
│ ├── iSu Technologies provides Docker images + deployment scripts
│ └── Ongoing support via iSu Technologies
├── PostgreSQL Database (Sepfluor-managed)
├── Redis Cache (Sepfluor-managed)
└── S3-Compatible Storage (Sepfluor-managed, e.g., MinIO)
Requirements:
- Ubuntu 22.04 LTS servers (minimum 3: app, database, storage)
- 16GB RAM, 4 CPU cores per server (minimum)
- 500GB storage for database, 2TB for file storage
- Network: 100 Mbps minimum, HTTPS/TLS 1.3 support
- Sepfluor IT team responsible for: OS patching, backups, monitoring, scaling
- iSu Technologies provides: Software updates, bug fixes, feature releases, technical support

Response Times (SLA):

  • Dashboard Load: <3 seconds (95th percentile)
  • API Response: <200ms (95th percentile)
  • Report Generation: <30 seconds for Mining Indaba submission (25-page PDF)
  • DMRE Report: <15 seconds (annual compliance PDF)
  • Public Portal: <2 seconds (optimized for low-bandwidth community access)

Scalability:

  • Concurrent Users: 50-100 users (pilot), 200-500 users (production)
  • Database Size: 50GB (pilot), 200GB (production - includes 1,247+ evidence files metadata)
  • File Storage: 10GB (pilot), 50GB (production - includes photos, PDFs, videos)
  • Proven Scale: SACE platform handles 400,000 users, millions of records (Sepfluor is well within capacity)

Uptime SLA:

  • Pilot: 99.0% uptime (7.3 hours/month downtime maximum)
  • Production: 99.5% uptime (3.65 hours/month downtime maximum)
  • Enterprise (On-Premise): Depends on Sepfluor IT team infrastructure (iSu Technologies provides software support, not infrastructure SLA)

Backup Strategy:

  • Frequency: Hourly incremental backups, daily full backups
  • Retention: 30-day backup history (restore to any point in time within 30 days)
  • Geographic Redundancy: Cape Town (primary) + Johannesburg (secondary) storage
  • Encryption: AES-256 encrypted backups (separate encryption keys from production data)

Recovery Objectives:

  • RTO (Recovery Time Objective): <4 hours from failure to fully restored
  • RPO (Recovery Point Objective): <1 hour data loss maximum (hourly backups)

Disaster Recovery Scenarios:

ScenarioImpactRecovery ProcessRTO
Application Container FailurePlatform unavailableAutomatic failover to healthy container (Railway auto-healing)<5 minutes
Database Server FailurePlatform unavailableAutomatic failover to standby replica (if configured)<30 minutes
Data Center Outage (Cape Town)Platform unavailableSwitch to Johannesburg backup, restore latest backup<4 hours
Data CorruptionIncorrect data displayedRestore from latest clean backup (hourly incremental)<4 hours
Cyber Attack (Ransomware)Data encrypted/deletedIsolate systems, restore from geo-redundant backups (encrypted separately)<24 hours
Accidental Data DeletionBeneficiary/project deletedRestore from audit log + backup (point-in-time recovery)<2 hours

Business Continuity Plan:

  • Incident Response Team: iSu Technologies support team (24/7 on-call for production)
  • Communication Plan: Email + SMS notifications to Sepfluor stakeholders (CEO, Community Relations Lead, IT contact)
  • Failover Testing: Quarterly disaster recovery drills (validate backups, test restore procedures)

Option 1: Standalone (Pilot Recommended):

  • Approach: Platform works independently, minimal IT involvement
  • Data Entry: Manual logging (5-10 minutes per SLP activity)
  • Best For: Quick pilot launch (Week 2 operational), validate value before integration complexity
  • Migration: Import existing data (Excel, PDFs, shared drives) in Week 2-4

Option 2: Integrated (Production Phase):

  • HR System Integration: Pull employee data, training records, certifications automatically

    • Compatible Systems: SAP SuccessFactors, Workday, BambooHR, local HRIS, generic HR databases
    • Data Sync: Real-time (webhook-triggered) or daily batch (scheduled sync)
    • Data Flow: HR system → iSu Platform (one-way read, no data written back to HR system)
    • Use Case: Skills development tracking (47 employees in training, 5% wage target automation)
  • Accounting/ERP Integration: Budget tracking, procurement spend (LED suppliers)

    • Compatible Systems: SAP, Oracle, Sage, Pastel, QuickBooks, generic accounting systems
    • Data Sync: Daily batch (budget allocations, supplier invoices, purchase orders)
    • Data Flow: ERP system → iSu Platform (one-way read)
    • Use Case: Budget compliance tracking (5% wage skills, 2-3% EBITDA LED, real-time burn rate)
  • Document Management Integration: Auto-index files from shared drives, SharePoint, Google Drive

    • Approach: Watch folders, auto-import with metadata tagging (SLP focus area, project, date)
    • Compatible Systems: SharePoint, Google Drive, OneDrive, local network shares (SMB/CIFS)
    • Use Case: Evidence library automation (1,247+ files indexed without manual uploads)

Option 3: Hybrid (Most Common):

  • Core Data: Integrated (HR for employees, accounting for budgets)
  • Community Programs: Manual entry (unique to SLP, no existing system to integrate)
  • Evidence Files: Automated indexing (photos, agreements, certificates from shared drives)

Integration Methods:

MethodUse CaseFrequencyTechnical Approach
RESTful APIReal-time data sync (HR employee updates)On-demand, webhook-triggeredHTTP POST/GET requests, JSON payload, JWT authentication
CSV/Excel Bulk ImportOne-time data migration, periodic updatesWeekly/monthly batchUpload CSV file, validate schema, import to database
Database ConnectionDirect database queries (read-only)Daily batchPostgreSQL foreign data wrapper, read-only user, scheduled queries
SFTP File TransferAutomated evidence file uploadsHourly/dailyWatch SFTP folder, auto-import files, metadata extraction
WebhooksEvent-driven sync (new employee hired → add to platform)Real-timeSubscribe to HR system events, receive HTTP POST on event, process

RESTful API Endpoints (Sample):

Authentication:

POST /api/v1/auth/login
POST /api/v1/auth/logout
POST /api/v1/auth/refresh

Beneficiaries:

GET /api/v1/beneficiaries # List all beneficiaries (paginated)
GET /api/v1/beneficiaries/{id} # Get beneficiary details
POST /api/v1/beneficiaries # Create new beneficiary
PUT /api/v1/beneficiaries/{id} # Update beneficiary
DELETE /api/v1/beneficiaries/{id} # Delete beneficiary (soft delete, audit logged)

Projects:

GET /api/v1/projects # List all projects (SLP focus area filtering)
GET /api/v1/projects/{id} # Get project details (beneficiaries, budget, evidence)
POST /api/v1/projects # Create new project
PUT /api/v1/projects/{id} # Update project

SLP Compliance:

GET /api/v1/slp/dashboard # Get SLP compliance KPIs (5 focus areas, budget status)
GET /api/v1/slp/budget # Get budget tracking (5% wage, 2-3% EBITDA, forecasts)
GET /api/v1/slp/audit-trail # Get DMRE audit trail (evidence completeness, gaps)

Reports:

POST /api/v1/reports/mining-indaba # Generate Mining Indaba submission PDF
POST /api/v1/reports/dmre # Generate DMRE annual compliance report PDF
POST /api/v1/reports/stakeholder # Generate stakeholder communication (newsletter, briefing)

Evidence Files:

GET /api/v1/evidence # List evidence files (filterable by project, date, type)
POST /api/v1/evidence/upload # Upload evidence file (photo, PDF, video, agreement)
GET /api/v1/evidence/{id}/download # Download evidence file
DELETE /api/v1/evidence/{id} # Delete evidence file

API Authentication:

  • Method: JWT Bearer token in Authorization header
  • Format: Authorization: Bearer <jwt_token>
  • Token Lifespan: 24 hours (access token), 30 days (refresh token)

API Rate Limiting:

  • Authenticated Users: 1,000 requests/hour
  • Public API (if enabled): 100 requests/hour per IP address
  • Exceeded Limit Response: HTTP 429 Too Many Requests, retry after X seconds

OpenAPI Documentation:

  • Swagger UI: Available at /api/docs (interactive API testing)
  • ReDoc: Available at /api/redoc (readable API documentation)
  • OpenAPI Spec: Available at /api/openapi.json (machine-readable API definition)

Metrics Tracked:

  • Uptime: Platform availability (99.5% SLA target)
  • Response Times: Dashboard load (<3s), API response (<200ms)
  • Error Rates: HTTP 5xx errors, database connection failures
  • Database Performance: Query execution times, connection pool usage
  • Cache Hit Rate: Redis cache effectiveness (target: >80% hit rate)
  • Disk Usage: Database storage, file storage growth trends
  • User Activity: Active users, peak usage times, feature adoption

Monitoring Tools:

  • Application Monitoring: Sentry (error tracking, performance monitoring)
  • Infrastructure Monitoring: Railway.app built-in metrics (CPU, RAM, network)
  • Uptime Monitoring: Uptime Robot (5-minute checks, SMS/email alerts if down)
  • Database Monitoring: PostgreSQL slow query log, pg_stat_statements extension

Alerting:

  • Critical Alerts: Platform down, database unavailable, high error rate (>5%)

    • Notification: SMS + Email to iSu Technologies on-call engineer
    • Response Time: 30 minutes (acknowledge), 4 hours (resolve)
  • Warning Alerts: Slow response times (>5s), cache hit rate <60%, disk usage >80%

    • Notification: Email to iSu Technologies support team
    • Response Time: 24 hours (investigate), 72 hours (resolve)

Pilot Support (30 Days Post-Launch):

  • Included: Bug fixes, user questions, performance monitoring, minor adjustments
  • Channels: Email (support@isutech.co.za), video calls (as needed)
  • Response Times:
    • Critical (platform down): 30-minute response, 4-hour resolution target
    • High (feature broken): 2-hour response, 24-hour resolution target
    • Medium (usability issue): 4-hour response, 48-hour resolution target
    • Low (question, enhancement): 1-business-day response
  • Hours: Business hours (Monday-Friday, 8am-6pm SAST) for non-critical issues, 24/7 for critical issues

Production Support (Annual Subscription):

  • Investment: R300K-R400K/year (R25K-R33K/month)

  • Included:

    • Bug fixes and issue resolution
    • Security patches and dependency updates
    • Quarterly feature releases (new GRI 14 topics, award template updates, UI improvements)
    • Performance monitoring and optimization
    • User support (email, video call, on-site if needed)
    • 99.5% uptime SLA with financial penalties if missed
    • Mining Indaba submission support (annual - September deadline assistance)
    • Quarterly check-ins (strategy reviews, optimization opportunities)
  • Response Times (SLA):

    • Critical (platform down): 30-minute response, 4-hour resolution target
    • High (feature broken, Mining Indaba submission issue): 2-hour response, 24-hour resolution target
    • Medium (usability issue): 4-hour response, 48-hour resolution target
    • Low (enhancement request): 1-business-day response, quarterly release cycle
  • Penalties for SLA Misses:

    • Uptime <99.5%: 5% monthly credit per 0.1% below SLA (e.g., 99.3% uptime = 10% credit)
    • Critical support response >30 minutes: 10% monthly credit per incident
    • High support response >2 hours: 5% monthly credit per incident

Enterprise Support (On-Premise Deployments):

  • Custom SLA: Negotiated based on infrastructure (Sepfluor-managed servers)
  • Software Support: iSu Technologies provides software updates, bug fixes, technical guidance
  • Infrastructure Support: Sepfluor IT team responsible for servers, database, backups, monitoring
  • On-Site Assistance: Available (additional cost, travel expenses)

You Own Your Data:

  • Sepfluor retains full ownership of all SLP data, beneficiary records, evidence files, generated reports
  • iSu Technologies is a data processor, not data controller (POPIA terminology)
  • Contractual guarantee: Sepfluor owns data, iSu Technologies cannot use for other purposes

Export Capabilities:

  • Full Database Export: CSV/JSON export of all tables (beneficiaries, projects, budgets, evidence metadata)
  • Evidence Files Export: Zip archive of all uploaded files (photos, PDFs, videos, agreements)
  • Generated Reports Export: All Mining Indaba submissions, DMRE reports, stakeholder communications (PDF archives)
  • Frequency: On-demand (anytime via dashboard), scheduled (weekly/monthly automated exports)

Export Formats:

  • CSV: For spreadsheet import (Excel, Google Sheets)
  • JSON: For API integration, data analysis (Pandas, R)
  • PDF: For generated reports (Mining Indaba, DMRE)
  • SQL Dump: For database migration (PostgreSQL backup format)

No Proprietary Formats:

  • Standard CSV/JSON (not custom iSu Technologies formats)
  • PostgreSQL SQL dump (compatible with any PostgreSQL instance - AWS RDS, Azure Database, on-premise)
  • Standard file formats (JPEG, PNG, PDF, MP4 - not custom encodings)

Source Code Escrow:

  • What It Is: Third-party holds complete source code (updated quarterly)
  • Trigger Events: iSu Technologies ceases operations, declares bankruptcy, fails to support for 90+ days
  • Your Access: If triggered, Sepfluor receives full codebase + deployment instructions
  • Benefit: Sepfluor can self-host or hire another developer to maintain
  • Cost: Included in production contract (no additional fee)

Migration Support:

  • If Sepfluor chooses to migrate to alternative vendor (Power BI, SAP, custom build):
    • iSu Technologies provides full data export (CSV, JSON, SQL dump)
    • 90-day migration assistance (answer questions, clarify data schema, support transition)
    • No “hostage” situation (you’re free to leave with all data)

Sepfluor IT Team Can Validate:

  • Security Assessment: Review architecture diagrams, encryption standards, POPIA compliance
  • Integration Feasibility: Review API documentation, test sandbox API endpoints
  • Performance Testing: Load test demo environment (MGSLG platform as proxy)
  • Source Code Review: Escrow-based review (if security concerns require code audit)

iSu Technologies Provides:

  • Architecture Diagrams: High-level and detailed system architecture
  • Security Assessment Document: 15-page report covering encryption, POPIA, access controls, vulnerability management
  • API Sandbox Access: Test API endpoints before pilot kickoff
  • Penetration Test Results: Third-party penetration test report (redacted sensitive details)
  • Compliance Matrix: POPIA, King IV, ISO 27001 mapping

MGSLG Technical References:

  • Platform: https://frontend-production-5e4e.up.railway.app
  • Login: mgslg2025 (demo credentials)
  • Validate: Dashboard performance, PDF generation, beneficiary tracking, evidence library
  • Contact: [MGSLG IT contact] for technical reference call

SACE Technical References:

  • Scale Validation: 400,000 users, 500+ providers, millions of records (proves scalability for Sepfluor)
  • Contact: [SACE IT contact] for technical reference call (if SACE approves)

Q: What happens if Railway.app goes down? A: Railway.app is built on Google Cloud Platform / AWS (Tier 1 cloud providers with 99.99% historical uptime). If Railway fails, we can migrate to alternative providers (Heroku, Render, AWS directly) within 24-48 hours. Backups stored in Hetzner Cape Town are independent of Railway.

Q: Can we host on-premise instead of cloud? A: Yes. Enterprise deployment option available. Requires Sepfluor IT infrastructure (Ubuntu servers, PostgreSQL, Redis, S3-compatible storage). iSu Technologies provides Docker images, deployment scripts, ongoing software support. Sepfluor IT team responsible for infrastructure (servers, backups, monitoring).

Q: How do we integrate with SAP if we use it for ERP? A: RESTful API integration. SAP can call our APIs (push employee data, budget data) or we can pull from SAP APIs (if SAP exposes them). Common approach: Daily batch export from SAP to CSV, upload to our platform via API or manual import.

Q: What if we need custom features beyond pilot scope? A: Change order process. Sepfluor submits request, iSu Technologies estimates effort (cost, timeline), Sepfluor approves, we implement. Prioritized based on urgency (e.g., Mining Indaba deadline features prioritized over nice-to-have enhancements).

Q: Can we get source code access? A: Source code escrow available (production contract). Provides business continuity protection. Direct source code access (without escrow trigger) requires separate negotiation (typically enterprise licensing model).

Q: How do you handle GDPR if we have EU investors? A: Platform is GDPR-compatible (encryption, consent, right to erasure, data portability). However, data hosted in South Africa (Hetzner Cape Town) - not EU. If GDPR compliance required, we can deploy to Hetzner EU data center (additional cost, slightly higher latency for South African users).

Q: What’s your disaster recovery process for cyber attacks (ransomware)? A: Immediate isolation (disconnect affected systems), forensic investigation (identify attack vector), restore from geo-redundant backups (encrypted separately from production, attacker can’t access), strengthen defenses (patch vulnerabilities, update security rules), notify Sepfluor stakeholders (transparent communication).

Q: Can we white-label the platform? A: Yes. Production phase includes full Sepfluor branding (logo, colors, fonts, domain: community.sepfluor.co.za). “Powered by iSu Technologies” footer can be removed for additional fee (typically 10-15% upcharge, negotiable).


Step 1: Review This Document

  • Share with Sepfluor IT team, security officer, compliance team
  • Identify questions, concerns, additional requirements

Step 2: Technical Q&A Session (Optional)

  • 1-hour technical deep-dive with iSu Technologies technical lead
  • Address specific concerns (integration, security, performance, compliance)
  • Demo API endpoints, architecture diagrams, security assessment

Step 3: Reference Customer Validation (Optional)

  • Technical reference call with MGSLG or SACE IT team
  • Validate platform performance, security, support quality
  • Ask questions iSu Technologies can’t objectively answer

Step 4: Security Assessment Review (Production Phase)

  • Detailed security assessment document (15 pages)
  • Penetration test results (third-party audit)
  • POPIA compliance matrix (Section-by-section coverage)
  • Sepfluor IT/Security team approval before production deployment

Step 5: Pilot Kickoff

  • Technical validation complete
  • Proceed to pilot (8-10 weeks)
  • Minimal IT involvement during pilot (standalone deployment)
  • Integration planning for production phase (if pilot successful)

Document Version: 1.0 Last Updated: 20/11/2025 Owner: iSu Technologies Technical Team Status: Ready for Sepfluor IT/Security Review


This technical overview is designed for IT/security stakeholders. For business stakeholders (CEO, Chairman, Community Relations), refer to Executive Summary One-Pager and Presentation Deck. For technical questions, contact: support@isutech.co.za