Operations overview
This page gives operators a map of the Better Comply deployment stack before they dive into individual configuration guides.
Operators are the IT engineers, system administrators, or DevOps engineers who deploy and maintain Better Comply.
Deployment shape
Better Comply is composed of three independently deployable layers:
| Layer | Technology | Hosted on |
|---|---|---|
| Web application | React SPA, built with Vite | Netlify (static CDN) |
| Backend API | Fastify on Node 20 | Google Cloud Run |
| Data, auth, and storage | Postgres + pgvector + GoTrue + Object Storage | Supabase |
Web (Netlify)
The frontend is a static Vite build deployed to Netlify. Netlify serves the assets from its CDN, applies security headers (CSP, HSTS, Permissions-Policy), and rewrites all paths to /index.html for client-side routing.
The build requires one environment variable: VITE_BACKEND_URL pointing at the Cloud Run service URL.
See Architecture for the full security-header inventory.
Backend (Cloud Run)
All server-side logic runs as a single Fastify service on Google Cloud Run. This includes AI content generation, certificate issuance, document processing, lifecycle audit trail writes, and the scheduled cron endpoints.
The backend talks to Supabase using either the service-role key (for admin operations) or the caller's forwarded JWT (for RLS-scoped operations).
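The two credential paths described above, as an added example (not Better Comply's own code). The function names, the use of an anon key alongside the forwarded JWT, and the placeholder key values are assumptions. It builds the headers for a Supabase REST call and fails closed rather than falling back to the service-role key when the caller's JWT is missing.

```javascript
// Added example: credential selection for backend -> Supabase REST calls.
// KEYS and SAMPLE_JWT are constructed placeholders, not real secrets.
const KEYS = {
  anon: "ANON_KEY_PLACEHOLDER",
  serviceRole: "SERVICE_ROLE_KEY_PLACEHOLDER",
};
const SAMPLE_JWT = "aaa.bbb.ccc";

// Matches "Bearer <header>.<payload>.<signature>" with base64url segments.
const BEARER = /^Bearer ([A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+)$/;

// Extract the caller's JWT from an incoming Authorization header, or null.
// This is a shape check only; the signature is verified by Supabase.
function callerJwt(authorizationHeader) {
  const match = BEARER.exec(authorizationHeader || "");
  return match ? match[1] : null;
}

// Build headers for a Supabase REST request (hypothetical helper).
//   mode "user":  forward the caller's JWT so RLS policies apply.
//   mode "admin": use the service-role key, which bypasses RLS.
function supabaseHeaders(mode, incomingAuthorization, keys) {
  if (mode === "admin") {
    return {
      apikey: keys.serviceRole,
      Authorization: `Bearer ${keys.serviceRole}`,
    };
  }
  if (mode === "user") {
    const jwt = callerJwt(incomingAuthorization);
    // Fail closed: a missing or malformed JWT must never be replaced
    // by the service-role key, or the request would skip RLS.
    if (!jwt) throw new Error("missing or malformed caller JWT");
    return { apikey: keys.anon, Authorization: `Bearer ${jwt}` };
  }
  throw new Error(`unknown mode: ${mode}`);
}
```

Routes that only act on behalf of the signed-in user should request the "user" mode, so that a bug in the route is still bounded by RLS.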
Data (Supabase)
Supabase provides:
- Postgres + pgvector - primary datastore and vector search for RAG retrieval.
- GoTrue - authentication and session management (email/password and emailless employee PIN).
- Object Storage - completion certificates, controlled document binaries and Markdown blobs, quiz image assets.
- Row Level Security (RLS) - every data access from the browser is scoped to the authenticated user's role.
What the browser calls directly
The browser talks to Supabase directly for read queries and calls the Cloud Run backend (POST /v1/<route>) for every state-changing or AI-bearing operation. Supabase Edge Functions were retired in May 2026; all HTTP routes now live in the Cloud Run backend.
Next steps
| Page | What it covers |
|---|---|
| Architecture | Component data flow, security headers, where audit evidence lives |
| Environment variables | All env vars grouped by concern |
| Scheduled jobs | Cron endpoints, cadences, and secret gating |
| Email delivery | Resend vs console provider, from address |
| Document processing | RAG indexing modes and stuck-job recovery |
| Demo and seeding | Non-production demo data (double-gated) |
| Backups and releases | Release SOP, rollback, migration notes |