Bread Breakers (SG) uses a secure, cost-efficient architecture built on modern cloud tooling: static site hosting on Vercel, a self-managed PostgreSQL database, AWS email services, and cloud-based storage APIs.
This overview provides transparency into our technology choices and security measures. It demonstrates our commitment to a robust, multi-layered security architecture while maintaining operational security for sensitive implementation details.
| Layer | Web Hosting | Database | Email | File Storage |
|---|---|---|---|---|
| Physical Infra | Vercel | Oracle Cloud | AWS | Cloudflare |
| VM / OS | Vercel | CIS Hardened | AWS Lambda | R2 |
| Managed Platform | Vercel | Docker Compose | AWS SES | R2 |
| Application / Code | SvelteKit | Supabase/PostgreSQL | Custom Logic | Custom Integration |
| Data / Config | Self | Self | Self | Self |
| Access & Identity | GitHub SSO | OAuth2 Proxy | AWS IAM | Google SSO |
| Security / Compliance | Cloudflare WAF | RLS + Logging | AWS | Cloudflare |
| CI / CD | GitHub → Vercel | - | - | - |
Legend (cell shading in the original table): Cloud Service Provider Managed · Self-Managed · Shared Responsibility / Third-Party
Operating Considerations
- Web Hosting – Vercel free-tier deployment with GitHub integration
- DNS & CDN – Cloudflare DNS with DDoS protection and WAF rules
- Source Control – GitHub repository with automated builds
- Database – Self-managed Supabase (PostgreSQL) on Oracle Cloud
- Database Security – Row-level security, audit logging, OAuth2 proxy for admin access
- Email Services – AWS SES for outbound, Lambda functions for inbound processing
- File Storage – Cloudflare R2 integration for document storage
- Infrastructure Security – CIS-hardened VM, regular patching, MFA on all cloud accounts
- SSL/TLS – Automated certificate management via Caddy reverse proxy
Architecture Overview
Frontend – SvelteKit static site deployed on Vercel, with the domain managed through Cloudflare DNS. Cloudflare provides DDoS protection and WAF security rules.
Backend – Self-managed Supabase instance running PostgreSQL in Docker on Oracle Cloud. Database endpoints are secured with a reverse proxy for automatic HTTPS, an OAuth2 proxy for admin access, and row-level security for data protection. Automated backups are performed daily and stored in S3.
Email – AWS SES handles outbound email, with inbound processing via Lambda functions. Messages are temporarily stored in S3 with daily lifecycle cleanup and routed through SNS topics. All transactional emails are BCC'd to Bread Breakers (SG) for an audit trail (except approval emails, to preserve segregation of duties).
Storage – Document uploads are stored via Cloudflare R2.
Security – Multi-factor authentication is required for all cloud provider access. The VM is regularly patched and CIS-hardened. Database logging is enabled for all changes. Access controls are implemented at multiple layers.
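The two database controls named above, row-level security and change logging, are easy to state and easy to get subtly wrong, so here is an added example of what they look like in PostgreSQL. This is not the Bread Breakers (SG) schema: the `applications` table, its columns and the `audit_log` table are hypothetical, and the example assumes a Supabase-style database where `auth.uid()` returns the calling user's id and API requests run as the `authenticated` role.

```sql
-- Added example, not the project's own schema. Hypothetical table holding
-- per-user records; owner_id is compared against auth.uid() (Supabase).
create table if not exists public.applications (
    id          bigint generated always as identity primary key,
    owner_id    uuid not null,
    status      text not null default 'pending',
    payload     jsonb not null default '{}'::jsonb,
    created_at  timestamptz not null default now()
);

-- 1. Enable RLS. Once enabled, a table with no policies denies every row
--    to ordinary roles; only the owner and superusers bypass it.
alter table public.applications enable row level security;

-- 2. Applicants may read, create and edit only rows they own.
--    USING filters rows that are visible; WITH CHECK constrains rows
--    being written, so a user cannot re-assign a row to someone else.
create policy applications_select_own
    on public.applications for select
    to authenticated
    using (owner_id = auth.uid());

create policy applications_insert_own
    on public.applications for insert
    to authenticated
    with check (owner_id = auth.uid());

create policy applications_update_own
    on public.applications for update
    to authenticated
    using (owner_id = auth.uid())
    with check (owner_id = auth.uid());

-- No DELETE policy: deletes through the API are refused by default.
-- Approval (status changes) is deliberately not granted here; that is
-- left to a privileged path that bypasses RLS, such as an admin role.

-- 3. Append-only audit log, written by a trigger so application code
--    cannot forget to record a change.
create table if not exists public.audit_log (
    id          bigint generated always as identity primary key,
    table_name  text not null,
    operation   text not null,
    row_id      bigint,
    actor       uuid,
    old_row     jsonb,
    new_row     jsonb,
    changed_at  timestamptz not null default now()
);

-- RLS with no policies: API roles can neither read nor alter the log.
alter table public.audit_log enable row level security;

-- SECURITY DEFINER lets the trigger insert into audit_log even though the
-- caller's role has no access to it; search_path is pinned to avoid
-- function resolution hijacking.
create or replace function public.record_audit() returns trigger
language plpgsql security definer set search_path = public as $$
begin
    insert into public.audit_log
        (table_name, operation, row_id, actor, old_row, new_row)
    values (
        tg_table_name,
        tg_op,
        case when tg_op = 'DELETE' then old.id else new.id end,
        auth.uid(),
        case when tg_op in ('UPDATE', 'DELETE') then to_jsonb(old) end,
        case when tg_op in ('INSERT', 'UPDATE') then to_jsonb(new) end
    );
    return null;  -- return value is ignored for AFTER triggers
end;
$$;

create trigger applications_audit
    after insert or update or delete on public.applications
    for each row execute function public.record_audit();
```

A useful check after applying policies like these is to impersonate the API role (`set role authenticated; set request.jwt.claim.sub = ...` in a Supabase setup) and confirm that a `select count(*)` returns only the caller's rows and that an `update` of another user's row affects zero rows rather than erroring. The audit table stays readable only from a privileged database session, which matches the page's intent of logging every change while keeping the log out of reach of the application roles.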
