Skip to main content

About this page

This page is the conceptual public view of the Graphor production architecture. It is intended for security and privacy reviewers who need to understand how the platform is put together at the layer at which trust commitments apply. A more detailed Architecture Whitepaper, with per-component implementation specifics, deployment topology, and the supporting operational runbooks, is available to enterprise customers under NDA on request via privacy@graphorlm.com.

1. Conceptual overview

The Graphor production environment is organized in five layers. Customer interactions are authenticated at the edge, authorized at the application layer, and scoped to a single Project before any customer-content store is touched. The full per-component region inventory — including the region of every external dependency — is in Data Residency §1. The complete subprocessor list is in Subprocessors.

2. Ingestion flow

When a customer uploads a Source (document, web URL, code repository, transcript), the following sequence runs end to end: The original document and the retrievable units derived from it remain in the customer’s Project until the customer issues a delete via the DSR API. The full delete cascade is documented in Data Retention §2.

3. Query flow

When the customer asks a question or runs a structured extraction, the following sequence runs: Tier routing per request is determined by the thinking_level parameter. The specific provider for each tier and the customer-controllable parameters are documented in Model Use and Training §1.2.

4. Per-layer summary

The five layers in the conceptual diagram, and where each is documented in detail:
LayerRoleCustomer data touchedDocumented at
ClientCustomer application or browser.None (resides with the customer).
Public edgeStatic frontend assets and sign-in / identity provider. The frontend serves no customer data itself; the identity provider handles authentication.Account Information only at sign-in.Subprocessors §6
Application backendStateless authenticated HTTP and streaming surface. Scopes every request to a single Project, orchestrates workflows, routes inference.Customer Content and Derived Content transit, nothing persisted on the backend instances.Tenant Isolation §1
Asynchronous workersLong-running ingestion workflow — parsing, chunking, enrichment, embedding, indexing.Customer Content during parsing, Derived Content during indexing.Subprocessors §2
Self-hosted observabilityOperational tracing for the application backend. Tier-aware: enterprise default OFF; free / pro default ON with a Brazilian-PII mask.Tier-dependent. See Data Retention §4.Subprocessors §4
Customer data storesObject storage for original documents; relational and graph stores for metadata, retrievable units, and history; an ephemeral cache for in-flight operations.All four customer-data categories: Customer Content, Derived Content, Account Information, Billing identifiers.Data Retention §1, Data Residency §1
External AI providersTier-routed model inference and embeddings.Per-request: question and retrieved context. Per-build: chunked text for embedding.Subprocessors §3, Model Use and Training
External payment processorSubscription processing.Billing identifiers only; never Customer Content.Subprocessors §5

5. Public network surface

The customer-facing surface is intentionally narrow:
SurfaceURLPurposeAuthentication
Marketing sitehttps://graphorlm.comProduct information, pricing, legal pages.None.
Documentationhttps://docs.graphorlm.comThis site.None.
Application UIhttps://app.graphorlm.comCustomer-facing application.Sign-in via the identity provider → session cookie.
REST and streaming APIPaths under https://app.graphorlm.comProgrammatic access.API token (Authorization: Bearer <token>) — see Tenant Isolation §2.
MCP endpointsPer-Project, issued at Project creationModel Context Protocol transports for external AI clients.API token.
All HTTPS traffic is served on managed certificates. TLS 1.2 or above is enforced; older protocol versions are rejected at the load balancer. Per-route security headers (HSTS, CSP, X-Content-Type-Options, Referrer-Policy) are set on every response from the application backend. There is no public surface other than the five above — no SSH, no administrative console, no direct database access path. Internal operational tooling (CI/CD, monitoring, alerting) runs entirely on the Synapse-controlled side of the network and is not customer-reachable.

6. What is NOT in the architecture

Stating these explicitly avoids confusion for security reviewers comparing Graphor against other vendors:
  • No customer-deployed agents. Graphor does not require a customer-side daemon, gateway, or VPC peering. Integration is via the public surface listed above.
  • No SSO into a customer-owned identity provider today. Sign-in is via the managed identity provider in §5. SAML or OIDC-to-customer-IdP is on the enterprise-tier roadmap.
  • No customer-deployed cloud (BYOC). See Tenant Isolation §3 for the explicit non-decision.
  • No on-premise deployment. Graphor is a cloud-only product. On-premise is not on the roadmap.

7. Architecture Whitepaper (NDA)

An enterprise-grade Architecture Whitepaper, with per-component implementation details, deployment topology, monitoring and alerting structure, and the operational runbooks for incident response and disaster recovery, is available to customers under NDA on request via privacy@graphorlm.com. It is the level of detail typically requested by a SOC 2 auditor or an enterprise security questionnaire that goes beyond the public Trust Center.

8. Change history

VersionDateChange
1.02026-06-21Initial publication of the conceptual architecture view.
When the conceptual architecture, the public network surface, or the layer model changes materially, this table is updated and subscribers to subprocessors@graphorlm.com receive an email.

Contact