Skip to content

Architecture Diagram

This diagram shows how data flows between the client browser, Ouva’s managed services, and third-party integrations. All traffic is outbound-only over TLS 1.2+. No inbound ports are required.

CLIENT (BROWSER / KIOSK DEVICE) Ouva SPA 3D Scene Rendering Program & Activity UI Check-in & Progress Companion Messaging On-Device Processing MediaPipe Inference (WebAssembly / WebGL) Camera scenes only Kiosk Agent Device Health Display Status Always-on deployments Google Chrome Recommended HTTPS HTTPS / WSS HTTPS HTTPS MANAGED SERVICES Netlify CDN & Static Hosting app.ouva.co Supabase Auth · Database · Realtime · Storage *.supabase.co Stripe Billing js.stripe.com Google / jsDelivr CDN MediaPipe assets SUPABASE PLATFORM DETAIL Auth Magic Link / Password SSO (OIDC / SAML) PostgreSQL REST / RPC API Row-Level Security Realtime WebSocket Channels Live Updates Storage Object / Media Upload & Delivery Edge Functions generate-speech Server-side logic THIRD-PARTY INTEGRATIONS (FEATURE-GATED) ElevenLabs Text-to-Speech · api.elevenlabs.io HTTPS (server-side) Customer Identity Provider OIDC / SAML 2.0 · e.g. Microsoft Entra ID SSO (if configured) Core data path Optional / feature-gated

All traffic outbound-only over TLS 1.2+ · No inbound ports required · No third-party analytics SDKs

  • Solid blue lines represent core data paths required for normal application use.
  • Dashed grey lines represent optional or feature-gated connections that depend on deployment configuration.
  • All connections are outbound-only over TLS 1.2+. No inbound ports are required.
  • Ouva uses Netlify and Supabase as managed services. There is no direct AWS infrastructure usage.

For a step-by-step walkthrough of how data moves through these components, see Data Flow. For a full list of external providers with security references, see Third-party Services.