The whole stack,
on one page.
Every layer, every interface, every audit boundary. The same map we hand the DPO, our DD partners, and any architect evaluating ARIA. No black boxes — the decision registry is the source of truth, and it's public.
System Map
Five layers, one audit trail.
Surfaces dispatch to application services. Application calls pure engine functions. Engine reads from tenant-scoped data. Data sits on Saudi-residency infra. Every step between writes an event the DPO can replay.
Keep scrolling — each layer unlocks the modules below it.
Where humans and partners touch ARIA.
Request handling, business logic, multi-tenant routing.
The math. Pure functions, hash-stamped per invocation.
Tenant-scoped storage, encrypted at rest.
Saudi-residency primary, in-region backups.
Multi-tenancy
Row-level security on every query.
Tenants share infrastructure, not data. Isolation is enforced at the row level by Postgres RLS policies — not at the application boundary, where it can be bypassed by a coding mistake.
Every row carries a tenant_id. The query planner refuses cross-tenant joins.
Per-tenant KMS keys envelope encrypted columns. A rogue dump leaks ciphertext only.
Business-config is per-tenant — feature flags, regulator posture, signed addenda.
Audit trail is tenant-scoped. The DPO replays only their own history.
KAFD Capital
Investment House · Riyadh
12,481 rows
row-level-secured
Red Sea Pavilion JV
Developer · Jeddah
3,902 rows
row-level-secured
Khobar Households
Individual · Eastern Province
87,210 rows
row-level-secured
Intake Spine
Six audiences. One engine. Three rubrics.
B2B intake (Developer, Investment House, Corporate Housing) and B2C intake (Buyer, Investor, Expat) collapse into the same scoring engine. The language and the output surface change. The math doesn't.
B2B intake
Developer
40 fields
Investment House
50 fields
Corporate Housing
30 fields
ARIA Engine
Scoring
Engine
DCF · MC · NLG
B2C intake
Buyer
7–11 fields
Investor
7–11 fields
Expat
7–11 fields
↓ Engine output branches by audience
IC Memo
Institutional · committee-ready
Wealth Companion
Individual · Safety Score
Match Feed
Marketplace · cross-link
Audit trail · tamper-evident
Evidence-backed from intake to memo.
Every material change writes a durable governance event with prior-state evidence. Reviewers can trace how a decision moved from intake to memo without reading implementation details.
{
event: "Memo signed",
workspace: "Tenant workspace",
actor: "Committee member",
time: "2026-05-11T09:41:21Z",
fingerprint: "0xe97f…03ab",
previous: "0x2d4a…91ff"
}workspace=Tenant workspace · actor=Analyst
0x7af3…d2c1
prev: GENESIS
workspace=Tenant workspace · actor=ARIA engine
0xb18c…5e80
prev: 0x7af3…d2c1
workspace=Tenant workspace · actor=Analyst
0x2d4a…91ff
prev: 0xb18c…5e80
workspace=Tenant workspace · actor=Committee member
0xe97f…03ab
prev: 0x2d4a…91ff
Interaction Surfaces
Four ways in. Four ways out. Seven KSA adapters.
Every surface speaks to the same application layer. KSA regulator and bank adapters carry their posture — read-only, advisory, or write — declared per tenant in business-config.
Web app
Next.js 15 RSC · EN + AR
Native mobile
iOS + Android
REST API
Developer tier · usage-metered
Admin CLI
DPO + ops · audit-logged
Signed PDF
Memo export · EN / AR
Excel + CSV
Pro / Elite / B2B all tiers
Webhooks
Event-driven · Enterprise
Read-only adapter
ERP / MLS · custom
Decision Registry · public
47 architecture decisions. All public.
Every load-bearing decision lives in the decision registry — context, consequences, and the moment we changed our mind. The same registry the DPO reads. Eleven of the most-referenced decisions are below.
Architect · DPO · DD reviewer
Bring your team. We'll walk any layer.
Bring your DPO. Bring your DD team. Bring your CTO. We'll walk through any layer in depth — and send you the PIA draft, sub-processor list, cross-border assessment, and the methodology pack under NDA.