Technical Architecture & Integration
Five-module architecture. 100% open-source stack. Three deployment models — including air-gapped on-premises for the most demanding environments.
Platform Architecture
C-PAP is built as a modular, five-component architecture designed for deployment across enterprise, industrial, and converged environments. Each module addresses a distinct function within the assurance lifecycle and can be deployed independently or as a fully integrated platform.
- Assessment & Evaluation: Control assessment, maturity scoring, gap analysis, and evidence-based evaluation engine.
- Risk & Treatment: Risk quantification, treatment planning, residual risk tracking, and action management.
- Evidence & Artefacts: Evidence lifecycle management, document storage, cross-control linking, and version control.
- Reporting & Governance: Report generation, analytics dashboards, compliance views, and executive reporting.
- Integration & Automation: API gateway, SIEM integration, GRC connectors, and automated evidence collection.
Technology Stack
C-PAP is built entirely on open-source technology, which avoids vendor lock-in and allows every part of the platform infrastructure to be audited.
| Component | Technology |
|---|---|
| Frontend | Next.js 15 |
| API Layer | FastAPI |
| Database | PostgreSQL 16 |
| Authentication | Keycloak 26 |
| AI / LLM | Ollama |
| Object Storage | MinIO |
| Orchestration | K3s |
| Infrastructure | OpenTofu |
Open-Source Commitment
Every component in the C-PAP technology stack is open-source, auditable, and replaceable. This is a deliberate architectural decision driven by three requirements:
- Auditability: Clients and assessors can inspect every component of the platform infrastructure
- Sovereignty: No dependency on proprietary cloud services that could restrict data handling or deployment location
- Longevity: No risk of vendor discontinuation, licence changes, or forced migration
API Capabilities
C-PAP provides a comprehensive RESTful API documented to the OpenAPI 3.0 specification. The API enables programmatic access to all platform functions:
- Control and domain management
- Assessment creation, update, and retrieval
- Evidence upload and lifecycle management
- Report generation and export
- Risk register and treatment plan operations
- Framework mapping queries
- User and role management
Integration Points
C-PAP integrates with existing security and IT management infrastructure through defined connectors:
- SIEM: Log and event correlation for continuous monitoring evidence
- GRC: Bidirectional control and risk data exchange
- CMDB: Asset inventory synchronisation for scope and coverage tracking
- Ticketing: Non-conformance and action tracking integration
- Evidence Collection: Automated ingestion from scanning, monitoring, and audit tools
Deployment Models
- SaaS: Cloud-hosted, fully managed service. Fastest time to deployment. Automatic updates and maintenance. Suitable for organisations without air-gap or data residency constraints.
- Private Cloud: Dedicated instance within the organisation's cloud tenancy (AWS, Azure, GCP, or sovereign cloud). Full data sovereignty, custom networking, and integration with existing cloud infrastructure.
- On-Premises / Air-Gapped: Self-hosted deployment for environments with strict data handling requirements. Supports air-gapped networks, classified environments, and installations where no external connectivity is available.
Security Model
C-PAP implements defence in depth across all deployment models:
- Role-based access control (RBAC) via Keycloak
- Encryption at rest (AES-256) and in transit (TLS 1.3)
- Audit logging of all platform operations
- Multi-factor authentication support
- Session management and idle timeout controls
- API authentication via OAuth 2.0 / OIDC
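The API section above states that the platform's API is documented to OpenAPI 3.0, and the security model states that API authentication is OAuth 2.0 / OIDC. An assessor receiving such a specification can check both claims mechanically: every operation must either declare, or inherit from the document-level `security` list, a requirement backed by an `oauth2` or `openIdConnect` security scheme. The script below is an added example written for this page, not C-PAP code; the OpenAPI document, its paths, and its scheme names are a constructed sample and do not describe the platform's real API.

```python
"""Audit an OpenAPI 3.0 document for operations not protected by OAuth 2.0 / OIDC.

Added example, not C-PAP code. SAMPLE_SPEC is a constructed document with
hypothetical paths and scheme names; it is not the platform's specification.
"""
import json

# Constructed sample OpenAPI 3.0 document (hypothetical endpoints and schemes).
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "info": {"title": "sample-assurance-api", "version": "0.1"},
    "components": {
        "securitySchemes": {
            "oidc": {
                "type": "openIdConnect",
                "openIdConnectUrl": "https://idp.example.invalid/.well-known/openid-configuration",
            },
            "legacyKey": {"type": "apiKey", "in": "header", "name": "X-API-Key"},
        }
    },
    "security": [{"oidc": []}],  # document-level default inherited by operations
    "paths": {
        "/assessments": {
            "get": {"responses": {"200": {"description": "ok"}}},
            "post": {"security": [{"oidc": []}], "responses": {"201": {"description": "created"}}},
        },
        "/evidence/{id}": {
            "get": {"security": [{"legacyKey": []}], "responses": {"200": {"description": "ok"}}},
        },
        "/health": {
            "get": {"security": [], "responses": {"200": {"description": "ok"}}},
        },
    },
}

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}
STRONG_TYPES = {"oauth2", "openIdConnect"}


def load_spec(path):
    """Read an OpenAPI document from a JSON file (YAML specs would need a YAML loader)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def audit_openapi_security(spec):
    """Return (METHOD, path, finding) tuples for operations not protected by OAuth2/OIDC."""
    schemes = spec.get("components", {}).get("securitySchemes", {})
    global_req = spec.get("security")
    findings = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS:
                continue  # skip 'parameters', 'summary', vendor extensions, etc.
            # An operation-level 'security' overrides the global list; absent means inherit.
            # An empty list explicitly removes all requirements (anonymous access).
            requirements = op.get("security", global_req)
            if not requirements:
                findings.append((method.upper(), path, "no authentication required"))
                continue
            # Each list element is an alternative the client may satisfy,
            # so every alternative must be OAuth2/OIDC for the operation to count as protected.
            weak = []
            for alt in requirements:
                if not alt:
                    weak.append("anonymous")  # {} means optional/no auth
                for name in alt:
                    stype = schemes.get(name, {}).get("type")
                    if stype not in STRONG_TYPES:
                        weak.append(f"{name}({stype or 'undefined'})")
            if weak:
                findings.append((method.upper(), path, "weak or undefined scheme: " + ", ".join(weak)))
    return findings


if __name__ == "__main__":
    for method, path, finding in audit_openapi_security(SAMPLE_SPEC):
        print(f"{method} {path}: {finding}")
```

Run against the constructed sample it reports the `apiKey`-protected evidence endpoint and the anonymous health endpoint; an unauthenticated health check may be an accepted exception, but it should appear in the review record rather than pass silently.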
Data Handling & Sovereignty
C-PAP is designed for UK data sovereignty by default. All data processing and storage occurs within the deployment boundary — no data leaves the platform environment unless explicitly exported by an authorised user.
A Data Protection Impact Assessment (DPIA) is available for organisations that need to conduct privacy assessments as part of their procurement process.
Supply Chain Transparency
C-PAP generates Software Bills of Materials (SBOMs) in both CycloneDX and SPDX formats, providing full visibility into the platform's dependency chain for procurement and security assessment purposes.
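Receiving an SBOM is only useful if the recipient actually consumes it. The script below is an added example written for this page, not C-PAP code: it normalises a CycloneDX JSON document and an SPDX JSON document into one inventory shape, flags components that cannot be fully identified or licence-checked (no version, no purl, or no licence), and cross-checks that the two formats describe the same component set. Both SBOMs are constructed samples with made-up package versions; they do not describe the platform's real dependencies.

```python
"""Consume CycloneDX and SPDX SBOMs and check them for completeness and agreement.

Added example, not C-PAP code. Both documents below are constructed samples
with made-up versions; json.load() on a real SBOM file yields the same shape.
"""

# Constructed CycloneDX 1.5 JSON document.
CYCLONEDX_SAMPLE = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "fastapi", "version": "0.0.1-sample",
         "purl": "pkg:pypi/fastapi@0.0.1-sample",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "uvicorn", "version": "0.0.2-sample",
         "purl": "pkg:pypi/uvicorn@0.0.2-sample"},  # no licence declared
        {"type": "library", "name": "pydantic", "version": "0.0.3-sample",
         "purl": "pkg:pypi/pydantic@0.0.3-sample",
         "licenses": [{"license": {"id": "MIT"}}]},
    ],
}

# Constructed SPDX 2.3 JSON document for the same build; pydantic is missing here.
SPDX_SAMPLE = {
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "sample-build",
    "packages": [
        {"SPDXID": "SPDXRef-fastapi", "name": "fastapi", "versionInfo": "0.0.1-sample",
         "licenseConcluded": "MIT",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:pypi/fastapi@0.0.1-sample"}]},
        {"SPDXID": "SPDXRef-uvicorn", "name": "uvicorn", "versionInfo": "0.0.2-sample",
         "licenseConcluded": "NOASSERTION",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:pypi/uvicorn@0.0.2-sample"}]},
    ],
}


def inventory_from_cyclonedx(bom):
    """Normalise CycloneDX components to {name: {version, purl, licenses}}."""
    inv = {}
    for c in bom.get("components", []):
        licences = []
        for entry in c.get("licenses", []):
            # Entries are either {"license": {"id"|"name": ...}} or {"expression": ...}.
            lic = entry.get("license", {})
            licences.append(lic.get("id") or lic.get("name") or entry.get("expression"))
        inv[c["name"]] = {"version": c.get("version"), "purl": c.get("purl"),
                          "licenses": [x for x in licences if x]}
    return inv


def inventory_from_spdx(doc):
    """Normalise SPDX packages to the same shape; NOASSERTION/NONE count as no licence."""
    inv = {}
    for p in doc.get("packages", []):
        purl = None
        for ref in p.get("externalRefs", []):
            if ref.get("referenceType") == "purl":
                purl = ref.get("referenceLocator")
        lic = p.get("licenseConcluded") or p.get("licenseDeclared")
        licences = [] if lic in (None, "NOASSERTION", "NONE") else [lic]
        inv[p["name"]] = {"version": p.get("versionInfo"), "purl": purl, "licenses": licences}
    return inv


def audit_inventory(inv):
    """Return (name, problem) pairs for components a reviewer cannot identify or licence-check."""
    findings = []
    for name, meta in sorted(inv.items()):
        if not meta["version"]:
            findings.append((name, "missing version"))
        if not meta["purl"]:
            findings.append((name, "missing purl"))
        if not meta["licenses"]:
            findings.append((name, "no licence information"))
    return findings


def compare_inventories(a, b):
    """Return (only in a, only in b, present in both but with differing version or purl)."""
    only_a = sorted(set(a) - set(b))
    only_b = sorted(set(b) - set(a))
    mismatched = sorted(n for n in set(a) & set(b)
                        if (a[n]["version"], a[n]["purl"]) != (b[n]["version"], b[n]["purl"]))
    return only_a, only_b, mismatched


if __name__ == "__main__":
    cdx = inventory_from_cyclonedx(CYCLONEDX_SAMPLE)
    spdx = inventory_from_spdx(SPDX_SAMPLE)
    print("CycloneDX findings:", audit_inventory(cdx))
    print("SPDX findings:", audit_inventory(spdx))
    print("only CycloneDX / only SPDX / mismatched:", compare_inventories(cdx, spdx))
```

When a supplier ships both formats for the same release, the two inventories should agree; a component present in one document but not the other, or with a different purl, is a question to raise before the SBOM is relied on for vulnerability matching.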
Discuss Your Deployment Requirements
Every environment is different. Let us understand your infrastructure, security, and data handling requirements.