How is the Cloud infrastructure architected?

Cloud is architected as a multi-tenant software-as-a-service system with a strong emphasis on security and data segmentation.  The following sections follow the simplified architecture diagram presented below, offering additional insight into how Cloud works.


A variety of external systems access Cloud servers.  Agents use Cloud from the browser directly or as an embedded component of another application.  Client applications deployed to devices connect to Cloud to facilitate remote control, camera sharing and diagnostics during service delivery.  

The Cloud SDK applications integrate live support capabilities along with in-app self-service.  External applications integrate with the Cloud API and can receive notifications.

Agent Navigator

The primary Cloud web application is accessed from a tenant-specific URL (e.g. for the mycompany tenant).  All communication with the application server is secured using TLS on port 443.  The TLS-secured communication includes both the HTTPS web requests and long-running secure WebSocket (WSS) requests for real-time browser application feedback.

Remote Client and Cloud SDK Applications

Windows, Mac, iOS and Android clients and Cloud SDK based applications connect securely to Cloud servers.  Clients connect to the application servers using TLS on port 443 over HTTPS and secure WebSocket (WSS) connections.  In addition, clients may establish remote control and camera sharing connections over AES-256 encrypted TCP to a relay server on port 443.  Communication between clients and the relay server uses a custom protocol secured by a per-connection symmetric key distributed over HTTPS.

Integration

Cloud has a rich set of flexible APIs for integrating with corporate and contact center systems and customer applications. In addition, the Cloud Guided Path application architecture allows partners to extend Guided Path functionality almost at will. Cloud includes the following types of integration:

  • Client SDKs (Android, iOS, JavaScript) allow you to embed self-service and assisted-service in consumer-facing applications.
  • Portal UI Integration enables you to embed Cloud in your agent-facing applications.
  • REST APIs allow your applications to perform read/update/create (GET/PUT/POST) operations on Cloud data objects.
  • Event Subscriptions enable your application to receive notifications of selected Cloud events, such as state transitions. They are intended for use in conjunction with the REST API, enabling an application to receive rich information about events and data objects.
  • Guided Path Apps are web applications that allow you to embed external content in Guided Paths.

All integrations communicate with Cloud through HTTPS API endpoints for security.  Please visit for more information.

Application

Cloud application servers are deployed behind load balancers in a highly available, scalable configuration designed to handle a growing system load reliably.  Additional application and relay servers can be added as needed to achieve horizontal scale to accommodate growing system load.

Application Server

Cloud application servers run the main web application and are accessed over HTTPS and secure WebSocket connections.  Tenant qualified host names in requests, e.g., directly convey a tenant context to application servers.  This tenant identification forms a strong basis for the multi-tenant data facilities that will be presented.  Application servers are implemented based on a modern NGINX, Node.js, Redis, Kafka, PostgreSQL technology stack.

Relay Server

Remote control and camera sharing connections are handled by relay servers.  Clients connect to relay servers using a custom TCP/AES-256 secured protocol.  This custom protocol is then translated for consumption by the /nexus browser based remote display client over a secure WebSocket connection.


The Cloud data layer is built with a strong value for enforced tenant data separation. Cloud stores limited customer information including email address, first/last name and phone numbers as provided to the agent. The Cloud mobile sessions also capture various information about the mobile device H/W and S/W specifications:

  • manufacturer
  • brand
  • model
  • operating system
  • memory size
  • processor
  • device name
  • serial number.

Remote control sessions are encrypted using AES-256 before transmission and stored using AES-256 at rest.

Database (PostgreSQL)

Two types of databases are used in Cloud.  The global database holds minimal administrative data about the overall system and includes a directory of tenants.  Container databases contain data for multiple tenants.  Access to any one tenant in a container database is strictly enforced by database users with specific tenant permissions limited to a single tenant schema.  The database users enforce a strong separation of tenant data directly from the database layer.

File Store

Guided path content, attachments, remote recordings and any other tenant file data is stored in tenant specific file containers.

Cache (Redis)

A caching system is used to increase performance.  All data in the cache is keyed with a tenant identifier in order to provide data separation at this level.

Queue (Kafka)

Real-time session events are published to a message queue.  Queue topics include tenant identifiers to separate tenant data.
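
The tenant context described above flows from the request host name into cache keys and queue topics. The sketch below is an added example, not the product's code, showing one way to derive and validate that context on a Node.js server. The base domain `cloud.example`, the tenant directory set, and the key and topic layouts are assumptions made for illustration.

```javascript
// Added example. BASE_DOMAIN, the directory contents and the key/topic
// layouts are hypothetical; the page does not document the real ones.
const BASE_DOMAIN = 'cloud.example';
// One DNS label: lowercase letters, digits, inner hyphens, at most 63 chars.
const TENANT_LABEL = /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/;

// Resolve the tenant from a Host header value; return null to reject.
// `directory` stands in for the tenant directory held in the global database.
function tenantFromHost(hostHeader, directory) {
  if (typeof hostHeader !== 'string' || hostHeader.length > 255) return null;
  // Normalise: lowercase, drop an optional :port and a trailing root dot.
  const host = hostHeader.toLowerCase()
    .replace(/:\d{1,5}$/, '')
    .replace(/\.$/, '');
  const suffix = '.' + BASE_DOMAIN;
  if (!host.endsWith(suffix)) return null;
  const label = host.slice(0, -suffix.length);
  // Exactly one label before the base domain: no nested subdomains and no
  // '.', ':' or '/' that could later escape a key or topic prefix.
  if (!TENANT_LABEL.test(label)) return null;
  // Syntactically valid is not enough; the tenant must exist.
  return directory.has(label) ? label : null;
}

// Cache key: the tenant is always the first segment, and no segment may
// contain the ':' separator, so one tenant's ids cannot alias another's.
function cacheKey(tenant, kind, id) {
  for (const part of [tenant, kind, id]) {
    if (!/^[A-Za-z0-9_-]+$/.test(String(part))) {
      throw new Error('invalid key segment');
    }
  }
  return `tenant:${tenant}:${kind}:${id}`;
}

// Queue topic carrying the tenant identifier. Kafka topic names are limited
// to [a-zA-Z0-9._-], which the tenant label pattern already satisfies.
function sessionTopic(tenant) {
  if (!TENANT_LABEL.test(tenant)) throw new Error('invalid tenant');
  return `sessions.${tenant}.events`;
}

// Constructed sample directory for the example.
const SAMPLE_DIRECTORY = new Set(['mycompany', 'acme-support']);
```

Rejecting the request when `tenantFromHost` returns null, before any cache or queue access, keeps an unrecognised or malformed host name from ever selecting a tenant namespace.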

ETL (Custom + Storm)

A real-time ETL process responds to queued events in order to update analytic data.


Real-time analytics reporting services are provided by dedicated servers.


Real-time event queues are monitored for external event subscriptions.  When an event of interest arrives, it is forwarded to a registered external API endpoint. 

Production Services

Cloud applications and services are hosted within Data Centers installed in state of the art co-location facilities.  Their availability and reliability are assured by the implementation of security and availability methods and procedures designed to cover physical access and protection, network connectivity, remote and local access, application and server management, availability and customer sensitive data.

Network Security

  • Firewall
    • Multiple zones for tiered security
    • All public traffic traverses DMZ
    • Firewalls are configured to only allow traffic specific to Cloud applications and services.  All other traffic is restricted.
    • Access policies are defined based on TCP service ports and protocols
    • FTP and telnet are blocked both at the firewall, and where necessary, at the server OS level, preventing anonymous access
    • Applause based IDP/IPP identifies, classifies, and stops malicious traffic at the perimeter.
    • Inline prevention technologies take preventive action on a broad range of threats including Denial of Service (DoS)
    • Network protection from policy violations, vulnerability exploitations, and anomalous activity through detailed inspection of traffic in Layers 2 through 7
  • Internal Network
    • VLAN segmentation
    • Separation of management and application networks
    • Out-of-band network for redundant access to appliances and servers

Operational Security

  • Access and Change Management
    • Staff background checks
    • Restricted access based on Roles and Responsibilities
    • LDAP based SSO controls user access to systems and appliances
    • Change management approval workflow for all production services
  • Systems and Appliances Management
    • Operating System hardening to remove unused services
    • Regular patching and updates
    • Configuration Management automation
    • System logging
    • Periodic vulnerability assessment 

Physical Security

  • 24x7 On-site security personnel
  • 100% CCTV coverage
  • Biometric and electronic key card access
  • All ingress/egress through vestibules (man-traps)
  • Natural boundary protection
  • Where appropriate, localized Natural Disaster and Code compliance to all local standards (flood plain, seismic, etc)
  • N+1 mechanical infrastructure including HVAC, Pre-action multi-zone smoke/fire suppression
  • N+1 electrical infrastructure redundancy including redundant utility feeds
  • Co-location facility provides 100% uptime SLA.


  • Carrier grade hardware utilized throughout the datacenter
  • Physical redundancy server configurations for web, application and database server layers
  • Servers deployed with redundancy across separate physical hosts and separate physical datacenters
  • Redundant connectivity throughout the internal network
  • N+1 aggregated ISP connectivity utilizing HSRP, with 100% uptime SLA from provider
  • Highly available storage/disks including redundant power supplies, controllers, and network connections
  • All datacenter hardware fed by redundant and disparate commercial power, backed up by UPS and generators


  • Automation provides regularly scheduled backups of DB and server images
  • Synchronization technology sends regular updates of backups electronically to offsite and geographically disparate storage
  • All local and offsite backups are monitored and automatically retry as needed

Disaster Recovery

  • Fully redundant and geographically disparate data center, inclusive of all systems, applications and appliances necessary to make the Cloud application available.
  • Data replication from primary to secondary data centers to provide near-realtime data availability.
  • In the event of a disaster, all services will be rerouted to the DR site via DNS re-assignment.