Supported deployment models
SaaS
Vendor hosted, dedicated env. Optimized for speed to production with full governance and evidence delivery.
BYOC
Dedicated runtime inside the institution cloud account, with managed operations and perimeter sovereignty.
On-Prem
Dedicated runtime in the institution datacenter for maximum sovereignty and local integration needs.
Architecture and trust boundaries
Transactional core (on-chain enforcement)
Transaction critical flows are enforced by smart contracts. Settlement, permissioning, and core invariants execute deterministically on-chain, reducing reliance on mutable off-chain services in the critical path.Institutional outcomes:
- Reduced mutable attack surface for highest risk functions
- Independent verification via on-chain state and events
- Clear trust boundaries between governance systems and transactional execution
Governance and oversight layer (institution console)
The institution console is the system of record for governance and evidence:
- identity and role based access control (RBAC)
- separation of duties and approval workflows for sensitive actions
- policy configuration (permissions, limits, risk constraints)
- release metadata (versioning and immutable artifact identifiers)
- audit logs (who, what, when, where)
- operational workflows (deployment requests, rollback requests, secret rotation requests)
- evidence generation for audits, incident timelines, and resilience testing
- Least privilege by default, scoped to tenant and environment boundaries
- Separation of duties for sensitive operations
- Evidence first operations with correlation IDs
Execution layer (institution dedicated runtime)
A dedicated single tenant stack per institution, hardened to institutional baselines:
- network segmentation and least privilege
- minimal exposed ports with explicit allow rules
- encryption in transit (TLS) and encryption at rest where applicable
- host and container hardening with patching and vulnerability management
- backups and restore drills aligned to defined RTO and RPO targets
- logging and monitoring aligned to institution oversight processes
Levery separates service availability (runtime serving end users) from operational availability (ability to deploy,
roll back, and configure under governance). This preserves resilience without weakening change control.
Security and assurance posture
Release integrity and controlled change
- Deployments reference immutable artifacts (for example pinned image digests)
- Production changes run only through approved workflows
- Release metadata and outcomes are recorded in the governance layer
- Rollbacks are standardized and tested
Auditability and end to end traceability
The operating model preserves evidence of: - who requested the change - who approved the change - what changed
(release identifier) - where it was applied (tenant and environment) - the resulting outcome (health checks and
timestamps)
Resilience and recoverability
- Backups aligned to defined retention policies - Periodic restore drills with recorded outcomes - RTO and RPO targets agreed per deployment - Standardized incident management workflow with evidence capture
SaaS (single tenant, vendor hosted)
Summary A vendor operated dedicated environment that prioritizes speed to production while providing governance and evidence for institutional oversight. Where each layer runs| Layer | Location |
|---|---|
| Transactional core | on-chain |
| Governance layer | vendor managed institution console |
| Execution layer | vendor hosted dedicated runtime |
- Vendor hosted outsourcing is permitted by internal policy
- The institution prefers managed operations
- Governance and evidence delivery are required for third party oversight
- Strict change governance with approvals, immutable release identifiers, and standardized rollback
- Complete audit trail for privileged actions and operational events
- Resilience evidence (backup policy, restore drills, RTO and RPO commitments)
- Clear data retention and portability approach
- Vendor hosting risk controls and evidence cadence
- Incident response posture and notification SLAs
- Disaster recovery posture and test evidence
- Assurance that deployed artifacts match approved releases
BYOC (single tenant, institution hosted in the institution cloud account)
Summary The institution provides the infrastructure boundary in its own cloud account, while Levery deploys and operates the dedicated stack inside approved controls. This combines managed operations with perimeter sovereignty. Where each layer runs| Layer | Location |
|---|---|
| Transactional core | on-chain |
| Governance layer | vendor managed institution console (or a dedicated instance if required) |
| Execution layer | institution cloud account runtime |
- Policy requires workloads and data to remain inside the institution cloud account
- Alignment with internal network controls and infrastructure evidence is required
- Data residency and encryption key ownership requirements must be satisfied with institution owned primitives
- The institution controls the perimeter, routing, firewall policy, and infrastructure audit logs
- Managed operations remain governed through approved workflows and immutable releases
- Evidence is straightforward to package and correlate across infrastructure, governance, and application layers
- Outbound only operational connectivity where required by policy
- Institution controlled encryption keys (KMS or HSM) when mandated
- Strict segmentation between tiers with least privilege connectivity
- Standardized incident and resilience procedures with recorded evidence
On-Prem (single tenant, institution hosted on premises)
Summary The institution provides dedicated compute and network controls in its datacenter. Levery deploys and operates the dedicated stack under strict segmentation and privileged access governance. Where each layer runs| Layer | Location |
|---|---|
| Transactional core | on-chain |
| Governance layer | vendor managed institution console (or a dedicated instance if required) |
| Execution layer | institution datacenter runtime |
- Internal policy or classification mandates on premises compute
- Maximum sovereignty over infrastructure, telemetry, and access controls is required
- Low latency integration with internal systems is a priority
- Strict segmentation and allowlisting within the datacenter
- Privileged access governance for administrative operations (MFA, session recording, time bounded access)
- Clear operational responsibility boundaries for patching, vulnerability management, and disaster recovery execution
- Standardized evidence capture for change governance and operational events
- Vendor assisted operations under institution controlled privileged access governance
- Institution executed operations using approved release packages and runbooks when policy prohibits vendor access
What to expect in institutional due diligence
Levery provides an evidence pack aligned with typical institutional security questionnaires, including:- trust boundary and data flow diagrams
- control mapping (policy to control to evidence)
- change and release evidence (approvals, immutable release identifiers, deployment outcomes)
- incident response plan and reporting format
- resilience evidence (RTO and RPO targets, backups, restore drill results)
- security testing summaries and remediation tracking
- portability and exit plan (especially for vendor hosted deployments)