
Wovex Solution Architecture

An introduction to the Wovex standard solution architecture.

Updated over a week ago

Wovex Cloud Architecture Overview (Azure, Single‑Tenant)

1. Purpose & Audience

This document provides an overview of the cloud architecture used to host the Wovex application for Enterprise customers. It is aimed at:

  • Customer IT, security, and architecture teams.

  • Internal Wovex support and implementation teams.

It describes the main components, how they interact, and the key controls around security, data protection, and tenancy.


2. System overview

2.1 What Wovex is

Wovex is a SaaS platform for benefits realisation management – helping organisations plan, track and evidence the value delivered by change initiatives and investments.

Typical capabilities include:

  • Capturing projects, programmes and portfolios and their expected benefits.

  • Mapping outcomes, measures and value drivers.

  • Tracking actuals vs forecasts.

  • Providing dashboards and reports for stakeholders.

2.2 High‑level architecture summary

For each customer, Wovex is deployed as a web application running on Microsoft Azure and structured around:

  • Web Application: C# ASP.NET MVC application hosted on Azure App Service (Windows).

  • Database: Customer‑specific Azure SQL Database instance.

  • File/Object Storage: Azure Storage account (for files such as attachments, exports or other binary application data).

  • Email Delivery: Integration with Twilio SendGrid for transactional and notification emails.

The application is accessed over the public internet using HTTPS (TLS).

Enterprise customers choose the hosting region from the Microsoft Azure regions available (for example Australia, Canada, Europe, the UK and the USA); the customer's resources are deployed in that region.


3. Tenancy & isolation model

3.1 Single‑tenant application & database

For Enterprise customers:

  • App Service (web app) – a dedicated Azure App Service instance.

  • Database – a dedicated Azure SQL Database.

This provides:

  • Isolation of application compute (no other customer’s workloads run in the same App Service instance).

  • Data separation at the database level: the customer's data is held in its own dedicated database and is never stored in shared customer tables within a multi‑tenant database.

3.2 Storage and email services

  • Azure Storage account – Wovex uses Azure Storage accounts for images and other binary application files (attachments, documents and exports; see section 4).

  • SendGrid – Email is sent via Twilio SendGrid over an encrypted (TLS) connection, authenticated with a scoped API key (see section 5.5).


4. Logical architecture

At a logical level, the system is composed of the following layers:

  1. Presentation layer

    • Web UI delivered by the ASP.NET MVC application.

    • Accessed from modern browsers via HTTPS.

  2. Application/business layer

    • Implements Wovex business rules (e.g. benefit mapping, benefits tracking, portfolio analysis).

    • Handles authentication & authorisation at the application level.

    • Coordinates calls to the database, storage, and email service.

  3. Data layer

    • Azure SQL Database – primary system of record for:

      • Customers, users, permissions.

      • Projects, portfolios, benefits and measures.

      • Configuration and reference data.

    • Azure Storage Account – for:

      • Attachments and documents.

      • Reports/exports.

      • Other binary artefacts as needed.

  4. Integration layer

    • SendGrid – used to send:

      • Account invitations and password reset emails.

      • Notifications, reminders, and other transactional mail.


5. Physical / deployment architecture (Azure)

5.1 Azure services used

For a typical production deployment for one customer, the following Azure resources are involved:

Component          Azure service                                   Purpose
-----------------  ----------------------------------------------  ----------------------------------------------------
Web application    Azure App Service (Web App, Windows)            Hosts the Wovex ASP.NET MVC application.
Database           Azure SQL Database                              Stores structured application data for the customer.
File storage       Azure Storage Account                           Stores files, documents, and binary artefacts.
Email delivery     Twilio SendGrid (SaaS, integrated with Azure)   Sends transactional and notification emails.
Monitoring         Azure Monitor / Application Insights            Telemetry, performance metrics, and logging.

5.2 Azure App Service (Web Application)

  • Platform‑as‑a‑Service – Azure App Service is a managed PaaS: Microsoft patches the underlying OS and runtime on a monthly cadence, so Wovex is responsible for the application and its data rather than for servers.

  • Runtime – Wovex runs as a C# ASP.NET MVC application on the Windows App Service runtime.

  • Access – The application is exposed over HTTPS, typically under a customer‑specific hostname such as https://Customername.wovex.com.

5.3 Azure SQL Database

  • Provides relational data storage with high availability.

  • Transparent Data Encryption (TDE) encrypts the database, its transaction log and its backups at rest; TDE is enabled by default on Azure SQL Database and is on for all customers.

  • Azure SQL takes full, differential and transaction‑log backups automatically and supports point‑in‑time restore (PITR) within a configurable retention window. The default PITR retention is 7 days, extendable on request to 35 days.

5.4 Azure Storage Account

  • Stores files (e.g. attachments) in Azure Blobs or Files.

  • Azure Storage encrypts all data at rest using 256‑bit AES; encryption is on by default for all storage accounts.

  • Access is over HTTPS (the storage account setting "Secure transfer required" is what rejects plain HTTP). Access can optionally be tightened further with private endpoints/VNet integration and/or shared access signature (SAS) tokens, which grant time‑limited access to specific containers or blobs.

5.5 SendGrid

  • Wovex uses Twilio SendGrid as the outbound email service.

  • The web application calls SendGrid over HTTPS using an API key with a limited scope (e.g. “Mail Send”).


6. Security & data protection

This section summarises key security characteristics of the architecture. It is designed to align with Azure security and data‑encryption best practices.

6.1 Data in transit

  • All browser access to Wovex uses HTTPS (TLS).

  • Azure App Service supports modern TLS versions and certificate options, including custom domains and managed certificates; a minimum TLS version of 1.2 can be enforced on the App Service.

  • Calls from Wovex to Azure SQL Database, Azure Storage, and SendGrid are made over encrypted channels (TLS for the SQL connection, HTTPS for the Storage and SendGrid REST APIs).

6.2 Data at rest

  • Azure SQL Database: TDE encrypts data and backups at rest using service‑managed keys.

  • Azure Storage: All data in Azure Storage accounts is encrypted at rest by default.

  • Additional customer requirements (e.g. customer‑managed keys held in Azure Key Vault) can be supported, subject to scoping and implementation.

6.3 Patching and platform security

  • Azure App Service is PaaS; the underlying OS and application stack are patched automatically by Microsoft on a regular schedule, aligning with Patch Tuesday, using safe deployment practices.

  • This reduces the operational overhead for OS patching and helps keep the environment up to date with security fixes.

6.4 Identity & access control (platform level)

At the Azure platform level:

  • Access to subscription and resources is managed via role‑based access control (RBAC).

  • Only authorised Wovex operations personnel have access to the customer’s resource group(s), on a least‑privilege basis.

  • Integration with the customer’s identity provider (Azure AD, now Microsoft Entra ID, or another SAML identity provider) provides user SSO; this is an application‑level integration rather than an Azure platform control.

Application‑level identity (end‑user login, permissions and roles) is covered in a separate Security & Identity document, which can be provided if required.

6.5 Backups & disaster recovery

  • SQL Database backups: Azure SQL provides automated backups with point‑in‑time restore capabilities within a defined retention window.

  • Storage data: files in Storage are protected against hardware or zone failure by the storage account's redundancy option (e.g. LRS, ZRS or GRS). Redundancy replicates deletions as well, so protection against accidental or malicious deletion relies on features such as blob soft delete or versioning, which must be enabled separately.

  • Disaster recovery model:

    • By default the service runs in a single Azure region and relies on the backups above for recovery. A multi‑region DR option (geo‑replicated SQL Database and Storage plus a region‑failover plan) is available as an additional‑cost service.
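The controls listed in sections 5 and 6 (HTTPS on the App Service, minimum TLS versions on the App Service, SQL server and storage account, TDE, PITR retention, storage encryption and transport) can be verified against a live deployment rather than taken on trust. The script below is an added example for IT reviewers, not Wovex's own tooling: it reads the JSON that the Azure CLI prints for each resource and reports each control as PASS or FAIL. The embedded snapshot is constructed for illustration (the resource names, the deliberately weak 1.0 TLS setting and the mapping of CLI commands to snapshot keys are assumptions), and the public‑blob‑access check is a standard storage hardening check that the page does not list explicitly.

```python
"""Configuration review for a single-tenant Azure deployment of the kind
described above (App Service + Azure SQL Database + Storage account).

Each key of the snapshot holds the JSON printed by one Azure CLI command
(RG, APP, SQLSERVER, DB and STORAGE are placeholder resource names):

  webapp         az webapp show            -g RG -n APP
  webapp_config  az webapp config show     -g RG -n APP
  sql_server     az sql server show        -g RG -n SQLSERVER
  sql_tde        az sql db tde show        -g RG -s SQLSERVER -d DB
  sql_pitr       az sql db str-policy show -g RG -s SQLSERVER -d DB
  storage        az storage account show   -g RG -n STORAGE

SAMPLE_SNAPSHOT is constructed for this example, not taken from a real
deployment; the web app's minimum TLS version is deliberately left at
1.0 so the report shows what a failing control looks like.
"""
import copy
import json
import sys

SAMPLE_SNAPSHOT = {  # constructed sample input
    "webapp": {"name": "customername-wovex", "httpsOnly": True},
    "webapp_config": {"minTlsVersion": "1.0"},
    "sql_server": {"minimalTlsVersion": "1.2"},
    "sql_tde": {"state": "Enabled"},
    "sql_pitr": {"retentionDays": 7, "diffBackupIntervalInHours": 12},
    "storage": {
        "enableHttpsTrafficOnly": True,
        "minimumTlsVersion": "TLS1_2",
        "allowBlobPublicAccess": False,
        "encryption": {
            "keySource": "Microsoft.Storage",  # service-managed keys
            "services": {"blob": {"enabled": True}},
        },
    },
}


def tls_at_least_1_2(value) -> bool:
    """True if a TLS version setting is 1.2 or newer.

    Azure spells the value differently per service ('1.2' on App Service
    and SQL, 'TLS1_2' on Storage). An absent setting counts as a failure,
    because the platform default may be older than 1.2.
    """
    if value is None:
        return False
    digits = str(value).upper()
    if digits.startswith("TLS"):
        digits = digits[3:]
    try:
        major, minor = (int(part) for part in digits.replace("_", ".").split("."))
    except ValueError:
        return False
    return (major, minor) >= (1, 2)


def retention_ok(days) -> bool:
    """PITR retention must be within Azure SQL's 7-day default to 35-day maximum."""
    return isinstance(days, int) and not isinstance(days, bool) and 7 <= days <= 35


# control id, path into the snapshot, predicate on the observed value
CONTROLS = [
    ("webapp.httpsOnly", ("webapp", "httpsOnly"), lambda v: v is True),
    ("webapp.minTlsVersion", ("webapp_config", "minTlsVersion"), tls_at_least_1_2),
    ("sql_server.minimalTlsVersion", ("sql_server", "minimalTlsVersion"), tls_at_least_1_2),
    ("sql_db.tde", ("sql_tde", "state"), lambda v: v == "Enabled"),
    ("sql_db.pitrRetentionDays", ("sql_pitr", "retentionDays"), retention_ok),
    ("storage.enableHttpsTrafficOnly", ("storage", "enableHttpsTrafficOnly"), lambda v: v is True),
    ("storage.minimumTlsVersion", ("storage", "minimumTlsVersion"), tls_at_least_1_2),
    # not listed on the page, but a standard hardening check for attachment storage
    ("storage.allowBlobPublicAccess", ("storage", "allowBlobPublicAccess"), lambda v: v is False),
    ("storage.blobEncryption", ("storage", "encryption", "services", "blob", "enabled"),
     lambda v: v is True),
]


def lookup(snapshot: dict, path: tuple):
    """Walk a nested dict; any missing level yields None (reported as a failure)."""
    node = snapshot
    for key in path:
        node = node.get(key) if isinstance(node, dict) else None
    return node


def review(snapshot: dict) -> list:
    """One record per control, with the observed value so a reviewer sees why it failed."""
    return [
        {"control": control, "observed": lookup(snapshot, path),
         "passed": bool(predicate(lookup(snapshot, path)))}
        for control, path, predicate in CONTROLS
    ]


def failing_controls(snapshot: dict) -> list:
    """Control ids that did not pass, in report order."""
    return [r["control"] for r in review(snapshot) if not r["passed"]]


def with_setting(snapshot: dict, section: str, key: str, value) -> dict:
    """Copy of the snapshot with one setting changed, for what-if checks."""
    changed = copy.deepcopy(snapshot)
    changed.setdefault(section, {})[key] = value
    return changed


def main(path=None) -> int:
    """Print a PASS/FAIL line per control; return 1 if any control failed."""
    if path:
        with open(path, encoding="utf-8") as fh:
            snapshot = json.load(fh)
    else:
        snapshot = SAMPLE_SNAPSHOT
    for record in review(snapshot):
        status = "PASS" if record["passed"] else "FAIL"
        print(f"{status}  {record['control']:<32} observed={record['observed']!r}")
    return 1 if failing_controls(snapshot) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else None))
```

Run it with no arguments to see the report for the constructed sample (which fails on the web app's TLS floor), or pass the path of a JSON file whose six keys hold the output of the listed commands. Further controls from this page, such as a customer‑managed key (section 6.2) or a private endpoint on the storage account (section 5.4), can be added as extra entries in CONTROLS without touching the reporting code.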


7. Monitoring, logging & operations

  • Application monitoring:

    • Azure Application Insights is used to capture request traces, performance metrics, dependency calls (SQL, Storage, SendGrid), and failures.

  • Infrastructure monitoring:

    • Azure Monitor is used to track metrics for App Service, SQL Database, and Storage (CPU, DTUs, connections, throttling, etc.).

  • Security monitoring:

    • Logs can be forwarded into a SIEM (e.g. Microsoft Sentinel) for centralised security monitoring and alerting, as an additional‑cost service.


8. Environments

Typical environment structure:

  • Production – live customer data.

  • Optional non‑production (Test/UAT/Training) – separate single‑tenant Azure resources and databases, typically loaded with synthetic data or a subset of production data. These can be provided as additional‑cost environments for testing early‑release code updates before they reach production.


9. Summary for IT reviewers

For Enterprise customers, Wovex provides:

  • A single‑tenant deployment for the web app and database, hosted on Microsoft Azure App Service and Azure SQL Database.

  • Encryption of data in transit (TLS) and at rest (via Azure SQL TDE and Azure Storage encryption).

  • Isolation from other customers’ workloads at the application and database tiers.

  • Integration with a mature, cloud‑based email delivery service (Twilio SendGrid) for notification and transactional emails.

  • Alignment with Azure security, encryption and operational best practices, with options to extend into customer‑specific requirements (e.g. customer‑managed keys, stricter network controls, SIEM integration).
