Page 03 · Recommendations

Architecture & Technology

Our recommendation departs from the RFP's modular-monolith suggestion: we propose a microservices architecture where each core domain is an independently deployable API. On the client side, a single React Native + Capacitor codebase powers both web and mobile.

Core domain APIs

Authentication & Access Control API

Workshop Management API

Retailer Management API

Vehicle, VIN & OE Mapping API

RFQ Management API

Quotation Management API

Matching Engine API

Order Management API

Delivery & Logistics API

Payments & Refunds API

Notification Service API

Admin Operations API

Analytics & Reporting API

Audit Logging & Monitoring API

Architectural objectives

▸Independently deployable services — each domain owns its data and lifecycle

▸Horizontal scalability per service based on real-world load patterns

▸Avoid vendor lock-in through widely adopted technologies and open standards

▸Support GCC expansion, bilingual (Arabic/English) interfaces and RTL

▸Clear API contracts (OpenAPI) between services and clients

▸Critical workflows are auditable and operationally traceable

Technology stack

Frontend (Web & Mobile)

React.js + Capacitor (React Native)

Single codebase delivering responsive web and native iOS/Android from one source. Performs as a true reactive cross-platform application — no separate web build to maintain.

Backend

Microservices APIs · Java · Spring Boot

Each domain module is built as an independent API service with its own endpoints, deployment unit and scaling profile. The RFP suggests a modular monolith — we recommend going one step further with microservices for true isolation, independent release cadence and resilience.

Database

PostgreSQL + PostGIS · per-service

ACID compliance and first-class geospatial capabilities for retailer matching. Schema-per-service to preserve service boundaries.

Caching & Queues

Redis

High-performance caching, rate limiting, session management and async RFQ distribution queues across services.

API Gateway

Gateway + Service Discovery

Single entry point for clients, request routing, auth offload, and consistent rate-limiting policy across all microservice APIs.

Cloud Hosting

Hostinger (KVM VPS) → AWS

Cost-efficient KVM footprint for the MVP, with a clear migration path to AWS as the platform scales.

Performance benchmarks

API Response Time (p95)< 200 ms for CRUD operations

Page Load Time< 3 seconds on 4G/LTE

RFQ Distribution Latency< 5 seconds, submission → notification

Mobile App Cold Start< 4 seconds on mid-range devices

Concurrent Users (Launch)500 simultaneous users

RFQ Volume (Launch)1,000 RFQs / day

Availability & reliability

▸ 99.9% uptime target
▸ High-availability architecture — no single point of failure
▸ Automated daily backups with 30-day retention
▸ Staging and production environment separation
▸ Real-time alerting on critical failures

Security · In scope

✓Encryption in transit (TLS 1.2+)
✓Encryption at rest (AES-256)
✓Password security (bcrypt hashing)
✓Secrets management (environment variables)
✓RBAC enforced at API level
✓Server-side input validation
✓Rate limiting per user / IP
✓File upload security — type validation, size limits, malware scanning
✓Audit logging for all privileged actions

Security · Out of scope · Phase 1

— Penetration Testing — deferred to Phase 2 (cost & timeline)
— SaaS-based security testing — SAST via SonarQube used as MVP alternative

Infrastructure

Server specifications

Environment	CPU	RAM	Storage
Production (MVP)	8-core	32 GB	200 GB SSD
Development	4-core	8–16 GB	100 GB SSD
Testing / QA	2-core	4–8 GB	50 GB SSD

DevOps — phased roll-out

Capability	Phase 1	Phase 2	Phase 3
Source code repository (Git)	✓	✓	✓
CI/CD pipeline	partial	✓	enhanced
Containerisation (Docker)	✓	✓	✓
Environment management	✓	✓	✓
Secrets management	✓	✓	✓
Database migrations	✓	✓	✓
Monitoring & logging	—	✓	✓
Infrastructure as Code	—	—	Terraform

Backup strategy: automated daily database backups · 30-day retention · tested restore procedures.