Architecture
How Scrydon is laid out across your cluster — trust zones, subsystems, traffic crossings, and where to look for what.
Scrydon is a customer-deployed Kubernetes platform. This section is the architectural reference for the system you're running.
Trust zones
Three zones, with the boundaries between them explicit and configurable:
| Zone | Owner | What lives there |
|---|---|---|
| Scrydon | Scrydon (the vendor) | License Server (license.scrydon.com). The single endpoint your cluster phones home to. No customer data flows here. |
| Customer | You — your Kubernetes cluster | The entire Scrydon platform: ingress, auth, agentic workflows, analytics, ontology, document storage, and (optionally) a customer-owned GPU pool for self-hosted inference. |
| External Vendors | Third parties — OpenAI, Anthropic, Microsoft, Azure OpenAI, AWS Bedrock, ElevenLabs, Microsoft Graph, … | Cloud LLM / embeddings / STT / TTS / GPU APIs. Reached from the customer zone only when you opt in by installing an integration. |
Slim view
The picture to put in a deck:
Traffic across zones
Only three crossings exist:
| Direction | Required / Opt-in | Purpose |
|---|---|---|
| Customer → Scrydon | Required for licensed operation (license traffic only) | Daily license validation (POST /api/license/validate, 30-day grace window). |
| Customer → External Vendors | Opt-in per integration | Cloud LLM / embeddings / STT / TTS / GPU / Microsoft Graph — resolved through the integration registry. Never hardcoded. |
| User → Customer | Required | All product traffic — chat, documents, voice. Terminates at Traefik in your cluster. |
No data crosses Customer → Scrydon other than the license heartbeat. No data crosses Customer → External Vendors unless your organisation explicitly installs and selects that integration.
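One way to check the two outbound crossings in practice: classify each egress flow leaving the customer zone against the model above, flagging anything that is neither the license heartbeat nor an installed integration. This is an added example, not Scrydon code; the flow records and the `installed_integrations` set (assumed to be an export of the integration registry's vendor hostnames) are constructed, and the license-state helper only encodes the daily validation and 30-day grace window stated on this page.

```python
from datetime import datetime, timedelta, timezone

LICENSE_HOST = "license.scrydon.com"          # the one Scrydon-zone endpoint
LICENSE_PATH = "/api/license/validate"        # daily validation call
GRACE_WINDOW = timedelta(days=30)             # grace window after the last good validation


def license_state(last_ok: datetime, now: datetime) -> str:
    """Classify licensed operation from the last successful validation.

    'valid' while within the daily cadence, 'grace' while inside the
    30-day window, 'expired' once the window has passed.
    """
    age = now - last_ok
    if age <= timedelta(days=1):
        return "valid"
    if age <= GRACE_WINDOW:
        return "grace"
    return "expired"


def classify_egress(flow: dict, installed_integrations: set) -> str:
    """Map one outbound flow from the customer zone to a permitted crossing.

    Returns 'license' (Customer -> Scrydon), 'integration' (Customer ->
    External Vendor that has been installed), or 'unexpected'.
    """
    host = flow["dst_host"]
    if host == LICENSE_HOST and flow.get("path") == LICENSE_PATH:
        return "license"
    if host in installed_integrations:
        return "integration"
    return "unexpected"   # covers uninstalled vendors and any other destination


def audit_egress(flows: list, installed_integrations: set) -> list:
    """Return the flows that fall outside the crossings the trust-zone model allows."""
    return [f for f in flows if classify_egress(f, installed_integrations) == "unexpected"]


# Constructed sample flows (hostnames chosen for illustration only).
SAMPLE_FLOWS = [
    {"dst_host": "license.scrydon.com", "path": "/api/license/validate"},
    {"dst_host": "api.openai.com", "path": "/v1/chat/completions"},
    {"dst_host": "api.anthropic.com", "path": "/v1/messages"},
    {"dst_host": "files.example.net", "path": "/upload"},
]
INSTALLED = {"api.openai.com"}   # assumed registry export: only one vendor opted in
```

Running `audit_egress(SAMPLE_FLOWS, INSTALLED)` on the constructed data flags the Anthropic and `files.example.net` flows, since neither is the license heartbeat nor an installed integration.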
Subsystems
Agentic
The workflow engine. Visual editor, automations, and the workflow runtime.
Analytics stack
Managed tables, schema inference, classification, and the OLAP layer that backs them.
Ontology
Typed Object / Link / Action layer over your managed tables and knowledge bases.
Cortex (LLM gateway)
The internal hop every LLM, embedding, and image call goes through.
Copilot
AI-powered assistant embedded in the workflow editor — Ask, Build, and Plan modes.
Realtime voice
Low-latency WebRTC pipeline for voice agents.
How a request flows
A typical request — "the user asks the chat agent a question that requires looking something up in a managed table" — touches a handful of subsystems in this order:
- Traefik terminates TLS and routes to Platform (auth + session).
- Platform authenticates the user, evaluates the policy registry, and forwards to Agentic.
- Agentic executes the workflow. The Agent block dispatches its LLM call through Cortex.
- Cortex picks the model — self-hosted inference, or an external cloud vendor — and returns the response.
- The agent calls a tool that reads a managed table. Analytics projects the typed result through the Ontology layer (if the workflow uses one), applying DLP labels and column masking on the way out.
- The response streams back to the user via the same path.
Every step is authorised, every cross-service call is mutually authenticated, and every sensitive operation lands in the audit log.
Related sections
- Deployment — install Scrydon on your cluster (Helm, Azure Marketplace, air-gapped Zarf).
- Security — DLP, authorisation, secrets, audit, mTLS, ingress hardening.
- Compliance — ISO 27001 / 42001, EU AI Act, GDPR, SOC 2, SecNumCloud, NIST, CRA, AIUC-1.
- Platform — identity, workspaces, settings, licensing.