LegaciVault Platform

Technical Architecture

System design, data model, security controls, and integration map

System Architecture Stack

Presentation Layer

  • React 19 + TypeScript SPA
  • Tailwind CSS 4 + shadcn/ui
  • Wouter client-side routing
  • Framer Motion animations
  • Recharts data visualizations

Application Layer

  • Node.js / Express API server
  • tRPC type-safe API layer
  • Zod schema validation
  • JWT + OAuth 2.0 auth
  • Role-based access control (RBAC)

Data Layer

  • PostgreSQL (primary datastore)
  • Drizzle ORM
  • Redis (session + cache)
  • S3-compatible object storage (documents)
  • Full-text search index

Infrastructure Layer

  • AWS / Cloudflare CDN
  • Docker containerization
  • Automated backups (daily)
  • Multi-region replication
  • SOC 2 Type II compliance

Core Data Model

Primary entities and their key fields. All sensitive fields (account numbers, SSNs) are stored as hashed or encrypted values.

User

  • id
  • email
  • role
  • mfa_enabled
  • created_at

Trust

  • id
  • name
  • type
  • grantor_id
  • jurisdiction
  • created_date

Asset

  • id
  • trust_id
  • category
  • name
  • value
  • institution
  • account_number_hash

Document

  • id
  • trust_id
  • type
  • s3_key
  • encryption_key_id
  • uploaded_at
  • physical_location

Beneficiary

  • id
  • trust_id
  • person_id
  • role
  • share_percentage
  • account_id

Trustee

  • id
  • trust_id
  • person_id
  • role
  • onboarding_status
  • invited_at

Security Architecture

Encryption at Rest

AES-256 encryption for all stored documents and sensitive data fields. Encryption keys are managed via AWS KMS with automatic rotation.

Encryption in Transit

TLS 1.3 enforced for all connections. HSTS headers prevent downgrade attacks. Certificate pinning for mobile clients.

Authentication

OAuth 2.0 + PKCE flow. MFA required for all accounts. Session tokens expire after 30 minutes of inactivity.

Access Control

Role-based permissions: Owner, Successor Trustee (read-only), Advisor (read-only). Granular document-level sharing controls.

Audit Logging

Immutable audit trail for every document access, download, and permission change. Logs retained for 7 years.
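As an added example (not LegaciVault's own code), the Access Control and Audit Logging rules above in TypeScript, the language the stack lists: the three roles with Successor Trustee and Advisor read-only, a document-level sharing grant (the `sharedWith` set and all type names are assumed, not from the page), and a hash-chained append-only audit record written for every decision so that edits or deletions are detectable.

```typescript
import { createHash } from "node:crypto";

// Roles and actions as listed on the page; only Owner may change sharing.
type Role = "Owner" | "SuccessorTrustee" | "Advisor";
type Action = "view" | "download" | "share";

interface Principal { userId: string; trustId: string; role: Role }
// sharedWith models the page's document-level sharing grants (assumed field name).
interface TrustDocument { id: string; trustId: string; sharedWith: Set<string> }
interface AuditEntry { ts: number; userId: string; docId: string; action: Action;
  allowed: boolean; prevHash: string; hash: string }

const GENESIS = "0".repeat(64);
const auditLog: AuditEntry[] = []; // append-only; readAudit() hands out copies

function entryHash(body: Omit<AuditEntry, "hash">): string {
  return createHash("sha256").update(JSON.stringify(body)).digest("hex");
}

// Every decision, allowed or denied, is appended and chained to the previous entry.
function appendAudit(ts: number, userId: string, docId: string, action: Action, allowed: boolean): void {
  const prevHash = auditLog.length ? auditLog[auditLog.length - 1].hash : GENESIS;
  const body = { ts, userId, docId, action, allowed, prevHash };
  auditLog.push({ ...body, hash: entryHash(body) });
}

function readAudit(): AuditEntry[] { return auditLog.map(e => ({ ...e })); }

// Returns false if any entry was edited, reordered or removed after being written.
function verifyAuditChain(): boolean {
  let prev = GENESIS;
  for (const e of auditLog) {
    const { hash, ...body } = e;
    if (body.prevHash !== prev || entryHash(body) !== hash) return false;
    prev = hash;
  }
  return true;
}

function decide(p: Principal, doc: TrustDocument, action: Action): boolean {
  const inTrust = p.trustId === doc.trustId;
  if (inTrust && p.role === "Owner") return true;                          // full control within own trust
  if (inTrust || doc.sharedWith.has(p.userId)) return action !== "share"; // read-only paths
  return false;                                                            // no relationship: deny
}

// Single entry point: decides, records the decision, then returns it.
function authorize(p: Principal, doc: TrustDocument, action: Action, ts = Date.now()): boolean {
  const allowed = decide(p, doc, action);
  appendAudit(ts, p.userId, doc.id, action, allowed);
  return allowed;
}
```

Denied requests are logged as well as allowed ones, since repeated denials against one document are what an analyst wants to see when reviewing the trail.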

Data Residency

All data stored in US-based data centers. GDPR-compliant data handling. Right-to-deletion supported.

Integration Map

Financial Data

  • Plaid (bank/brokerage aggregation)
  • Yodlee (alternative aggregation)
  • Morningstar (asset valuation)

Legal Document Generation

  • Documate API
  • HotDocs (template engine)
  • DocuSign (e-signatures)

Identity & Auth

  • Auth0 / Okta
  • Stripe Identity (KYC)
  • USPS Address Validation

Communications

  • SendGrid (transactional email)
  • Twilio (SMS notifications)
  • Postmark (delivery receipts)

Compliance & Monitoring

  • Sentry (error tracking)
  • Datadog (APM + logging)
  • Vanta (SOC 2 automation)

Upstream Platforms

  • FiduciaHQ (fiduciary API)
  • Provenance (HNW data sync)
  • Vestrum Trust (master identity)

Vestrum Trust Platform Hierarchy

LegaciVault sits within a four-tier brand and product architecture. Data and identity flow upward through shared APIs.

Vestrum Trust

Corporate / Master Brand

Infrastructure, compliance, API ecosystem, jurisdictional rules engine

FiduciaHQ

Fiduciary Platform

Multi-trust, multi-family administration for corporate trustees and trust companies

Provenance

HNW Tier ($20M+)

Complex single-family estate management, entity visualization, scenario modeling

LegaciVault

Entry-Level Tier

Families and individuals. Document vault, asset inventory, beneficiary tracking