BlueUP Platform: Layered Architecture

BlueUP is not a standalone product: it's an integrated platform in three layers designed so regulated organizations can adopt agentic AI without compromising security, compliance, or sovereignty.

Platform Architecture

LAYER 3: GOVERNANCE & COMPLIANCE
  ComplianceView: continuous monitoring, 96 controls
  BlueUPALM (AML/DORA): banking-grade regulatory compliance

LAYER 2: SOVEREIGN EXECUTION
  Rust Financial Engine: 162k journals/sec, native multi-GAAP
  MCP / LLM Gateways: tool and model governance

LAYER 1: ZERO TRUST REACHABILITY
  BlueUP Connect: identity-first desktop client
  OpenZiti / NetFoundry: identity-first connectivity, dark services by default

SUBSTRATE: CRYPTOGRAPHIC IDENTITY
  Keycloak (humans) · SPIRE SVIDs (workloads) · Biscuit Tokens (offline authorization) · OPA (infra) · Cerbos (app)

Terms used in the diagram:

  • AML: Anti-Money Laundering, the prevention of money laundering. It consumes 5-10% of a mid-sized institution's operating budget, and traditional systems generate more than 95% false positives.
  • DORA: Digital Operational Resilience Act, Regulation (EU) 2022/2554 on digital operational resilience. It requires EU financial entities to withstand, respond to and recover from ICT incidents. In force since 17 January 2025.
  • MCP: Model Context Protocol. In BlueUP, the MCP Gateway governs which tools AI agents may invoke, by identity and policy.
  • OpenZiti: NetFoundry's open-source connectivity substrate: encrypted tunnels, dark services with no public IP, identity-first service policy.
  • NetFoundry: the company behind OpenZiti, backed by Cisco Investments. BlueUP is an official partner and offers self-hosted deployment and managed connectivity on the NetFoundry platform.
  • SPIRE SVIDs: cryptographic identity system for workloads (rotating Ed25519 SVIDs). Every service has a verifiable identity that is renewed automatically.
  • Biscuit Tokens: cryptographic capability tokens (v6) with asynchronous attenuation: a holder can restrict them offline without invalidating the original token. Used in BlueUP for authorization.
  • OPA: Open Policy Agent, centralized evaluation of access and infrastructure policies. In BlueUP it governs infrastructure-level decisions; Cerbos covers the application level.

Layer 1: Zero Trust Reachability

The fundamental principle: without a valid cryptographic identity, no data path exists.

Services have no public IP, do not respond to port scans and do not appear on Shodan. They only "exist" for authenticated identities with a matching service policy. The service side reaches the fabric through outbound connections only, so the points to protect become identity enrollment and the policies that bind identities to services, rather than a firewall rule set.

OpenZiti

Open-source connectivity substrate: encrypted tunnels, dark services, service policy.

BlueUP Connect

Desktop client showing users only their authorized services.

Cryptographic identity

Every agent, service and human has a verifiable Ed25519 identity.

Dark Services

No inbound ports, no public IP, invisible to the internet.

Technology Partner: NetFoundry

Our connectivity substrate is built on OpenZiti, the open-source platform developed by NetFoundry. As an official NetFoundry partner, we offer both self-hosted deployment and managed connectivity for customers who require it.

NetFoundry is backed by investors including Cisco Investments and partners like Stellar Cyber and Intrusion for high-security environments.


Layer 2: Sovereign Execution

Business logic runs on controlled infrastructure with institutional-grade performance.

Financial engine (Rust)

10 crates, 191 tests, multi-GAAP accounting (Sectoral/IFRS/Tax), 162k journals/sec.

MCP Gateway

Governs which tools agents can invoke, by identity and policy.

LLM Gateway

Controls access to language models with human approval points.
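The following is an added example, not BlueUP's code, showing the control the two gateways describe: an agent presents a workload identity (a SPIFFE ID of the kind SPIRE issues), the gateway evaluates an ordered policy with a default deny, and high-risk tool calls are held until a human identity approves them. The trust domain `blueup.example`, the `human/` identity prefix, the tool names, the rules and the ledger data are all constructed for the example; in BlueUP the decision itself would be delegated to OPA or Cerbos.

```python
"""Policy-gated MCP tool gateway (added example, not BlueUP's code)."""
import itertools
from dataclasses import dataclass
from fnmatch import fnmatchcase

ALLOW, DENY, APPROVAL = "allow", "deny", "require_approval"

# Constructed policy, evaluated top to bottom: first match wins, no match is a deny.
POLICY = [
    ("spiffe://blueup.example/agent/reconciler", "ledger.read", ALLOW),
    ("spiffe://blueup.example/agent/reconciler", "ledger.post_journal", APPROVAL),
    ("spiffe://blueup.example/agent/*", "shell.*", DENY),
    ("spiffe://blueup.example/agent/*", "ledger.read", ALLOW),
]

# Assumed convention: humans authenticated via Keycloak are mapped to identities
# under this prefix; only they may release a held call.
HUMAN_PREFIX = "spiffe://blueup.example/human/"

# Constructed stand-in tools exposed through the gateway.
LEDGER = {"ops": 100}

def _read(account):
    return LEDGER.get(account)

def _post_journal(account, amount):
    LEDGER[account] = LEDGER.get(account, 0) + amount
    return LEDGER[account]

TOOLS = {
    "ledger.read": _read,
    "ledger.post_journal": _post_journal,
    "shell.exec": lambda cmd: f"would have run: {cmd}",  # never reachable by an agent
}


@dataclass
class ToolRequest:
    identity: str   # caller's SPIFFE ID, taken from its SVID, never from the request body
    tool: str
    args: dict


class Gateway:
    def __init__(self, policy=POLICY, tools=TOOLS):
        self.policy, self.tools = list(policy), dict(tools)
        self.pending = {}           # ticket -> held ToolRequest
        self.audit = []             # (principal, tool, verdict) for traceability
        self._tickets = itertools.count(1)

    def decide(self, req):
        for ident_pat, tool_pat, verdict in self.policy:
            if fnmatchcase(req.identity, ident_pat) and fnmatchcase(req.tool, tool_pat):
                return verdict
        return DENY                 # fail closed

    def invoke(self, req):
        verdict = self.decide(req)
        self.audit.append((req.identity, req.tool, verdict))
        if verdict == DENY:
            return {"status": "denied"}
        if verdict == APPROVAL:
            ticket = f"t{next(self._tickets)}"
            self.pending[ticket] = req
            return {"status": "pending", "ticket": ticket}
        return {"status": "ok", "result": self.tools[req.tool](**req.args)}

    def approve(self, ticket, approver):
        # An agent cannot approve itself: a non-human approver leaves the ticket held.
        if not approver.startswith(HUMAN_PREFIX):
            self.audit.append((approver, ticket, "rejected_approver"))
            return {"status": "denied", "reason": "approver is not a human identity"}
        req = self.pending.pop(ticket, None)
        if req is None:
            return {"status": "denied", "reason": "unknown or already used ticket"}
        self.audit.append((approver, req.tool, "approved"))
        return {"status": "ok", "result": self.tools[req.tool](**req.args)}


if __name__ == "__main__":
    gw = Gateway()
    agent = "spiffe://blueup.example/agent/reconciler"
    print(gw.invoke(ToolRequest(agent, "ledger.read", {"account": "ops"})))
    print(gw.invoke(ToolRequest(agent, "shell.exec", {"cmd": "id"})))
    held = gw.invoke(ToolRequest(agent, "ledger.post_journal", {"account": "ops", "amount": 5}))
    print(held, gw.approve(held["ticket"], agent))
    print(gw.approve(held["ticket"], "spiffe://blueup.example/human/alice"))
```

Two details matter in practice: the identity is bound to the connection (the SVID), not read from the request, and a ticket stays pending when the approver is not human, so an agent cannot clear its own hold.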

gVisor sandbox

Google's user-space application kernel, providing kernel-level isolation per agent and service. BlueUP uses it to limit the blast radius of each component.


Layer 3: Governance & Compliance

Continuous monitoring and regulatory compliance integrated by design, not bolted on.

BlueUPALM

Banking-grade AML/DORA compliance: screening, incident management.

ComplianceView

96 controls aligned with NIST (the US National Institute of Standards and Technology, publisher of widely referenced cybersecurity standards including the Cybersecurity Framework and the SP 800 series), ISO 27001 (the international standard for information security management systems, defining controls and a certifiable audit process; current version ISO/IEC 27001:2022), DORA, and FINOS (the Fintech Open Source Foundation under the Linux Foundation, focused on open source for financial services and maintainer of projects such as CDM, the Common Domain Model, and the SDLC Controls referenced in compliance). Controls are fed by automated collectors.

OPA

Centralized access and infrastructure policy evaluation.

Cerbos PDP

Contextual ABAC/RBAC authorization for business logic.


Identity Substrate

The entire system shares a unified identity model:

Layer          Technology              Function
Humans         Keycloak OIDC/PKCE      Federated authentication without static passwords
Workloads      SPIRE SVIDs (Ed25519)   Rotating cryptographic identity per service
Authorization  Biscuit Tokens v6       Capability tokens with asynchronous (offline) attenuation
Encryption     End-to-end mTLS         Mutual verification on every connection
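The property that makes Biscuit tokens useful for delegation between agents is offline attenuation: a holder appends a restricting block without contacting the issuer, and the original token stays valid. The added example below is not BlueUP's or Biscuit's code; Biscuit chains Ed25519-signed blocks, while this example reproduces the same attenuation property with macaroon-style HMAC chaining from the Python standard library so it runs without dependencies. The difference that matters is that here the verifier needs the root secret, whereas a Biscuit verifier needs only the issuer's public key. The root key, trust domain and resource names are constructed for the example.

```python
"""Offline-attenuable capability token (added example, HMAC chaining stands in
for Biscuit's Ed25519 block chain)."""
import base64
import hashlib
import hmac
import json


def _mac(key: bytes, block: str) -> bytes:
    return hmac.new(key, block.encode(), hashlib.sha256).digest()


def _encode(block: dict) -> str:
    # Canonical serialization: the MAC must cover exactly what the verifier re-reads.
    return json.dumps(block, sort_keys=True, separators=(",", ":"))


def mint(root_key: bytes, authority: dict) -> dict:
    """Issuer side: block 0 states the full authority the token grants."""
    block = _encode(authority)
    return {"blocks": [block], "sig": base64.b64encode(_mac(root_key, block)).decode()}


def attenuate(token: dict, restriction: dict) -> dict:
    """Holder side, offline: chain a new block onto the current signature.
    The input token is not modified and stays valid for whoever holds it."""
    block = _encode(restriction)
    prev_sig = base64.b64decode(token["sig"])
    return {"blocks": token["blocks"] + [block],
            "sig": base64.b64encode(_mac(prev_sig, block)).decode()}


def verify(root_key: bytes, token: dict):
    """Recompute the whole chain from the root key; None if any block was
    edited, dropped or reordered."""
    key = root_key
    for block in token["blocks"]:
        key = _mac(key, block)
    if not hmac.compare_digest(key, base64.b64decode(token["sig"])):
        return None
    return [json.loads(b) for b in token["blocks"]]


def authorize(root_key: bytes, token: dict, request: dict) -> bool:
    """Each block is a constraint set the request must satisfy: a key names a
    request attribute and maps to the list of accepted values; "exp" is a
    Unix-time upper bound on request["now"]. Blocks only intersect, so an
    appended block can never grant more than block 0 did."""
    blocks = verify(root_key, token)
    if blocks is None:
        return False
    for block in blocks:
        for attr, allowed in block.items():
            if attr == "exp":
                if request.get("now", float("inf")) > allowed:
                    return False
            elif not isinstance(allowed, list) or request.get(attr) not in allowed:
                return False
    return True


if __name__ == "__main__":
    ROOT = b"constructed-root-key-for-the-example"
    agent = "spiffe://blueup.example/agent/reconciler"
    full = mint(ROOT, {"subject": [agent], "operation": ["read", "write"], "resource": ["ledger/2025"]})
    read_only = attenuate(full, {"operation": ["read"]})        # delegated to a sub-agent
    short_lived = attenuate(read_only, {"exp": 1_800_000_000})  # and time-boxed, still offline
    req = {"subject": agent, "operation": "write", "resource": "ledger/2025", "now": 1_700_000_000}
    print(authorize(ROOT, full, req), authorize(ROOT, read_only, req))
```

Dropping the restricting block, editing block 0, or appending a block that claims wider rights all fail: the first two break the MAC chain, the third is harmless because blocks can only intersect.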

Complete Technology Stack

Layer           Technologies
Frontend        React, TypeScript, CSS Modules
Backend         Rust (Axum), Python (FastAPI), NATS JetStream
Security        OpenZiti, Keycloak, SPIRE, OPA, Biscuit Tokens, Cerbos
AI & Data       Vertex AI, MCP SDK, vLLM / Ollama (sovereign)
Infrastructure  Google Cloud, Kubernetes (Talos Linux), Terraform, Gitea Actions
Isolation       Cilium (network), gVisor (kernel), eBPF (observability)

Design Principles

Identity as Perimeter

Security doesn't depend on server location, but on verifiable cryptographic identity.

Dynamic Privileges

AI proposes, but OPA policies and human intervention act as security brakes.

Minimum Blast Radius

A compromise in one agent never translates to a systemic breach.

Compliance by Design

DORA, AML, the AI Act (Regulation (EU) 2024/1689, the European risk-based framework for AI systems: it prohibits unacceptable uses, regulates high-risk ones and sets transparency obligations for generative models, with phased entry into force over 2025-2027) and GDPR (General Data Protection Regulation, Regulation (EU) 2016/679 on personal data protection: it applies to any processing of data of EU residents, with fines of up to 4% of global turnover) are architectural requirements, not add-ons.

Data Sovereignty

Processing never leaves controlled infrastructure.


Application by industry

This architecture is applied differently depending on the regulated industry it serves. See operational details in:

  • Private Banking — Enhanced KYC (Know Your Customer: the set of processes for verifying a client's identity and understanding their risk profile; in banking and fintech, a legal prerequisite to opening a business relationship), continuous screening and traceability for HNWI.
  • Insurance — Insurance-specific AML with an integrated SEPBLAC workflow (SEPBLAC: the Executive Service of the Commission for the Prevention of Money Laundering and Monetary Offences, Spain's financial intelligence unit and the official recipient of suspicious-activity reports from obliged entities).
  • Fintech & Agentic AI — Zero Trust governance for autonomous agents (Zero Trust: the architectural model built on "never trust, always verify": every access is verified individually with cryptographic identity, on every interaction, regardless of whether the request comes from inside or outside the network).

For readers wanting downloadable material: DORA Whitepaper and DORA Calculator.


Want to dive deeper into the architecture?

Download our technical whitepaper on identity-first architecture for agentic AI.
