Skip to main content

Overview

This guide covers production deployment considerations for Conformly.ai across all three projects, including security, environment configuration, and reliability.

Production Environment Variables

conformly-core (Backend)

VariableProduction Value
ENVIRONMENTproduction
DEBUGfalse
ALLOWED_ORIGINShttps://www.conformly.ai,https://beta.conformly.ai
STRIPE_SUCCESS_URLhttps://beta.conformly.ai/payment-success?session_id={CHECKOUT_SESSION_ID}
STRIPE_CANCEL_URLhttps://www.conformly.ai/#pricing
STRIPE_API_KEYsk_live_... (live key, not test)
REDIS_URLYour managed Redis endpoint

conformly-frontend (Platform App)

VariableProduction Value
VITE_API_BASE_URLhttps://beta-api.conformly.ai/api/v1
VITE_WEB_URLhttps://www.conformly.ai
VITE_SUPABASE_URLYour Supabase project URL
VITE_SUPABASE_ANON_KEYYour Supabase anon key

conformly-web (Marketing Site)

VariableProduction Value
VITE_API_BASE_URLhttps://beta-api.conformly.ai/api/v1
VITE_APP_URLhttps://beta.conformly.ai
VITE_SUPABASE_URLYour Supabase project URL
VITE_SUPABASE_ANON_KEYYour Supabase anon key

Security

Secrets Management

  • Never commit .env files to version control
  • Use secrets management services (AWS Secrets Manager, HashiCorp Vault, or Vercel encrypted env vars)
  • Rotate API keys (Stripe, Supabase, Google, OpenAI) regularly
  • Use separate credentials for development, staging, and production

Authentication

  • All API traffic over HTTPS/TLS
  • CORS restricted to production domains only (no localhost)
  • Rate limiting enabled (RATE_LIMIT_PER_MINUTE, RATE_LIMIT_BURST)
  • JWT token expiration tuned for security (ACCESS_TOKEN_EXPIRE_MINUTES=30)
  • Supabase Row-Level Security (RLS) enforced on all tables

Stripe Webhooks

  • Verify the Stripe-Signature header using STRIPE_WEBHOOK_SECRET
  • Use a dedicated webhook endpoint (POST /api/v1/payments/webhook)
  • Handle checkout.session.completed and customer.subscription.deleted events

Database

  • Supabase manages connection pooling and SSL
  • RLS policies enforce workspace-level tenant isolation
  • The profiles table uses a CHECK constraint on role (admin, engineer, manager, viewer)
  • The handle_new_user() trigger automatically creates profiles on signup

Backend Infrastructure (EC2)

The production backend runs on EC2 with Docker: 
# Pull latest changes
git pull origin main

# Rebuild and restart
docker compose -f docker-compose.prod.yml up -d --build

# Verify
docker compose -f docker-compose.prod.yml ps
docker compose -f docker-compose.prod.yml logs -f backend
The production compose file should not include --reload: 
backend:
  command: ["uvicorn", "app.main:app", "--host", "0.0.0.0", "--port", "8000",
            "--proxy-headers", "--forwarded-allow-ips", "*"]

Reverse Proxy (Nginx)

server {
    listen 443 ssl;
    server_name beta-api.conformly.ai;

    ssl_certificate /etc/letsencrypt/live/beta-api.conformly.ai/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/beta-api.conformly.ai/privkey.pem;

    location / {
        proxy_pass http://127.0.0.1:8000;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
    }
}

Performance

Scaling

  • Backend: Horizontal scaling behind ALB or nginx; each instance runs the full Docker stack
  • Celery Workers: Scale independently — docker compose up -d --scale celery-worker=5
  • Redis: Use managed Redis (ElastiCache) for high availability
  • Database: Supabase manages read replicas and connection pooling

Caching

  • Redis caches frequently accessed data and session state
  • Analysis results are persisted to Supabase tables — no re-computation on page refresh
  • Frontend uses TanStack Query with stale-while-revalidate caching

Monitoring

  • Celery Flower: Task monitoring dashboard (docker compose --profile monitoring up -d)
  • Container logs: docker compose logs -f backend celery-worker
  • APM: Integrate Datadog, New Relic, or Sentry for error tracking
  • Metrics: Prometheus + Grafana for system-level monitoring
  • Health checks: GET /health endpoint for load balancer probes

Reliability

High Availability

  • Deploy across availability zones
  • Use managed Supabase (automatic failover)
  • Redis persistence enabled for job state recovery
  • Health checks and auto-restart via Docker restart: unless-stopped

Backup

  • Supabase manages automated database backups
  • Application logs shipped to centralized storage
  • Document recovery procedures and test them regularly

Deployment Checklist

  • All environment variables set with production values
  • ALLOWED_ORIGINS restricted to production domains
  • Stripe keys switched from sk_test_ to sk_live_
  • STRIPE_SUCCESS_URL and STRIPE_CANCEL_URL point to production URLs
  • HTTPS/TLS enabled with valid certificates
  • Nginx reverse proxy configured with forwarded headers
  • --reload flag removed from production compose
  • Rate limiting enabled
  • Monitoring and alerting configured
  • Supabase email templates configured (confirmation, password reset)
  • Database handle_new_user() trigger verified

Docker Deployment

Learn about Docker-based deployment