> ## Documentation Index
> Fetch the complete documentation index at: https://docs.conformly.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Production Deployment

> Best practices for deploying Conformly.ai in production

## Overview

This guide covers production deployment considerations for Conformly.ai across all three projects, including security, environment configuration, and reliability.

## Production Environment Variables

### conformly-core (Backend)

| Variable             | Production Value                                                             |
| -------------------- | ---------------------------------------------------------------------------- |
| `ENVIRONMENT`        | `production`                                                                 |
| `DEBUG`              | `false`                                                                      |
| `ALLOWED_ORIGINS`    | `https://www.conformly.ai,https://beta.conformly.ai`                         |
| `STRIPE_SUCCESS_URL` | `https://beta.conformly.ai/payment-success?session_id={CHECKOUT_SESSION_ID}` |
| `STRIPE_CANCEL_URL`  | `https://www.conformly.ai/#pricing`                                          |
| `STRIPE_API_KEY`     | `sk_live_...` (live key, not test)                                           |
| `REDIS_URL`          | Your managed Redis endpoint                                                  |

### conformly-frontend (Platform App)

| Variable                 | Production Value                       |
| ------------------------ | -------------------------------------- |
| `VITE_API_BASE_URL`      | `https://beta-api.conformly.ai/api/v1` |
| `VITE_WEB_URL`           | `https://www.conformly.ai`             |
| `VITE_SUPABASE_URL`      | Your Supabase project URL              |
| `VITE_SUPABASE_ANON_KEY` | Your Supabase anon key                 |

### conformly-web (Marketing Site)

| Variable                 | Production Value                       |
| ------------------------ | -------------------------------------- |
| `VITE_API_BASE_URL`      | `https://beta-api.conformly.ai/api/v1` |
| `VITE_APP_URL`           | `https://beta.conformly.ai`            |
| `VITE_SUPABASE_URL`      | Your Supabase project URL              |
| `VITE_SUPABASE_ANON_KEY` | Your Supabase anon key                 |

## Security

### Secrets Management

* Never commit `.env` files to version control
* Use secrets management services (AWS Secrets Manager, HashiCorp Vault, or Vercel encrypted env vars)
* Rotate API keys (Stripe, Supabase, Google, OpenAI) regularly
* Use separate credentials for development, staging, and production

### Authentication

* All API traffic over HTTPS/TLS
* CORS restricted to production domains only (no `localhost`)
* Rate limiting enabled (`RATE_LIMIT_PER_MINUTE`, `RATE_LIMIT_BURST`)
* JWT token expiration tuned for security (`ACCESS_TOKEN_EXPIRE_MINUTES=30`)
* Supabase Row-Level Security (RLS) enforced on all tables

### Stripe Webhooks

* Verify the `Stripe-Signature` header using `STRIPE_WEBHOOK_SECRET`
* Use a dedicated webhook endpoint (`POST /api/v1/payments/webhook`)
* Handle `checkout.session.completed` and `customer.subscription.deleted` events

### Database

* Supabase manages connection pooling and SSL
* RLS policies enforce workspace-level tenant isolation
* The `profiles` table uses a CHECK constraint on `role` (`admin`, `engineer`, `manager`, `viewer`)
* The `handle_new_user()` trigger automatically creates profiles on signup

## Backend Infrastructure (EC2)

The production backend runs on EC2 with Docker:

```bash theme={null}
# Pull latest changes
git pull origin main

# Rebuild and restart
docker compose -f docker-compose.prod.yml up -d --build

# Verify
docker compose -f docker-compose.prod.yml ps
docker compose -f docker-compose.prod.yml logs -f backend
```

The production compose file should **not** include `--reload`:

```yaml theme={null}
backend:
  command: ["uvicorn", "app.main:app", "--host", "0.0.0.0", "--port", "8000",
            "--proxy-headers", "--forwarded-allow-ips", "*"]
```

### Reverse Proxy (Nginx)

```nginx theme={null}
server {
    listen 443 ssl;
    server_name beta-api.conformly.ai;

    ssl_certificate /etc/letsencrypt/live/beta-api.conformly.ai/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/beta-api.conformly.ai/privkey.pem;

    location / {
        proxy_pass http://127.0.0.1:8000;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
    }
}
```

## Performance

### Scaling

* **Backend**: Horizontal scaling behind ALB or nginx; each instance runs the full Docker stack
* **Celery Workers**: Scale independently — `docker compose up -d --scale celery-worker=5`
* **Redis**: Use managed Redis (ElastiCache) for high availability
* **Database**: Supabase manages read replicas and connection pooling

### Caching

* Redis caches frequently accessed data and session state
* Analysis results are persisted to Supabase tables — no re-computation on page refresh
* Frontend uses TanStack Query with stale-while-revalidate caching

## Monitoring

* **Celery Flower**: Task monitoring dashboard (`docker compose --profile monitoring up -d`)
* **Container logs**: `docker compose logs -f backend celery-worker`
* **APM**: Integrate Datadog, New Relic, or Sentry for error tracking
* **Metrics**: Prometheus + Grafana for system-level monitoring
* **Health checks**: `GET /health` endpoint for load balancer probes

## Reliability

### High Availability

* Deploy across availability zones
* Use managed Supabase (automatic failover)
* Redis persistence enabled for job state recovery
* Health checks and auto-restart via Docker `restart: unless-stopped`

### Backup

* Supabase manages automated database backups
* Application logs shipped to centralized storage
* Document recovery procedures and test them regularly

## Deployment Checklist

* [ ] All environment variables set with production values
* [ ] `ALLOWED_ORIGINS` restricted to production domains
* [ ] Stripe keys switched from `sk_test_` to `sk_live_`
* [ ] `STRIPE_SUCCESS_URL` and `STRIPE_CANCEL_URL` point to production URLs
* [ ] HTTPS/TLS enabled with valid certificates
* [ ] Nginx reverse proxy configured with forwarded headers
* [ ] `--reload` flag removed from production compose
* [ ] Rate limiting enabled
* [ ] Monitoring and alerting configured
* [ ] Supabase email templates configured (confirmation, password reset)
* [ ] Database `handle_new_user()` trigger verified

<Card title="Docker Deployment" icon="docker" href="/deployment/docker">
  Learn about Docker-based deployment
</Card>
