Security Architecture

Proposed zero-egress control posture

Internal Use Only
User Entry Points

  • MS Teams / Copilot: user interface for commands and notifications [Azure AD OAuth]
  • SharePoint Online: document drop zone (managed M365) [encrypted at rest]
Azure Private Network

  • Event Grid: event routing within the VNET [Managed Identity]
  • func_ingest: document parsing function [Managed Identity]
  • func_reason: LLM orchestration function [Managed Identity]
  • func_bridge: Workiva API bridge [Managed Identity]
  • Blob Storage: intermediate data storage [Private Endpoint, CMK encrypted]
  • Key Vault: secrets & certificates [Private Endpoint, RBAC only]
  • Log Analytics: monitoring & diagnostics [Private Endpoint]
  • Azure OpenAI: GPT-5.1 private deployment [Private Endpoint, Managed Identity]
  • AI Search: vector database (RAG) [Private Endpoint]
  • Document Intelligence: form recognition [Private Endpoint]
External Services

  • Workiva Platform: ESG reporting target [OAuth2 client credentials, API gateway]

Security Protocol Flows

  • MS Teams → Event Grid: TLS 1.3 + Azure AD
  • Azure Functions → Azure OpenAI: Private Link
  • func_bridge → Workiva API: OAuth2 + TLS
  • All Functions → Key Vault: Managed Identity

🔒 VNET Integration

All Azure Functions and AI resources communicate over a private virtual network with no public IP exposure.

  • Service endpoints for internal routing
  • NSG rules blocking internet egress
  • Azure Firewall for controlled egress
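As an added check (not part of the page or the project's own code), the following Python reads a network security group export shaped like the `securityRules` array returned by `az network nsg show` (the samples below are constructed, not real exports) and decides whether the outbound rules actually yield the zero-egress posture described above; the weak sample shows a broad Allow rule at a lower priority number silently overriding the internet Deny.

```python
"""Added example (not from the page): check an exported NSG for the zero-egress posture."""
from typing import Dict, List, Optional

# Destination prefixes that would reach the public internet if allowed outbound.
INTERNET_PREFIXES = {"Internet", "*", "0.0.0.0/0"}


def outbound_rules(nsg: Dict) -> List[Dict]:
    """Custom outbound rules, lowest priority number first (the order Azure evaluates them)."""
    rules = [r for r in nsg.get("securityRules", []) if r.get("direction") == "Outbound"]
    return sorted(rules, key=lambda r: r["priority"])


def first_internet_match(nsg: Dict) -> Optional[Dict]:
    """First outbound rule whose destination covers the internet; None if only defaults apply."""
    for rule in outbound_rules(nsg):
        prefixes = set(rule.get("destinationAddressPrefixes") or [])
        if rule.get("destinationAddressPrefix"):
            prefixes.add(rule["destinationAddressPrefix"])
        if prefixes & INTERNET_PREFIXES:
            return rule
    return None


def is_zero_egress(nsg: Dict) -> bool:
    """True only when the winning internet-bound rule is a Deny.

    With no custom match, Azure's built-in AllowInternetOutBound rule (priority 65001)
    applies, so an NSG with no explicit Deny is not zero-egress.
    """
    rule = first_internet_match(nsg)
    return rule is not None and rule.get("access") == "Deny"


# Constructed samples shaped like the securityRules array of `az network nsg show`.
WEAK_NSG = {"securityRules": [
    # The broad Allow at priority 100 wins before the Deny at 4000 is ever evaluated.
    {"name": "AllowAnyOutbound", "priority": 100, "direction": "Outbound",
     "access": "Allow", "destinationAddressPrefix": "*"},
    {"name": "DenyInternet", "priority": 4000, "direction": "Outbound",
     "access": "Deny", "destinationAddressPrefix": "Internet"},
]}

HARDENED_NSG = {"securityRules": [
    # Intra-VNET traffic (where the private endpoints live) stays allowed; public destinations are denied.
    {"name": "AllowVnetOutbound", "priority": 100, "direction": "Outbound",
     "access": "Allow", "destinationAddressPrefix": "VirtualNetwork"},
    {"name": "DenyInternet", "priority": 4000, "direction": "Outbound",
     "access": "Deny", "destinationAddressPrefix": "Internet"},
]}
```

The check looks only at NSG rules; the controlled egress the page assigns to Azure Firewall (routing and firewall policy) is outside its scope.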

🔗 Private Endpoints

Azure OpenAI and Storage accounts are reached through Private Link and are not accessible from the public internet.

  • DNS zones for private resolution
  • No public endpoints enabled
  • Traffic never leaves the Azure backbone

👤 Managed Identity

All service-to-service authentication uses Managed Identity; no credentials are stored in code.

  • System-assigned identities per function
  • RBAC for least-privilege access
  • Automatic credential rotation

🌐 Data Residency

All data processing occurs within the designated EU region; no data is sent to public OpenAI models.

  • Norway East as primary region
  • Private model deployments only
  • GDPR compliant processing

🌎 Data Residency & Compliance

  • Norway East: primary region
  • EU Data Boundary: compliance zone
  • Zero Egress: network policy
  • GDPR Compliant: regulatory

Diagram legend: Public Zone, Private VNET, External (Private Link), Private Endpoint

Project Northern Lights Security Architecture v1.0 | Danta Labs for KPMG Lighthouse

Zero-Egress Compliant | GDPR Ready | Norway East Region