Technology Standards
| Version | Date | Author | Comments |
|---|---|---|---|
| 1.0 | | D. Souza / L. Crespo | Document Creation |
| 1.1 | | S. Zuloaga | Added Cybersecurity Considerations Section |
| 1.2 | 06/08/25 | L. Crespo | Added CMS to Informational Sites |
| 1.3 | 11/08/25 | L. Crespo | Modified CI/CD supported platforms |
| 1.4 | 21/08/25 | Marco Roberto Gonçalves | Added Infrastructure Section |
Introduction
This document establishes the approved technology standards for Patria, covering various technology implementation categories. These standards ensure we maintain consistency, security, and quality across all our systems. The document continuously evolves, adapting to new needs and technological advancements. Undefined technical scenarios will be standardized as needed.
Technical Drivers
These fundamental principles guide our technical decisions and architecture evolution:
- SECURITY BY DESIGN: Applications must be designed with Information Security, SSO, and SOC process requirements in mind from their conception.
- ARCHITECTURAL INTEGRITY PRESERVATION: The technical architecture of systems must be maintained according to their original standards, avoiding maintenance activities that generate unnecessary disruptions and risks. Structural changes will be evaluated when necessary, due to obsolescence, security risks, or changes in non-functional requirements.
- BUSINESS LOGIC SEPARATION: Integration, presentation, or database layers should not contain business logic. This logic must reside in backend structures with specific responsibilities.
- INTEGRATED AUTOMATION: Automation and the elimination of manual processes should be maximized for all new developments. CI/CD is mandatory for package generation, automated testing for integrity validation, environment transitions, deployment, notification, and monitoring.
Technology Standards by Use Case
This section outlines the approved technologies organized by their primary use cases. By categorizing standards according to their application context, we provide clear guidance for technology selection while ensuring consistency across similar implementation scenarios.
Application and Service Development
Application and service development standards define the approved technologies for building both internal and customer-facing digital solutions. These standards ensure consistency, interoperability, and maintainability across our development ecosystem while supporting our security and quality objectives.
Transactional Applications
Transactional applications handle critical business operations that require data processing, state management, and secure user interactions. The following standards ensure these applications are built on robust, scalable, and secure foundations.
| Component | Standard Technology | Version | Alternative | Version |
|---|---|---|---|---|
| Frontend | React | Latest Stable | Angular (TypeScript) | Latest Stable |
| Backend | Python | 3.13.x+ | Node.js | Latest Stable |
| APIs | RESTful with FastAPI | Latest | GraphQL | Latest Stable |
| Authentication | Entra ID (Microsoft AD) | - | OAuth 2.0/OpenID Connect | - |
Informational Applications (web sites)
Informational applications focus on data presentation, reporting, and content delivery without complex transactional requirements. These standards provide guidance for building efficient and user-friendly information systems while maintaining appropriate security measures.
| Component | Standard Technology | Version | Alternative | Version |
|---|---|---|---|---|
| Frontend | React | Latest Stable | Angular (TypeScript) | Latest Stable |
| Backend | Python | 3.13.x+ | Node.js | Latest Stable |
| APIs | RESTful | Latest | - | - |
| CMS | StrapiCMS | Latest Stable | Drupal (Only for legacy systems) | Latest Stable |
Custom Development
Custom development environments establish standardized tools and platforms for code creation, version control, and deployment pipelines. These standards ensure developer productivity, code quality, and consistent delivery processes.
| Development Environment | Primary | Alternative |
|---|---|---|
| IDE | VS Code | - |
| Repository Management | GitHub | Azure DevOps |
| CI/CD | GitHub Actions | Azure DevOps Pipelines |
Automation
Automation standards address the technologies used to streamline processes, reduce manual effort, and increase operational efficiency. By standardizing our automation approaches, we ensure consistent implementation, maintainability, and integration with existing systems.
Simple Automation
Simple automation focuses on streamlining basic processes through scripting and low-code solutions. These standards guide the development of efficient automation for routine tasks without the complexity of full RPA implementations.
| Use Case | Standard Technology | Alternative |
|---|---|---|
| Scripts and Automated Processes | Python 3.13.x+ | n8n / Power Automate Cloud Flows |
Robotic Process Automation (RPA)
RPA solutions emulate human interactions with digital systems to automate complex, repetitive tasks. These standards ensure our RPA implementations are consistent, maintainable, and properly integrated with our security framework.
| Use Case | Standard Technology | Alternative |
|---|---|---|
| User Interface Automation | UiPath | Power Automate Desktop |
Workflow Automation
Workflow automation manages the orchestration of business processes across systems and human interactions. These standards provide guidance for implementing structured workflows with proper governance, tracking, and approval mechanisms.
| Use Case | Standard Technology | Alternative |
|---|---|---|
| Processes and Approvals | ServiceNow | Fluig (TBC) / Power Automate |
Business Analysis Tools
Business analysis tools empower departments to derive insights from data and improve decision-making processes. These standards balance the need for analytical flexibility with appropriate governance and security controls. Business areas have autonomy to develop departmental data solutions, experimentation, and exploration. Corporate systems must be managed by the IT team.
| Component | Standard Technology | Version | Alternative | Version |
|---|---|---|---|---|
| Analysis Language | Python | 3.13.x+ | R | Latest LTS |
| Development Environment | VS Code + Jupyter Notebooks | Latest | - | - |
Cybersecurity in Technology Architecture
Cybersecurity is a foundational element integrated across all aspects of our technology architecture. This section outlines the security standards, controls, and practices that must be implemented to protect our systems, data, and users while enabling business operations.
Application Development Security
Application security standards establish the requirements for building secure applications from the ground up. By implementing these standards consistently, we protect against common vulnerabilities while ensuring proper authentication, authorization, and data protection.
Security Fundamentals
These fundamental security controls address the most critical application vulnerabilities. They must be integrated into all application development processes to establish a strong security foundation and prevent common attack vectors.
| Category | Key Controls | Reference Standard |
|---|---|---|
| Injection Protection | Parameterized queries · Input validation · ORM usage | OWASP ASVS |
| Sensitive Data Protection | AES-256 encryption at rest and in transit · TLS 1.2+ · Updated cryptographic libraries | NIST CSF |
| Input/Output Validation | Input/output escaping · CSP implementation · Strict validation | OWASP Top Ten |
Access Control and Authentication
Access control and authentication standards ensure that only authorized users can access our systems and data. These controls establish the framework for proper identity verification, permission management, and session security.
| Mechanism | Implementation | Reference Standard |
|---|---|---|
| Role-Based Access Control | Comprehensive RBAC · Periodic permission reviews · Least privilege principle | ISO 27001 |
| Multi-Factor Authentication | Mandatory MFA · Strong password policies · Adaptive authentication mechanisms | OWASP ASVS |
API Security
API security standards protect the interfaces that connect our systems internally and with external partners. These standards ensure that our APIs maintain data confidentiality, integrity, and availability while preventing unauthorized access and abuse.
Secure API Design
Secure API design principles establish the architectural foundation for protected service interfaces. These standards ensure APIs are designed with security as a primary consideration, from communication protocols to authentication mechanisms.
| Component | Implemented Standard | Security Consideration |
|---|---|---|
| Architecture | RESTful / GraphQL | Design by contract |
| Communication | HTTPS/TLS 1.3 (minimum) | Complete channel encryption |
| Authentication | OAuth 2.0 / OpenID Connect | Secure JWT token management |
| Access Control | Granular by endpoints and methods | Consistent permission enforcement |
Additional Security Controls
These complementary security controls enhance API protection beyond basic design principles. They address specific threat vectors such as injection attacks, cross-origin vulnerabilities, and denial-of-service attempts.
| Control | Implementation | Purpose |
|---|---|---|
| Input Validation | Comprehensive across all endpoints | Prevent injections and attacks |
| CORS Policies | Strict restriction | Prevent unauthorized access |
| Rate Limiting | By user/IP/endpoint | Prevent abuse and DoS |
| Documentation | OpenAPI (Swagger) | Facilitate secure usage |
Threat Monitoring and Response
Threat monitoring and response capabilities enable the detection, analysis, and mitigation of security incidents. These standards ensure we maintain visibility into our environment and can respond effectively to potential threats.
Event Management and Monitoring
Effective event management and monitoring provide the visibility needed to detect security incidents. These standards establish the requirements for comprehensive logging, event correlation, and anomaly detection across our technology landscape.
| Capability | Implementation | Purpose |
|---|---|---|
| Centralized Logging | SIEM System | Event correlation |
| Continuous Monitoring | Anomaly detection rules | Threat identification |
| Incident Response | Automated procedures | Rapid mitigation |
Continuous Security Validation
Continuous security validation ensures our defenses remain effective against evolving threats. These standards establish the framework for ongoing security testing, vulnerability management, and architecture reviews.
| Mechanism | Frequency | Scope |
|---|---|---|
| Vulnerability Analysis | Continuous in pipeline | Code and dependencies |
| Penetration Testing | Quarterly | Applications and APIs |
| Security Reviews | With each architectural change | Design and configuration |
Infrastructure
Infrastructure standards define the approved technologies and practices for building, deploying, and managing the foundational IT environment that supports all applications and services. These standards ensure robustness, scalability, security, and operational efficiency across our physical and cloud footprints.
Platform Services
Platform Services cover the core computing, networking, and storage components that form the backbone of our digital operations. These standards provide guidelines for selecting and implementing the fundamental building blocks of our IT infrastructure, ensuring high availability and performance.
Compute & Orchestration
Compute and orchestration standards address the platforms used for virtual machines, container management, server operating systems, and serverless functions, ensuring a consistent and scalable environment for application deployment.
| Component | Standard Technology | Alternative |
|---|---|---|
| Virtualization Platforms for On Premises | VMware | Hyper-V |
| Container Orchestration | Kubernetes | N/A |
| Server Operating Systems | Windows Server | Linux (Red Hat or Ubuntu Server) |
| Serverless Computing | GCP Cloud Functions | Azure Functions / AWS Lambda |
Network Services
Network services standards cover the design, implementation, and management of network infrastructure, including equipment, load balancing, DNS, connectivity, and monitoring, ensuring secure and efficient data flow.
| Component | Standard Technology | Alternative |
|---|---|---|
| Network Equipment | Cisco | N/A |
| DNS Management | Internal DNS, Public DNS | N/A |
| Connectivity | VPNs (IPSec), Direct Connect / ExpressRoute | N/A |
| Network Monitoring | PRTG | N/A |
Storage Services
Storage services standards define the approved types and platforms for data storage, including block, file, and object storage, along with guidelines for data backup and restoration to ensure data integrity and availability.
| Component | Standard Technology | Alternative |
|---|---|---|
| Storage Types | Storage (GCP) | N/A |
| Storage Platforms | Pure Storage, Google Storage | Cloud Native (Azure Storage, AWS S3) |
| Data Backup and Restore | Veeam / Commvault | Snapshots |
Data Management
Data Management standards focus on the approved technologies for managing various types of databases and data warehousing solutions. These guidelines ensure efficient, scalable, and secure data persistence and analytics capabilities.
Database management standards define the approved relational and NoSQL databases, as well as data warehousing solutions, ensuring optimal performance, scalability, and data integrity for all applications.
| Component | Standard Technology | Alternative |
|---|---|---|
| Relational Databases | SQL Server | MySQL / Google DB |
| NoSQL Databases | MongoDB | Cassandra / DynamoDB / Cosmos DB |
| Data Warehousing | Google BigQuery | Azure Synapse Analytics / Amazon Redshift |
Cloud Strategy
Cloud Strategy standards outline our approach to cloud computing, including provider strategies, and the adoption of Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) models. These guidelines also cover cloud governance for cost and resource management.
Cloud Computing Fundamentals
Cloud computing fundamentals establish the foundational principles and standards for leveraging cloud services, ensuring a consistent approach to multi-cloud, hybrid cloud, and native cloud deployments, along with effective governance.
| Component | Standard Technology | Alternative |
|---|---|---|
| Cloud Provider Strategy | GCP | AWS / Azure |
| IaaS Standards | Virtual Machines, Virtual Networks, Managed Disks | N/A |
| PaaS Standards | Managed Databases, App Services, Functions, Message Queues | N/A |
| Cloud Governance | FinOps principles, Cloud Cost Management tools | N/A |
IT Operations & Management
IT Operations & Management standards define the tools and processes for monitoring, automation, identity management, CI/CD, and disaster recovery. These standards aim to achieve operational excellence, efficiency, and business continuity.
Operational Excellence
Operational excellence standards ensure robust monitoring, extensive automation, streamlined identity and access management, integrated CI/CD pipelines, and comprehensive disaster recovery plans, critical for maintaining high availability and efficient operations.
| Component | Standard Technology | Alternative |
|---|---|---|
| Monitoring and Observability | Grafana + Prometheus | TBD |
| Automation and Orchestration | Terraform | TBD |
| Identity and Access Management | Azure Active Directory (Entra ID) | GCP IAM |
| CI/CD Platforms for Infra | Azure DevOps | GitHub |
| Disaster Recovery (DR) and Business Continuity (BC) | DRaaS Solutions / Cloud Native DR (GCP) | Defined RTO/RPO strategies, Regular DR Testing |
Infrastructure Protection
Infrastructure Protection standards outline the necessary security controls for network, endpoint, and vulnerability management, as well as privileged access. These standards are crucial for safeguarding the underlying infrastructure from various cyber threats.
Infrastructure Security Controls
Infrastructure security controls establish the defensive measures for network security (firewalls, segmentation), endpoint protection (servers), vulnerability management, and privileged access management, providing a hardened foundation for IT operations.
| Component | Standard Technology | Alternative |
|---|---|---|
| Network Security | Palo Alto, Network Segmentation, WAF | Next-Gen Firewalls |
| Endpoint Security (Servers) | Trellix | Microsoft Defender |
| Vulnerability Management | Qualys | GCP SCC |
| Privileged Access Management (PAM) | TBD (Azure PIM) | TBD |
Naming Convention
Consistent and standardized naming conventions are fundamental for maintaining a well-organized, manageable, and secure infrastructure. Proper naming facilitates automation, simplifies troubleshooting, enhances readability for operations teams, and supports compliance efforts across on-premises and cloud environments.
Standard Naming Elements
Resource names are constructed by combining several key elements (only for cloud resources, separated by delimiters (e.g., hyphens -)). The order and inclusion of these elements may vary slightly depending on the resource type or platform.
| Element | Description | Example Values |
|---|---|---|
| Company | Short identifier for the company or business unit. | PAT |
| Environment (Env) | Indicates the lifecycle stage of the resource. | PROD (Production), UAT (Staging), DEV (Development), POC (Proof of Concept), SANDBOX (Sandbox) |
| Region/Location (Loc) | Physical or logical geographical location of the resource. | SAO (São Paulo), MVD (Montevideo), BUE (Buenos Aires), BOG (Bogotá), MDE (Medellín), NYC (New York), GTW (George Town), EDI (Edinburgh), LON (London), DR (Disaster Recovery), gcp (Google Cloud Platform) |
| Resource Type (Type) | Abbreviation for the type of resource. | On Premises: SRV (Server), WKS (Workstation), NOT (Laptop), MTR (Meeting Room), FW (Firewall), SW (Switch), AP (Access Point). Cloud: vm (Virtual Machine), vnet (Virtual Network), sg (Security Group), stg (Storage Account), rg (Resource Group), ce (Compute Engine) |
| Description/Purpose (Desc) | Optional short description if needed for specific clarity (use sparingly). | On Premises: AD (Active Directory), DB (Database), AP (Application Server), AC (Access Control), ST (Storage), BK (Backup), EX (Exchange), FS (File Server), PS (Print Server), MN (Management), CA (Certification Authority), XA (Citrix XenApp). Cloud: dc (Domain Controller), fs (File Server), ap (Application Server), db (Database), fw (Firewall), bh (Bastion Host), rd (Remote Desktop Service), rs (Reporting Service) |
| Instance/Index (Idx) | Numerical or alphabetical suffix for multiple instances of the same resource within a workload. | 01, 02, etc. |
General Naming Structure
While variations may exist, a common structure would be:
Uppercase for on-premises resources, following the structure below:
[Company][Loc][Type][Desc][Idx]
PATSAOSRVDB01
Lowercase for cloud resources, following the structure below:
[Company][Loc][Type][Desc][Idx]
patgcpcedb04
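The two structures above can be enforced mechanically, which is what makes the convention useful for automation and compliance checks. The following validator is an added example written for this document, not tooling Patria ships: it builds its vocabularies from the Standard Naming Elements table, reads the scope from the case of the name (all uppercase is on-premises, all lowercase is cloud), and decomposes or rejects candidate names. It assumes the location codes are shared by both scopes and case-folded to the scope's case, that the index is always two digits, and that Env is not part of the structure shown (the table lists it, the structure does not).

```python
import re
from typing import Optional

# Vocabularies copied from the "Standard Naming Elements" table of this document.
COMPANY = "PAT"
LOCATIONS = ["SAO", "MVD", "BUE", "BOG", "MDE", "NYC", "GTW", "EDI", "LON", "DR", "GCP"]
ONPREM_TYPES = ["SRV", "WKS", "NOT", "MTR", "FW", "SW", "AP"]
ONPREM_DESCS = ["AD", "DB", "AP", "AC", "ST", "BK", "EX", "FS", "PS", "MN", "CA", "XA"]
CLOUD_TYPES = ["vm", "vnet", "sg", "stg", "rg", "ce"]
CLOUD_DESCS = ["dc", "fs", "ap", "db", "fw", "bh", "rd", "rs"]


def _alternation(words) -> str:
    # Longest codes first so "stg" is tried before "sg" and "vnet" before "vm".
    return "|".join(re.escape(w) for w in sorted(words, key=len, reverse=True))


def _pattern(types, descs, upper: bool) -> re.Pattern:
    # Assumption: the location vocabulary is shared by both scopes and case-folded
    # to the scope's case (uppercase on-premises, lowercase cloud).
    fold = str.upper if upper else str.lower
    return re.compile(
        rf"^(?P<company>{fold(COMPANY)})(?P<loc>{_alternation(map(fold, LOCATIONS))})"
        rf"(?P<type>{_alternation(types)})(?P<desc>{_alternation(descs)})?(?P<idx>\d{{2}})$"
    )


ONPREM_RE = _pattern(ONPREM_TYPES, ONPREM_DESCS, upper=True)
CLOUD_RE = _pattern(CLOUD_TYPES, CLOUD_DESCS, upper=False)


def parse_name(name: str) -> Optional[dict]:
    """Decompose a name into [Company][Loc][Type][Desc][Idx], or None if it breaks the convention.

    The case of the whole name selects the scope; mixed case is rejected outright.
    """
    if name.isupper():
        scope, regex = "on-premises", ONPREM_RE
    elif name.islower():
        scope, regex = "cloud", CLOUD_RE
    else:
        return None
    m = regex.match(name)
    if m is None:
        return None
    return {"scope": scope, **m.groupdict()}  # "desc" is None when the element is omitted


def build_name(scope: str, loc: str, rtype: str, desc: Optional[str], idx: int) -> str:
    """Assemble a name in the scope's case and refuse anything the parser would reject."""
    fold = str.upper if scope == "on-premises" else str.lower
    name = fold(f"{COMPANY}{loc}{rtype}{desc or ''}{idx:02d}")
    parsed = parse_name(name)
    if parsed is None or parsed["scope"] != scope:
        raise ValueError(f"{name!r} does not follow the {scope} naming convention")
    return name


if __name__ == "__main__":
    for candidate in ["PATSAOSRVDB01", "patgcpcedb04", "PatSaoSrvDb01", "PATSAOXX01"]:
        print(candidate, "->", parse_name(candidate))
```

Run against the two names shown above, the parser recovers every element; a mixed-case name or an unknown type code is rejected, which is the check a provisioning pipeline or a periodic inventory review would apply before accepting a resource.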
Exceptions and Deviations
Note
Exceptions: Any deviations from these naming conventions must be documented and approved by the Architecture Review Board. Exceptions should be rare and justified by specific technical constraints or compliance requirements.
References
This document adheres to several established standards and frameworks to ensure robust technology architecture. Key references include:
- OWASP Application Security Verification Standard (ASVS)
- NIST Cybersecurity Framework
- ISO 27001/27002 Security Standards
- Python Code Style: PEP 8
- OWASP API Security Project
- NIST SP 800-53 Security Controls
- RFC 6749 (OAuth 2.0)
- OpenAPI Specification
- REST API Design Rulebook