Permissioned hybrid cloud-edge architecture for healthcare AI workloads
SmartClover combines tenant-designated edge execution with hybrid cloud coordination. This architecture is cloud + edge by design: data-boundary control is preserved while cloud primitives support scale, governance, and observability.
Document status: Draft for architecture/security review
Last updated: 2026-02-17
Owner: Architecture + Security
SmartClover uses a permissioned hybrid architecture: clinical workloads run in authorized edge/on-prem boundaries, sensitive flows are end-to-end encrypted, clinical payload data is not centralized, and immutable trace events are anchored for auditable integrity.
Service map (public baseline)
| Domain | Current architecture baseline | GCP alignment rationale |
|---|---|---|
| Compute and orchestration | Permissioned on-edge/on-prem workers with hybrid cloud coordination components. | Cloud orchestration components are mapped to GCP-managed compute families per deployment tier. |
| Data and storage boundaries | Clinical payload data remains tenant-local and encrypted; no centralized clinical payload repository. | Control-plane metadata may use managed cloud storage patterns without centralizing clinical payload data. |
| AI and model operations | AI-assisted workflows run within authorized boundaries with human approval gates. | Model lifecycle coordination aligns to managed AI service patterns where contractually approved. |
| Security and identity | Role-based access, encryption control, and policy-constrained service communication. | Identity, key, and policy controls follow cloud security pillar principles. |
| Observability and audit | Append-only operational traces with immutable anchoring for audit integrity. | Operational telemetry aligns with managed observability stacks for reliability governance. |
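To make the "append-only traces with immutable anchoring" control concrete, here is an added illustration (not SmartClover's own code) of a hash-chained trace log whose head digest is published as an anchor; a verifier recomputes the chain and rejects edited, reordered or truncated histories. Event field names and sample events are constructed for the example, and entries carry only references, never clinical payload data.

```python
import hashlib
import json

GENESIS = "0" * 64  # digest the first entry links to

def _digest(body: dict) -> str:
    # Canonical JSON so every verifier hashes identical bytes
    blob = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()

def append_event(log: list, event: dict) -> dict:
    """Append an event linked to the previous entry's digest.

    The event carries references (tenant, action, approver), never
    clinical payload data, which stays inside the tenant boundary.
    """
    prev = log[-1]["digest"] if log else GENESIS
    body = {"seq": len(log), "prev": prev, "event": event}
    entry = dict(body, digest=_digest(body))
    log.append(entry)
    return entry

def anchor(log: list) -> str:
    """Head digest to publish out-of-band; it commits to the whole chain."""
    return log[-1]["digest"] if log else GENESIS

def verify(log: list, anchor_digest: str) -> bool:
    """Recompute every link and require the chain to end at the anchor."""
    prev = GENESIS
    for seq, entry in enumerate(log):
        if entry["seq"] != seq or entry["prev"] != prev:
            return False  # reordered entries or a gap in the sequence
        body = {"seq": seq, "prev": prev, "event": entry["event"]}
        if _digest(body) != entry["digest"]:
            return False  # entry edited after it was recorded
        prev = entry["digest"]
    return prev == anchor_digest  # truncated, or appended after anchoring

def demo() -> dict:
    # Constructed sample events for illustration only (hypothetical names)
    log = []
    append_event(log, {"tenant": "tenant-a", "action": "inference_requested"})
    append_event(log, {"tenant": "tenant-a", "action": "human_approval", "by": "clinician-1"})
    a = anchor(log)
    intact = verify(log, a)
    log[0]["event"]["action"] = "inference_skipped"  # rewrite history
    return {"intact": intact, "after_tamper": verify(log, a)}
```

Publishing the anchor to a store the trace writer cannot modify is what turns the local chain into an auditable one; the verifier needs only the log and that anchor.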
Tenancy and data-boundary model
- Tenant isolation uses permissioned boundaries and policy-constrained access paths.
- Data residency follows tenant-selected deployment boundaries (on-edge/on-prem or approved hybrid segment).
- No default cross-tenant clinical data sharing is enabled.
- Clinical payload storage remains local to authorized tenant boundaries.
Reliability and recovery posture
| Control area | Public statement |
|---|---|
| Availability posture | Resilience is built through distributed node design and tenant-boundary execution. |
| SLO/SLA model | Targets are defined per package and environment tier in RFQ and onboarding artifacts. |
| Backup and recovery | Backup and recovery controls are tenant-scoped, encryption-protected, and contract-defined. |
| Incident handling | Severity-based incident flow with traceable lifecycle and corrective-action tracking. |
Cost-performance rationale
- Edge-local execution reduces repeated high-volume clinical data transfer overhead.
- No centralized clinical payload repository limits central storage growth pressure.
- Hybrid cloud components are scoped to coordination, governance, and observability.
- Capacity planning is tied to RFQ-defined workload envelopes and deployment tier.