Permissioned cloud-on-edge services for healthcare AI workloads
SmartClover supports tenant-designated edge and on-prem execution with hybrid cloud coordination. The model keeps healthcare data boundaries explicit while cloud services support orchestration, observability, and release control.
Document status: Draft for architecture/security review
Last updated: 2026-05-11
Owner: Architecture + Security
SmartClover uses a permissioned cloud-on-edge architecture: clinical workloads run in authorized edge/on-prem boundaries, sensitive flows are end-to-end encrypted, clinical payload data is not centralized by default, and immutable trace events are anchored for auditable integrity.
Deployment boundaries

Service map (public baseline)
| Domain | Current architecture baseline | Deployment rationale |
|---|---|---|
| Compute and orchestration | Permissioned cloud-on-edge and on-prem workers with hybrid coordination components. | Cloud coordination is scoped to orchestration, release control, observability, and operational governance. |
| Data and storage boundaries | Clinical payload data remains tenant-local and encrypted within the approved deployment model. | Control-plane metadata may use managed storage patterns without centralizing clinical payload data. |
| AI and model operations | AI-assisted workflows run within authorized boundaries with human approval gates. | Model lifecycle coordination is enabled only where the contract and deployment boundary approve it. |
| Security and identity | Role-based access, encryption control, and policy-constrained service communication. | Identity, key, and policy controls are selected per environment and reviewed during onboarding. |
| Observability and audit | Append-only operational traces with immutable anchoring for audit integrity. | Operational telemetry supports reliability review, security review, and release traceability. |
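As an added illustration of the "Observability and audit" row above (example code, not SmartClover's own; the event fields, the anchoring service and the sample payloads are assumptions), a tenant-local trace log that chains events by hash, records only a digest of the clinical payload, and re-checks the chain against a published anchor so that in-place edits and truncation are both detected:

```python
import hashlib
import json
GENESIS = "0" * 64  # prev_hash of the first event in a tenant's chain

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def hash_event(event: dict) -> str:
    # Hash every field except the event's own hash, serialised as canonical JSON
    body = {k: v for k, v in event.items() if k != "event_hash"}
    return digest(json.dumps(body, sort_keys=True, separators=(",", ":")).encode())

class TraceLog:
    """Append-only, hash-chained operational trace for one tenant."""
    def __init__(self, tenant: str):
        self.tenant, self.events = tenant, []

    def append(self, action: str, clinical_payload: bytes) -> dict:
        prev = self.events[-1]["event_hash"] if self.events else GENESIS
        event = {"seq": len(self.events), "tenant": self.tenant, "action": action,
                 # only the payload digest enters the trace; the payload stays tenant-local
                 "payload_digest": digest(clinical_payload), "prev_hash": prev}
        event["event_hash"] = hash_event(event)
        self.events.append(event)
        return event

    def anchor(self) -> dict:
        # Small commitment handed to an external anchoring service (hypothetical here)
        head = self.events[-1]["event_hash"] if self.events else GENESIS
        return {"tenant": self.tenant, "length": len(self.events), "head_hash": head}

    def verify(self, anchor: dict) -> bool:
        # Recompute every link and confirm the chain still ends at the anchored head
        prev = GENESIS
        for i, ev in enumerate(self.events):
            if ev["seq"] != i or ev["prev_hash"] != prev or hash_event(ev) != ev["event_hash"]:
                return False
            prev = ev["event_hash"]
        return len(self.events) == anchor["length"] and prev == anchor["head_hash"]

def demo() -> tuple:
    # Returns (intact, after_in_place_edit, after_truncation) verification results
    log = TraceLog("tenant-a")
    log.append("model.infer", b"constructed clinical payload 1")
    log.append("review.approve", b"constructed clinical payload 2")
    anchor = log.anchor()
    intact = log.verify(anchor)
    log.events[0]["action"] = "model.skip"    # rewrite an anchored event in place
    after_edit = log.verify(anchor)
    log.events[0]["action"] = "model.infer"   # restore it, then drop the newest event
    log.events.pop()
    return intact, after_edit, log.verify(anchor)
```

The anchor carries only the chain length and head hash, so the anchoring service never sees clinical data, yet any later rewrite or truncation of the tenant-local log fails verification.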
Tenancy and data-boundary model
- Tenant isolation uses permissioned boundaries and policy-constrained access paths.
- Data residency follows tenant-selected deployment boundaries (on-edge/on-prem or approved hybrid segment).
- No default cross-tenant clinical data sharing is enabled.
- Clinical payload storage remains local to authorized tenant boundaries.
Reliability and recovery posture
| Control area | Public statement |
|---|---|
| Availability posture | Resilience is built through distributed node design and tenant-boundary execution. |
| SLO/SLA model | Targets are defined per package and environment tier in RFQ and onboarding artifacts. |
| Backup and recovery | Backup and recovery controls are tenant-scoped, encryption-protected, and contract-defined. |
| Incident handling | Severity-based incident flow with traceable lifecycle and corrective-action tracking. |
Cost-performance rationale
- Edge-local execution reduces repeated high-volume clinical data transfer overhead.
- Tenant-local clinical payload handling limits central storage growth pressure.
- Hybrid cloud components are scoped to coordination, governance, and observability.
- Capacity planning is tied to RFQ-defined workload envelopes and deployment tier.