Skip to content

Performance

The Zaita platform is built for low-latency, high-availability operation across distributed deployments. A combination of edge delivery, intelligent traffic management, and elastic compute scaling ensures consistent performance for both interactive users and automated certificate lifecycle workloads.

Request Handling and Edge Delivery

All customer-facing traffic is routed through a global content delivery network (CDN), which serves static assets from locations closest to the user. This reduces load on origin servers and minimises latency. Secure connections are established at the network edge, improving response times for geographically distant users. Requests are automatically directed to the nearest available point of presence, and volumetric traffic attacks are absorbed at the edge before reaching platform infrastructure.

Web Application Firewall

All traffic passes through a web application firewall (WAF) before reaching the platform's API and web portal. The WAF provides:

  • Threat filtering — protection against common web attack vectors, enforced via the OWASP Core Rule Set.
  • Rate limiting — configurable thresholds that protect API endpoints from abuse and ensure equitable resource allocation across tenants.
  • Bot mitigation — automated detection and filtering of non-human traffic patterns.
  • Custom rules — support for tenant-specific or deployment-specific filtering requirements.

Only validated requests are forwarded to platform compute resources.

Scalable Compute

The platform runs on container-based orchestration, enabling elastic scaling and predictable performance under varying load.

Autoscaling

User-facing workloads — including the web portal, API layer, and job dispatch services — scale automatically based on demand. Additional capacity is brought online during peak periods and released during low-traffic windows, keeping the platform responsive without over-provisioning.

Workload Isolation

Cryptographic operations such as certificate generation and key pair creation run on dedicated compute resources, separate from user-facing request processing. This prevents intensive backend workloads from affecting portal or API responsiveness.

Stable Resource Allocation

All workloads run with defined CPU and memory allocations. Minimum guarantees prevent resource starvation, while upper limits ensure no single component consumes disproportionate capacity.

Zero-Downtime Deployments

Platform updates are deployed incrementally. Traffic is only routed to new instances once they have passed health and readiness checks, ensuring no disruption during upgrades.

Asynchronous Task Processing

Certificate lifecycle operations — including key pair generation, CSR creation, and certificate issuance — are handled asynchronously. The platform acknowledges requests immediately and processes them in the background, providing:

  • Responsive experience — users and API consumers receive immediate confirmation without waiting for long-running operations to complete.
  • Demand smoothing — the job queue absorbs bursts in workload, distributing processing evenly over time.
  • Independent scaling — backend processing capacity scales based on queue depth, independent of front-end traffic.
  • Automatic retry — failed tasks are retried automatically, without requiring client-side logic.

Data Store Performance

The platform uses separate, purpose-configured data stores for distinct workload types:

  • Source One (primary store) — optimised for the mixed read/write patterns of web application traffic, including certificate metadata, account lookups, and audit records.
  • Source Two (Secured Back Control Plane store) — configured for the high-integrity, low-frequency access requirements of cryptographic key operations, with access restricted to the Secured Back Control Plane.
  • Source Three (task store) — tuned for the high-throughput write and update operations driven by the job orchestration lifecycle.

Logical separation ensures that heavy workloads on one store — such as a bulk certificate generation run — do not affect the performance of others.

Availability and Resilience

The platform is designed for continuous availability across all supported deployment regions:

  • Multi-replica deployments — critical components run with multiple instances distributed across availability zones, maintaining operation during individual node or zone failures.
  • Self-healing infrastructure — unhealthy instances are automatically restarted or replaced without manual intervention.
  • Connection resilience — database and service connections use pooling and circuit breaker patterns to handle transient failures gracefully.
  • Offline backups — regular backups are stored in a geographically separate location, supporting data durability and disaster recovery.

Summary

Aspect Approach
Edge delivery Global CDN with geographic routing and TLS termination
Traffic protection WAF with OWASP rule enforcement, rate limiting, and bot mitigation
Compute scaling Automatic horizontal scaling on front-end and back-end workloads
Workload isolation Separate compute for user-facing and cryptographic operations
Task execution Asynchronous job queue with independent scaling and automatic retry
Data store optimisation Purpose-configured stores tuned for their specific access patterns
Availability Multi-replica, multi-zone deployments with self-healing and circuit breaking