velaro.

AI Solution - Data Flow Architecture

How Velaro’s AI orchestration layer interacts with NetSuite and external AI providers · All credentials server-side only

Oracle NetSuite · Built for NetSuite (BFN)
Badge Renewal · 2026

AI Data Flow Diagram

All AI components · NetSuite credentials never sent to LLMs, client browsers, or MCP servers · Server-to-server only

End User Layer
Visitor Engagement
Inbound channels
  • Live Chat (web widget)
  • SMS · IVR · WhatsApp
  • Facebook Messenger
Agent / Admin
Platform users
  • Agent Workspace
  • Admin Portal
  • Entra CIAM authenticated
HTTPS / TLS 1.2+
Network Perimeter
Azure Front Door
  • Global load balancing
  • DDoS Protection L3/L4/L7
  • TLS 1.2+ termination
  • GeoFiltering
Azure WAF
  • OWASP Core Rule Set 3.2
  • Bot protection
  • Custom rate-limiting
  • IP reputation filtering
Filtered traffic
Velaro Platform
AI Orchestration runs entirely within Velaro / Azure infrastructure - Azure App Service
Admin Portal
  • AI configuration management
  • Workflow Builder
  • NetSuite integration config
  • MCP server management
  • Azure Cognitive Search index
Agent Workspace
  • Inbound conversations
  • Workflow node execution
  • Conversation Engine host
  • NetSuite informational pane
  • Agent-initiated direct REST calls
AI Orchestration Layer
Conversation Engine
Assembles system prompt + conversation history + tool definitions. No NetSuite credentials at this stage.
LLM Provider API Call
Sends payload to selected LLM. LLM returns tool_use intent - not a direct NetSuite call.
③a · Production: Built-in AI Skills (IWorkflowSkill)
33 production skills including: netsuite_search_customer, netsuite_get_customer, netsuite_get_customer_contacts, netsuite_get_customer_balance, netsuite_get_open_invoices, netsuite_get_invoice, netsuite_get_payment_history, netsuite_get_credit_memo, netsuite_get_credit_memos, netsuite_search_orders, netsuite_get_order, netsuite_get_order_history, netsuite_cancel_order, netsuite_add_order_note, netsuite_create_rma, netsuite_get_rma, netsuite_create_case, netsuite_get_cases, netsuite_add_case_note, netsuite_update_case, netsuite_get_opportunity, netsuite_search_opportunities, netsuite_create_quote, netsuite_search_items, netsuite_check_stock, netsuite_get_item_pricing, netsuite_get_subsidiaries, netsuite_update_customer, netsuite_update_record, netsuite_get_record, netsuite_create_record, netsuite_restlet, netsuite_search. OAuth signing server-side - credentials never leave backend.
③b · Production: MCP Tool Server
Velaro-hosted HTTP · JSON-RPC 2.0. OAuth credentials stay server-side - MCP server receives only tool arguments and conversation context, never tokens.
Result - LLM Formulates Reply
NetSuite tool results returned to the LLM. It composes a natural language response to the visitor or agent. No raw credentials appear in the response or logs.
Azure Cognitive Search - RAG / Knowledge Base
Vector index of customer-provided docs · Queried server-side · Results injected into LLM context only
Optional
External AI Providers
AI Providers
Selected per customer config
  • Azure OpenAI Service
  • OpenAI (api.openai.com)
  • Anthropic (Claude)
  • Google Gemini
Data to LLMs:
✓ Sent:
  • System prompt
  • Conversation history
  • Tool definitions
  • Tool results
✗ Never sent:
  • OAuth credentials
  • Other tenant data
  • Infrastructure secrets
External Data Source
NetSuite
Customer’s own instance - Velaro never hosts NS data
Authentication
  • OAuth 1.0a (HMAC-SHA256)
  • Consumer Key + Consumer Secret
  • Access Token + Token Secret
  • Credentials encrypted in Azure SQL (TDE)
API Path 1 - SuiteTalk REST
  • Standard record CRUD
  • SuiteQL queries
API Path 2 - Custom RESTlet
  • SuiteScript in customer account
  • Field metadata & dropdown lists
  • Multi-item operations
Records Accessed
  • Customers · Leads · Contacts
  • Cases · Orders · Invoices
  • Opportunities · Quotes · RMAs
Data source only. All API calls server-to-server exclusively by Velaro backend. Never initiated by client browsers, chat widgets, end users, or LLM providers. OAuth tokens never leave the server.
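The following Python sketch is an added illustration, not Velaro's code, of the backend side of the flow described above (Conversation Engine assembles the payload, the LLM returns a tool_use intent, the backend runs the skill and signs the NetSuite request with OAuth 1.0a HMAC-SHA256, and only the tool result goes back to the LLM). The credential values, the ACCOUNT id, the record URL and the NetSuite response are constructed placeholders; the leak check is a hypothetical control showing how to verify that no credential value reaches an LLM-bound payload.

```python
import base64, hashlib, hmac, json
from urllib.parse import quote

# Constructed placeholder credentials (not real); they exist only in the backend process
NS_CREDS = {"consumer_key": "ck_PLACEHOLDER", "consumer_secret": "cs_PLACEHOLDER",
            "token": "tk_PLACEHOLDER", "token_secret": "ts_PLACEHOLDER"}

def pct(s):
    # OAuth 1.0a mandates RFC 3986 percent-encoding: only A-Z a-z 0-9 - . _ ~ unescaped
    return quote(str(s), safe="-._~")

def oauth1_header(method, url, creds, nonce, timestamp, realm):
    """Build an OAuth 1.0a Authorization header signed with HMAC-SHA256 (url has no query)."""
    p = {"oauth_consumer_key": creds["consumer_key"], "oauth_token": creds["token"],
         "oauth_signature_method": "HMAC-SHA256", "oauth_timestamp": str(timestamp),
         "oauth_nonce": nonce, "oauth_version": "1.0"}
    normalized = "&".join(f"{pct(k)}={pct(v)}" for k, v in sorted(p.items()))
    base = "&".join([method.upper(), pct(url), pct(normalized)])
    key = f"{pct(creds['consumer_secret'])}&{pct(creds['token_secret'])}".encode()
    p["oauth_signature"] = base64.b64encode(
        hmac.new(key, base.encode(), hashlib.sha256).digest()).decode()
    # realm is sent in the header but, per the spec, is not part of the signature base
    return f'OAuth realm="{realm}", ' + ", ".join(f'{k}="{pct(v)}"' for k, v in p.items())

def leaks_credential(obj):
    """True if any NetSuite credential value appears in a JSON-serialisable object."""
    blob = json.dumps(obj)
    return any(v in blob for v in NS_CREDS.values())

def handle_tool_use(llm_payload, tool_use, nonce="n0", timestamp=1700000000):
    """Run the LLM's tool_use intent server-side; return the signed header and new payload."""
    if tool_use["name"] != "netsuite_get_customer_balance":
        raise ValueError("skill not registered: " + tool_use["name"])
    # Hypothetical SuiteTalk record URL; ACCOUNT stands in for the customer's account id
    url = ("https://ACCOUNT.suitetalk.api.netsuite.com/services/rest/record/v1/customer/"
           + tool_use["input"]["customer_id"])
    auth = oauth1_header("GET", url, NS_CREDS, nonce, timestamp, "ACCOUNT")
    # The outbound HTTPS call is omitted; this constructed dict stands in for NetSuite's reply
    result = {"customer_id": tool_use["input"]["customer_id"], "balance": 1240.0, "open_invoices": 2}
    new_payload = dict(llm_payload, tool_results=llm_payload["tool_results"]
                       + [{"tool_use_id": tool_use["id"], "content": result}])
    return auth, new_payload

# Constructed sample: what the Conversation Engine assembled and what the LLM returned
PAYLOAD = {"system_prompt": "You are Velaro's support assistant.",
           "history": ["check my balance"],
           "tool_definitions": [{"name": "netsuite_get_customer_balance"}], "tool_results": []}
TOOL_USE = {"id": "tu_1", "name": "netsuite_get_customer_balance", "input": {"customer_id": "1042"}}
```

The Authorization header is the only place the consumer key and token identifier appear, and the two secrets never appear anywhere: they are used only as the HMAC key.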

Omnichannel Delivery - Same Data, Every Channel

NetSuite data surfaces through every channel Velaro supports. The AI bot runs the same 33 skills regardless of which channel the customer contacts you on.

Web Chat
  • Widget on any page
  • Real-time order lookup
  • Invoice payment links
SMS / Text
  • Twilio inbound texts
  • Order status replies
  • RMA confirmations
WhatsApp
  • Rich message cards
  • Invoice PDFs
  • Case updates
IVR / Voice
  • Caller account lookup
  • Balance by phone
  • Case creation by voice
Facebook Messenger
  • Order tracking
  • Product availability
  • Support case filing
Instagram DM
  • Product queries
  • Inventory check
  • Return initiation
Apple Messages
  • Native Apple Pay
  • Invoice settlement
  • Rich card replies
Email (Inbound)
  • Ticket auto-create in NS
  • Order confirmation lookup
  • Auto-reply with data
Example - same bot, different channel
SMS: Customer texts "where is my order" - bot calls netsuite_search_orders - replies "Order #4821 ships Thursday via FedEx, tracking 1Z999..."
IVR: Caller says "check my balance" - bot calls netsuite_get_customer_balance - speaks "Your current balance is $1,240 with 2 invoices due this week."
Security Controls Summary
Data Protection
  • TLS 1.2+ for all data in transit
  • AES-256 at rest (Azure SQL TDE)
  • OAuth credentials encrypted in Azure SQL
  • LLM API keys in Azure App Settings (platform-encrypted)
  • Infrastructure secrets in Azure Key Vault
Authentication & Access
  • Entra External ID (CIAM) for user auth
  • MFA support for platform users
  • OAuth 1.0a (HMAC-SHA256) for NetSuite
  • Azure AD RBAC for platform resources
  • Per-tenant data isolation enforced
  • Per-site AI configurations
Isolation & Observability
  • No cross-tenant data sharing
  • Server-side credential isolation - tokens never reach clients, LLMs, or MCP servers
  • All NetSuite calls server-to-server only
  • Integration Activity Log (per-integration audit trail)
  • Azure Monitor + Application Insights
  • Loggly centralized logging
© Velaro, Inc.
Diagram 1 of 2 - AI Data Flow Architecture
Confidential - Oracle NetSuite BFN Badge Review

Security Architecture

Infrastructure layers, network perimeter, credential isolation, and how Velaro compares to middleware integration approaches


Security Architecture & Middleware Comparison

Network perimeter · App layer · Credential isolation · Outbound-only external services · vs. Zapier/Make/Power Automate

Public Internet
End Users
  • Chat widget visitors
  • SMS / IVR callers
  • WhatsApp / Messenger
Agents & Admins
  • Browser-based console
  • Desktop application
HTTPS - TLS 1.2+
Network Perimeter
Azure Front Door
  • Global load balancing
  • DDoS L3/L4/L7
  • TLS 1.2+ termination
  • Real IP header (X-Azure-ClientIP)
  • Geo-filtering rules
Azure WAF
  • OWASP Core Rule Set 3.2
  • Bot protection
  • Custom rate-limiting
  • IP reputation filtering
  • SQL injection / XSS prevention
Filtered, authenticated traffic
Application Layer - Azure App Service
Velaro API - Security Headers & Credential Isolation
  • HSTS enforced
  • X-Content-Type-Options: nosniff
  • CORS restricted to allow-listed origins
  • Per-site data filtering
  • Server-side OAuth signing - tokens never reach client
  • All NetSuite calls server-to-server only
Entra External ID (CIAM)
  • User authentication
  • MFA support
  • Per-tenant isolation
  • Token-based sessions
Azure SQL Database
  • TDE - AES-256 at rest
  • OAuth credentials encrypted
  • Per-tenant row isolation
  • Automated backups
Azure Key Vault
  • Infrastructure secrets
  • Certificate management
  • RBAC-controlled access
Azure App Settings
  • Platform-encrypted config
  • LLM API keys stored here
  • Never exposed to client
Azure Redis Cache
  • Session state (no PII keys)
  • Real-time routing data
  • Encrypted in transit
Why Velaro is more secure than Make / Zapier / Power Automate
Make / Zapier / Power Automate
  • OAuth tokens stored on third-party servers
  • Credentials passed between automation nodes
  • Tokens visible in platform flow logs
  • Customer data flows through external processors
  • API changes break every flow - manual rebuild
  • Not real-time - triggered/polling only
  • Multiple failure points per operation
Velaro Native Integration
  • Credentials encrypted in customer’s Azure SQL
  • OAuth signed server-side - never transmitted
  • Tokens never appear in any log output
  • Data stays within customer’s Azure tenant
  • Velaro handles API changes - zero downtime
  • Real-time - fires live during conversation
  • Single RelayToRestlet endpoint, minimal failure risk
External Services - Outbound Only

All calls initiated server-side by Velaro backend. Never inbound from these providers.

LLM Providers
Anthropic · OpenAI · Azure OpenAI · Google Gemini - HTTPS, API key auth
NetSuite REST API
OAuth 1.0a signed · SuiteTalk REST + Custom RESTlet · Server-to-server only
Twilio SMS / Voice
Outbound messages · HTTPS · API key in Key Vault
Azure Cognitive Search
RAG queries · Managed identity · Per-tenant index isolation
Azure SignalR Service
Real-time chat · Connection string in Key Vault
Azure Blob Storage
File attachments · Per-tenant containers · SAS tokens
Observability & Audit

All logging server-side. No credentials or raw tokens appear in any log output.

Azure Monitor
Platform metrics · Alerting · Auto-scale triggers
Application Insights
Request tracing · Exception tracking · Performance monitoring
Loggly
Centralized structured logging · Retention policy enforced
Integration Activity Log
Per-integration audit trail · NetSuite API call log · Timestamps & response codes - no credential data
Credential Safety Guarantee
  • OAuth tokens never appear in logs
  • LLM API keys not logged
  • PII handled per retention policy
  • Cross-tenant log isolation enforced