Skip to content
Maddict Docs

Architecture overview

This page gives a non-exhaustive, high-level view of how Maddict fits together. It’s aimed at admins and technically curious users who want to understand what’s behind the product — not an internal engineering reference.

The big picture

Section titled “The big picture”
            ┌──────────────────────────────────────────────┐
            │            Maddict web application            │
            │  Dashboard · Builder · Admin back-office      │
            └───────────────┬───────────────┬──────────────┘
                            │               │
              tenant data   │               │  audience data
              (Postgres)    ▼               ▼  (proxied, tier-gated)
            ┌───────────────────────┐   ┌──────────────────────┐
            │   Database + Auth      │   │   Audience data API   │
            │   (row-level security) │   │   (external source)   │
            └───────────────────────┘   └──────────────────────┘

The web application

Section titled “The web application”

Maddict is a single web application that serves three role-gated surfaces:

  • The dashboard — the catalogue, audience builder, saved audiences, compare, and exports.
  • Agency administration — team management and plan usage for agency admins.
  • The platform back-office — agency provisioning and oversight for Maddict staff, invisible to everyone else.

The data layer

Section titled “The data layer”

Tenant data — your audiences, saved work, team membership, entitlements — lives in a managed Postgres database with authentication. Row-level security (RLS) enforces that each request can only ever touch its own tenant’s rows. Sign-in, invitations, and password recovery are handled by the same managed auth layer. See Tenant data isolation.

The audience data source

Section titled “The audience data source”

The segment catalogue and statistics are powered by an external audience data API. Maddict acts as a secured, tenant-aware, tier-gating proxy in front of it: every request is authenticated, scoped to your tenant, and checked against your entitlements before any data is returned. Your browser never talks to the data source directly.

Defence in depth

Section titled “Defence in depth”

Several independent layers protect the platform at once:

  • Authentication — you must be signed in.
  • Authorisation — your role must permit the action.
  • Tenant isolation — RLS confines you to your agency’s data.
  • Entitlement gating — your plan must include what you’re requesting.
  • Audit logging — significant actions are recorded immutably.

No single layer is load-bearing on its own. For specifics, see Security & compliance.

Next

Section titled “Next”
Tenant data isolationHow one agency's data stays separate from another's.
Security & complianceThe controls that protect the platform.