Technology

Built for Scale

Drivia is enterprise-grade from the ground up. Here's the full technology stack, architecture decisions, and security practices that power the platform.

100+ Database Tables
26+ Edge Functions
30+ Widget Types
200+ RLS Policies
40+ API Routes
100+ DB Migrations
500+ TypeScript Files
5 Accessibility Modes

Architecture Overview

Drivia follows a modern JAMstack architecture with server-side rendering for SEO and performance, client-side interactivity for rich learning experiences, and edge functions for AI processing and background jobs.

The frontend is a Next.js 15 App Router application deployed on Vercel's edge network. Server components handle data fetching and SEO, while client components power interactive widgets, the AI tutor, and real-time features.

The backend is a combination of Next.js API routes (for auth-protected operations) and Supabase Edge Functions (Deno runtime for AI, webhooks, and scheduled jobs). All database access goes through Supabase's PostgREST layer with row-level security enforced at the database level.

AI features use a multi-provider strategy with OpenAI and Anthropic models, wrapped in security guardrails that include rate limiting, prompt injection detection, input sanitization, and output validation.

Frontend

Next.js 15: React framework with App Router, server components, streaming SSR, and edge middleware.
React 19: Latest React with concurrent features, server actions, and optimized hydration.
TypeScript: Full type safety across the entire codebase. Zero any types in critical paths.
Tailwind CSS: Utility-first styling with custom design tokens, dark mode, and responsive breakpoints.
Lucide Icons: Consistent, tree-shakeable icon library with 1,500+ icons.
Framer Motion: Production-grade animations for page transitions, widgets, and micro-interactions.

Backend & API

Next.js API Routes: Server-side API endpoints with middleware for auth, rate limiting, and validation.
Supabase Edge Functions: 26+ serverless Deno functions for AI processing, webhooks, and background jobs.
Stripe API: PCI-compliant payment processing for subscriptions, one-time purchases, and founder spots.
OpenAI / Anthropic: Multi-provider AI for JAX tutor, content generation, and learning analytics.
Python ML Pipeline: Scikit-learn and custom models for personalized recommendations and struggle detection.

Database

PostgreSQL (Supabase): Enterprise-grade relational database with 100+ tables, full-text search (pg_trgm), and JSONB for flexible schemas.
Row-Level Security: Every table has RLS policies. Users can only access their own data. Admins have scoped elevated access.
Database Functions: 50+ PostgreSQL functions for complex operations: XP calculations, leaderboard views, streak tracking, analytics aggregation.
Real-time Subscriptions: Supabase Realtime for live chat, presence indicators, typing indicators, and notification delivery.
Automated Migrations: 100+ tracked migrations with rollback capability. Schema changes are versioned and auditable.

AI & Machine Learning

JAX AI Tutor: Socratic method AI with full lesson context, conversation history, and learning signal awareness. Uses guardrails for safety.
ML Recommendation Engine: 3-tier fallback: Python ML model → AI personalized → computed fallback. Analyzes quiz patterns, topic affinity, struggle areas, and content preferences.
AI Security Guardrails: Rate limiting (120 req/hr), prompt injection detection (12 patterns), input sanitization, output PII scanning, and harmful content filtering.
Learning Signal Tracking: Every interaction generates signals: time-on-task, revisit patterns, quiz performance, scroll depth. Fed into ML pipeline for personalization.
Content Generation: AI-assisted course creation, quiz generation, and lesson content enrichment with human oversight and audit workflows.

Security

Row-Level Security (RLS): Database-level access control. Every query is filtered by the authenticated user's identity. No data leaks possible at the query layer.
TLS 1.3 Encryption: All data in transit is encrypted. HTTPS enforced on all endpoints.
PCI Compliance: Payment processing through Stripe. No credit card data touches our servers.
CSRF Protection: Double-submit cookie pattern on all state-changing operations.
Rate Limiting: API rate limiting per user and per endpoint. AI endpoints have additional throttling.
Audit Logging: All admin actions are logged with actor, timestamp, and payload for compliance.
Input Validation: Zod schema validation on all API inputs. HTML/script stripping. Length caps on text fields.
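
The double-submit cookie check named in the list above, as an added example (not Drivia's code). It goes one step beyond the plain pattern by binding the token to the session with an HMAC, so a cookie planted from elsewhere does not validate. All function names, the request shape, and the secret handling are assumptions.

```typescript
import { createHmac, randomBytes, timingSafeEqual } from "node:crypto";

// Hypothetical request shape: the framework adapter would fill these fields
// from the session, the CSRF cookie, and a custom request header.
interface CsrfRequest {
  method: string;
  sessionId: string;
  cookieToken?: string;
  headerToken?: string;
}

// Methods that must not change state and therefore skip the check.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

function mac(secret: string, sessionId: string, nonce: string): string {
  return createHmac("sha256", secret).update(`${sessionId}.${nonce}`).digest("hex");
}

// Token layout: <random nonce>.<HMAC(secret, sessionId.nonce)>
function issueCsrfToken(secret: string, sessionId: string): string {
  const nonce = randomBytes(16).toString("hex");
  return `${nonce}.${mac(secret, sessionId, nonce)}`;
}

// Length check first: timingSafeEqual throws on unequal lengths.
function constantTimeEqual(a: string, b: string): boolean {
  const ba = Buffer.from(a);
  const bb = Buffer.from(b);
  return ba.length === bb.length && timingSafeEqual(ba, bb);
}

function verifyCsrf(secret: string, req: CsrfRequest): boolean {
  if (SAFE_METHODS.has(req.method.toUpperCase())) return true;
  const { cookieToken, headerToken } = req;
  // Both copies must be present and identical (the double submit).
  if (!cookieToken || !headerToken) return false;
  if (!constantTimeEqual(cookieToken, headerToken)) return false;
  // The token must also have been issued by this server for this session.
  const parts = cookieToken.split(".");
  if (parts.length !== 2) return false;
  return constantTimeEqual(parts[1], mac(secret, req.sessionId, parts[0]));
}
```

The header copy is what a cross-site form post cannot supply; the HMAC is what stops a matching cookie and header pair that the server never issued.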

Infrastructure

Vercel: Edge deployment with automatic scaling, global CDN, and instant rollbacks. Zero-downtime deployments.
Supabase Cloud: Managed PostgreSQL, Auth, Storage, Realtime, and Edge Functions. SOC 2 compliant.
Stripe: Payment infrastructure handling subscriptions, invoices, refunds, and tax compliance.
GitHub: Version control with branch protection, CI/CD via Vercel, and code review workflows.
Uptime Monitoring: Automated health checks and error tracking for proactive issue detection.

Why This Stack?

Performance

Server components + edge deployment = sub-second page loads globally. No spinners, no waiting.

Security First

RLS at the database layer means even a compromised API can't leak data. Defense in depth.

AI-Native

Built with AI from day one, not bolted on. Every component is designed to work with the AI tutor.

Enterprise-Ready

SOC 2 compliant infrastructure, audit logging, SSO support, and compliance reporting.

Questions about our technology or security practices? Contact our engineering team
