Architecture

SigSpan is a fully serverless, single-region deployment on AWS. This page walks through the path an alert takes from inbound email to outbound SMS, and the operational surfaces around that path.

Platform summary

Region: us-east-1 (N. Virginia)
Compute: AWS Lambda (serverless, event-driven)
Storage: DynamoDB, KMS-encrypted, multi-tenant
Inbound email: Amazon SES
Outbound SMS: Amazon SNS
Audit retention: 30 days in CloudWatch Logs

The path of a message

Every alert SigSpan delivers follows the same four-stage path. The whole thing typically completes in under three seconds.

  1. Stage 1

    Email arrives

    Amazon SES

    Inbound monitoring alerts hit a per-tenant SigSpan address. Amazon SES handles receipt, spam filtering, DKIM and SPF validation, and TLS termination from the sending MTA.

  2. Stage 2

    Parse and route

    AWS Lambda

    A Lambda function parses the email, extracts the alert content, applies per-tenant routing rules, and resolves the on-call recipient phone numbers.

  3. Stage 3

    Persist and audit

    DynamoDB + AWS KMS

    Tenant configuration, recipient phone numbers, consent records, and the message audit log all live in DynamoDB. Every table is encrypted at rest with AWS KMS-managed keys. Records are scoped by tenant on the partition key.

  4. Stage 4

    Dispatch as SMS

    Amazon SNS

    The parsed alert is dispatched to recipients via Amazon SNS. Suppression-list checks (STOP, UNSUBSCRIBE) and per-tenant rate limits are applied immediately before dispatch. Carrier response codes are persisted to the audit log.
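The ordering Stage 4 describes, as an added example (not SigSpan's code): a pre-dispatch gate that checks the suppression list before spending rate-limit budget, fails closed for an unknown tenant, and records every decision for the audit log. `TenantBucket`, `gate_dispatch`, the token-bucket algorithm, the tenant-scoped suppression key and the in-memory stores are assumptions standing in for the DynamoDB tables; the phone numbers are constructed.

```python
import time
from dataclasses import dataclass


@dataclass
class TenantBucket:
    """Token bucket for one tenant: `capacity` is the burst, `refill_per_sec` the sustained rate."""
    capacity: float
    refill_per_sec: float
    tokens: float
    updated: float

    def take(self, now: float) -> bool:
        # Refill for the time elapsed since the last call, capped at capacity.
        elapsed = max(0.0, now - self.updated)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_per_sec)
        self.updated = now
        if self.tokens < 1.0:
            return False
        self.tokens -= 1.0
        return True


def gate_dispatch(tenant_id, recipients, suppressed, buckets, audit, now=None):
    """Return the numbers cleared for dispatch and append one audit record per recipient."""
    now = time.time() if now is None else now
    bucket = buckets.get(tenant_id)
    cleared = []
    for number in recipients:
        if bucket is None:
            decision = "blocked_no_tenant_config"  # fail closed: no limits on file, no send
        elif (tenant_id, number) in suppressed:
            decision = "blocked_suppressed"  # checked first so opt-outs never consume a token
        elif not bucket.take(now):
            decision = "blocked_rate_limit"
        else:
            decision = "cleared"
            cleared.append(number)
        audit.append({"tenant": tenant_id, "to": number, "decision": decision, "ts": now})
    return cleared


def demo():
    # Constructed sample data: one tenant with a burst of 2, one opted-out recipient.
    buckets = {"tenant-a": TenantBucket(capacity=2, refill_per_sec=1.0, tokens=2, updated=1000.0)}
    suppressed = {("tenant-a", "+15555550102")}
    audit = []
    numbers = ["+15555550101", "+15555550102", "+15555550103", "+15555550104"]
    sent = gate_dispatch("tenant-a", numbers, suppressed, buckets, audit, now=1000.0)
    return sent, [entry["decision"] for entry in audit]
```

In a Lambda deployment the bucket update would need to be a conditional write against the tenant's item so concurrent invocations cannot both spend the last token.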

Operational surfaces

The services that sit alongside the message path — what protects it, watches it, and bills for it.

AWS WAF + Secrets Manager

AWS WAF sits in front of the customer-facing API for baseline DDoS and request-shape protection. All credentials — SMTP, third-party API keys, JWT signing keys — are stored in AWS Secrets Manager and accessed at runtime by Lambda execution roles with least-privilege IAM policies.

CloudWatch monitoring & audit

All Lambda invocations, SES receipts, SNS dispatches, and application-level events stream into Amazon CloudWatch. The per-message audit log is retained for 30 days by default and can be extended on a per-tenant basis. Internal alerting is wired against CloudWatch metrics.

Billing (Stripe metered)

Usage is metered at the dispatch path: every successful SMS dispatch is recorded against the tenant's Stripe subscription. There are no monthly platform fees — invoicing reflects only metered usage.

What we don't (yet) have

It is worth being explicit about the parts of the platform we have not built yet, so you can decide whether they matter for your use case.

  • Multi-region deployment. SigSpan currently runs in a single AWS region (us-east-1). Cross-region failover is not yet in place. If you need active-active multi-region for your alerting path, this is a known gap.
  • Public status page. Operational history is internal-only today. We will publish a public status page once we have enough verified uptime history for it to be meaningful.
  • Third-party compliance certifications. SigSpan does not currently hold SOC 2, HIPAA, ISO 27001, or PCI certifications. Get in touch if your use case requires any of these.

The principle here is the same as the rest of this page: be specific. A long list of vague claims helps no one; a short list of concrete capabilities and concrete gaps lets you make an informed call.

Last reviewed: 2026-05-17. This page is reviewed at least quarterly; service names are stable, but specific implementation details may shift between reviews.