Technical architecture · April 2026

321k lines of code.
One oncology data model.

Three apps, eight infrastructure layers, and every vendor a signed BAA.

321k lines of code
2,073 version changes
904 changes · 30 days
140k patients synced

Platform overview · 3 apps

One SSO. Three codebases. Same oncology data model.

Wavera ships as a triplet — EHR for the clinic, Inventory for the pharmacy, Connect for the integrations layer. One JWT signs in to all three.

Wavera EHR [DEPLOYED]
237k LOC · 1,273 total · 616 / 30d
Framework: Next.js 16 · React 19 · Prisma 6
Database: Supabase PG (dev) · Cloud SQL PG (prod)
Key tech: NextAuth 5 · Three.js · Tiptap 3 · Recharts · Gemini AI · Tesseract

Wavera Inventory [LIVE]
72k LOC · 739 total · 254 / 30d
Framework: Next.js 16 · React 19 · Drizzle 0.45
Database: SQLite (local) · Cloud SQL PG (prod)
Key tech: GS1 barcode scan · MFA / TOTP · jsPDF · Gemini AI

Wavera Connect [LIVE]
13k LOC · 61 total · 34 / 30d
Framework: Next.js 16 · React 19 · Drizzle 0.45
Database: PostgreSQL
Key tech: React Flow editor · HL7 v2 DFT builder · sFTP delivery

Core technology stack · 8 layers

Eight layers. One commit graph.

L01
Frontend
What oncologists touch.

Next.js 16 App Router running React 19, typed end-to-end with TypeScript 5. Tailwind CSS 4 for styling · shadcn + Radix UI primitives · Framer Motion for physics · Tiptap 3 for the rich-text clinical editor.

Primary: Next.js 16 · React 19 · TypeScript 5 · Tailwind 4
Support: shadcn · Radix UI · Framer Motion · Tiptap 3

L02
Backend / API
Server actions + routes · one repo.

Next.js App Router API routes and server actions keep the server and client on the same graph. pino provides structured JSON logging with correlation IDs that land in Cloud Logging.

Primary: Next.js API · Server Actions · pino logging
Support: Edge functions · Zero cold-start on Cloud Run · Typed end-to-end

L03
Database
Dual ORM · typed schemas · PHI-encrypted.

EHR rides on Supabase PostgreSQL in dev and Cloud SQL PostgreSQL in production via Prisma 6. Inventory and Connect share a Drizzle ORM 0.45 schema — SQLite locally, Cloud SQL PostgreSQL in prod. Upstash Redis caches hot reads and rate-limits PHI endpoints.

Primary: Cloud SQL PG · Prisma 6 · Drizzle 0.45
Support: Supabase PG (dev) · SQLite (local) · Upstash Redis

L04
Auth / SSO
One sign-in across all three apps.

NextAuth 5 issues JWTs that propagate across EHR · Inventory · Connect via a shared secret. Clinical roles are MFA-enforced with TOTP. PHI is encrypted at the field level with AES-256-GCM before it touches the database.

Primary: NextAuth 5 · JWT SSO · TOTP / MFA · AES-256-GCM
Support: bcrypt · Field-level PHI encryption · Session hardening

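Field-level AES-256-GCM as described in the Auth / SSO layer, shown as an added Node.js example that is not Wavera's code. The envelope format, the helper names, the table and column names, and the binding of each ciphertext to its record through associated data are assumptions made for illustration; the random key stands in for a key managed through Cloud KMS.

```javascript
// Added example (not Wavera code): AES-256-GCM envelope for a single PHI field.
const crypto = require("node:crypto");

const VERSION = "v1"; // constructed format tag so keys or algorithms can rotate later

// Associated data ties a ciphertext to one table, column and record, so a value
// copied into another row or column fails authentication instead of decrypting.
function aadFor(table, column, recordId) {
  return Buffer.from(JSON.stringify([table, column, String(recordId)]), "utf8");
}

function encryptField(key, plaintext, table, column, recordId) {
  if (!Buffer.isBuffer(key) || key.length !== 32) throw new Error("AES-256 needs a 32-byte key");
  const iv = crypto.randomBytes(12); // fresh 96-bit nonce per value, never reused with a key
  const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(aadFor(table, column, recordId));
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  const tag = cipher.getAuthTag(); // 16-byte authentication tag
  return [VERSION, ...[iv, ct, tag].map((b) => b.toString("base64url"))].join(".");
}

function decryptField(key, stored, table, column, recordId) {
  const parts = String(stored).split(".");
  if (parts.length !== 4 || parts[0] !== VERSION) throw new Error("unknown envelope");
  const [iv, ct, tag] = parts.slice(1).map((p) => Buffer.from(p, "base64url"));
  if (iv.length !== 12 || tag.length !== 16) throw new Error("malformed envelope");
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, iv, { authTagLength: 16 });
  decipher.setAAD(aadFor(table, column, recordId));
  decipher.setAuthTag(tag);
  // final() throws if the key, ciphertext, tag or associated data do not match
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString("utf8");
}

// True when fn throws, used to show that tampered or relocated values are rejected.
function rejects(fn) {
  try { fn(); return false; } catch { return true; }
}

// Constructed sample: the key stands in for a data key unwrapped through a KMS.
function demo() {
  const key = crypto.randomBytes(32);
  const stored = encryptField(key, "C50.911 breast, right", "patients", "diagnosis", "p-001");
  return {
    roundTrip: decryptField(key, stored, "patients", "diagnosis", "p-001"),
    movedToOtherRecord: rejects(() => decryptField(key, stored, "patients", "diagnosis", "p-002")),
    wrongKey: rejects(() => decryptField(crypto.randomBytes(32), stored, "patients", "diagnosis", "p-001")),
  };
}
```

Storing the version tag with each value lets a key rotation re-encrypt rows gradually while old envelopes stay readable.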
L05
AI / ML
Gemini · Vertex · Deepgram · Tesseract.

Google Gemini LLM drives note generation and the Luna copilot, deployed through Vertex AI for managed scale. Deepgram streams ambient dictation over WebSocket. Tesseract.js OCRs scanned path and imaging reports at ingestion.

Primary: Google Gemini LLM · Vertex AI · Deepgram · Tesseract.js
Support: Luna copilot · OCR pipeline · Ambient ASR · Streaming STT

L06
Cloud infrastructure
Serverless · auto-scale · zero-downtime.

All three apps run on Google Cloud Run — serverless containers that auto-scale from zero to thousands. Cloud SQL for Postgres, Cloud Storage for documents, Cloud KMS for key management, Cloud Logging for audit, Pub/Sub for events, Upstash Redis for cache.

Primary: Cloud Run · Cloud SQL · Cloud KMS
Support: Cloud Storage · Cloud Logging · Pub/Sub · Upstash Redis

L07
Interoperability
FHIR R4 · TEFCA · HL7 · 340B.

FHIR R4 native — 26 resource types, US Core 7.0.0. Wavera participates in TEFCA via CommonWell as our QHIN — Carequality nationwide queries live across 140k+ patients. Custom HL7 v2 DFT^P03 encoder for claim transmissions; 340B drug pricing live; secure file transport via ssh2-sftp-client.

Primary: FHIR R4 · TEFCA · CommonWell QHIN · Carequality · HL7 v2 DFT
Support: 340B pricing · ssh2-sftp-client · Payer endpoints

L08
Security · Compliance
HIPAA · SOC 2 · GDPR · ONC roadmap.

HIPAA-eligible GCP with a signed BAA. PHI encrypted at rest via Cloud KMS. Audit trail across all three systems through pino + Cloud Logging. WAF protecting production. MFA enforced for every clinical role. SOC 2 Type II audit in progress; ONC (g)(10) certification roadmap on file.

Primary: HIPAA BAA · AES-256-GCM · Cloud KMS · WAF
Support: SOC 2 audit trail · GDPR consent · ONC · roadmap

Platform map · bidirectional

The whole stack, on one page.

Source EHRs migrate in through FHIR R4. Inside Wavera — agents grounded against NCCN, an oncology data model, and an event-driven API gateway. Outbound — bidirectional sync with every partner you already trust.

Wavera Platform Architecture
The architecture of a bidirectional clinical operating system.

Wavera is an AI-native oncology operating system. Source EHRs (Epic, Cerner, Flatiron, eClinicalWorks, iKnowMed, Elation, AthenaHealth) migrate into Wavera through a thick FHIR R4 data pipe. Inside Wavera: a FHIR / SMART / OAuth 2.0 API gateway with webhooks and an event bus, an orchestration engine, four AI agents (Treatment Orchestrator, Luna Charting Co-Pilot, Revenue Agent, Workflow Engine) grounded with Retrieval-Augmented Generation, and an AI-native core OS. The platform exchanges data bidirectionally with Pharmacy, Surescripts, Waystar, patient payments, Labs, biomarker testing partners (Caris, Foundation One, NeoGenomics), CommonWell, and DrFirst, and consumes one-way clinical evidence from NCCN guidelines and AJCC staging. The stack runs on AI infrastructure: Google Vertex AI & Gemini, Deepgram, and Cloud Healthcare API — under HIPAA, HITRUST, BAA, VPC-SC, and CMEK controls.

Powered by: Google · Deepgram

MIGRATE FROM
Replace your legacy EHR. Seamless migration. Zero rip-and-replace pain.
· Epic: Hospital / academic systems
· Cerner / Oracle Health: Acute & ambulatory
· Flatiron / OncoEMR: Oncology-specific
· eClinicalWorks: Community practice
· iKnowMed (McKesson): Community oncology
· Elation: Independent / DPC practices
· AthenaHealth: Cloud-hosted ambulatory

WHAT WE MIGRATE
· Patient charts & demographics
· Regimens & treatment plans
· Active & historical orders
· Claims, ERAs, payer mix
· Documents & scanned records
· Lab results & imaging refs
Auto-mapped into FHIR R4 + Wavera's oncology data model. No rip & replace.

THE WAVERA AI-NATIVE OS
Wavera · The intelligent oncology workspace · AI-native · Not a wrapper

API LAYER · BIDIRECTIONAL
FHIR R4 · SMART on FHIR · OAuth 2.0 · API Gateway
US Core 7.0.0 · Bulk FHIR · rate limiting · audit logging
Webhooks · Event bus

ORCHESTRATION ENGINE
Routes events across agents · enforces clinical guardrails · reconciles bidirectional state · audit-traced

AI AGENTS
RAG-grounded · NCCN · AJCC · patient chart
· Treatment Orchestrator: Regimen selection, dose modification, cycle tracking, infusion coordination. (NCCN · AJCC · oncology data model)
· Luna · Charting Co-Pilot: Ambient dictation, agentic notes, decision support — eliminates pajama time. (Deepgram ASR · Gemini reasoning)
· Revenue Agent: 340B optimization, J-code capture, prior auth, claims via Waystar — recovers leakage. (Waystar · Surescripts · Patient pay)
· Workflow Engine: Chair scheduling, inventory, supportive care, admin coordination — fully automated. (Cross-app event bus)

AI-NATIVE CORE OS
Unified oncology data model · longitudinal patient graph · event bus
Tumor staging (TNM/AJCC) · biomarkers (PD-L1, MSI, TMB) · regimens · cumulative toxicity
340B lots · audit log · multi-tenant PHI isolation

AI INFRASTRUCTURE · MULTI-MODEL
· Google · Vertex AI: Gemini · MedLM grounding
· Deepgram: Ambient voice ASR · in-room
· Cloud Healthcare: FHIR · HL7v2 · DICOM
HIPAA · HITRUST · SOC 2 · BAA · VPC-SC · CMEK · IAM · Cloud Run

BIDIRECTIONAL INTEGRATIONS
Solving the integration tax. Bidirectional sync. Read & write — not just read-only fetch.
Bidirectional read + write · live, event-driven
· Pharmacy: Dispensing systems · 340B · NDC lots
· Surescripts: Pharmacy benefit · ePA · formulary
· Waystar: Clearinghouse · claims · ERA / EOB
· Patient payments: Stripe · ACH · saved cards · plans
· Labs: Quest · LabCorp · Tempus
· Biomarker testing: Caris · Foundation One · NeoGenomics
· CommonWell: HIE · longitudinal records
· DrFirst: e-Rx · EPCS · iPrescribe mobile

CLINICAL EVIDENCE SOURCES
Read-only · grounds RAG recommendations
· NCCN Guidelines: Real-time regimen library, dose rules
· AJCC Staging: TNM · structured tumor staging

Event-driven · Webhooks · Retries
No nightly batches · No vendor lock-in

What Sets Wavera Apart
Wavera owns the full stack — its own oncology data model, its own agents, its own write-path. Designed AI-first, ground-up.
PROOF POINTS
▸ Native FHIR R4 + oncology-specific data model
▸ Bidirectional write-path into every connected system
▸ Not bolted onto a 20-year-old chart engine

RAG-Grounded Recommendations
Every AI suggestion is grounded with Retrieval-Augmented Generation against vetted clinical evidence and patient context.
GROUNDED AGAINST
▸ NCCN guidelines & regimen library
▸ AJCC staging & biomarker rules
▸ The patient's longitudinal chart — with citations

Solving the Integration Tax
Bidirectional read + write to every partner. Event-driven and live. No nightly batches, no stale state, no vendor lock-in.
8 LIVE PARTNERS
▸ Pharmacy, Surescripts, Waystar, patient payments
▸ Labs, biomarker testing, CommonWell, DrFirst
▸ + read-only NCCN & AJCC clinical evidence

Integration roadmap

What's live. What's testing. What's next.

340B drug pricing · 2,936 active drugs [LIVE]
FHIR Exchange · in progress [LIVE]
Deepgram · ambient dictation · deployed STT/TTS [LIVE]
HL7 v2 DFT · sFTP · active DFT [LIVE]
EHR Connection · 140,140 synced patients [TESTING]
Waystar · RCM automation [IN DEV]
Order Management · 4,797 drugs tracked [IN DEV]
Clinical Trials · 578,000 trials [IN DEV]
Predictive Analytics · 13,374 audit events [PLANNING]
HG Lab / HG P360 · lab automation [PLANNING]
CommonWell · QHIN · onboarded · patient 360 live [TESTING]
TEFCA / Carequality · via CommonWell · nationwide queries [TESTING]
Medicai · radiology connections [PLANNING]
NeoGenomics · biomarker partner [PLANNING]
Natera · biomarker partner [PLANNING]
Caris · biomarker partner [PLANNING]
NCCN · 2,800 Rx templates [PLANNING]
iPrescribe / DrFirst [IN DEV]

Compliance posture

Every standard that matters, with receipts.

HIPAA [LIVE]
PHI encrypted at rest via AES-256-GCM (Cloud KMS). BAA-eligible GCP infrastructure. Audit logs across all three systems. MFA enforced for every clinical role.

SOC 2 [IN PROGRESS]
Structured audit trail via pino + Cloud Logging. Access controls enforced at role and permission level. WAF protecting production services. Type II audit underway.

GDPR [LIVE]
Cookie consent (vanilla-cookieconsent). Data minimization enforced at schema level. Right-to-erasure hooks wired into every patient-scope data model.

TEFCA · Carequality [LIVE]
Live via CommonWell as our QHIN. Nationwide patient-record queries across the Carequality network — onboarded and exchanging today.

ONC (g)(10) [ROADMAP]
Certification roadmap on file. FHIR R4 native, US Core 7.0.0, SMART on FHIR — implementation aligned with the ONC HTI-1 rule.

HITRUST [ROADMAP]
Targeting HITRUST CSF certification post-SOC 2. Controls already mapped through GCP Cloud Healthcare API and VPC-SC boundary.

Vendors & partners

The names you already trust, wired together.

AI & reasoning
Google Gemini LLM: Notes · Luna copilot
Vertex AI: Managed deployment
Deepgram: Ambient dictation
Tesseract.js: OCR

Cloud & storage
Google Cloud Run: Serverless · 3 apps
Cloud SQL: PostgreSQL prod
Cloud Storage: Docs · images
Upstash Redis: Cache · rate limits

Interop
FHIR Exchange: 140k patients · live
HL7 v2 DFT^P03: Custom encoder
340B pricing: Live
ssh2-sftp-client: Secure transport

Security
Cloud KMS: PHI encryption keys
NextAuth 5: SSO · JWT
WAF: Prod edge
pino + Cloud Logging: Audit trail

Developer & CI
GitLab CI: Source · pipelines
Google Cloud Build: ~7 min build
Docker: Container runtime
Jest 30 · Playwright: Tests · E2E

The numbers

What “production-grade” actually means.

~7 min · CI/CD build · GitLab → Cloud Build → Run
0 · downtime deploys · Cloud Run blue/green
AES-256 · encryption at rest · GCM · Cloud KMS · per-field PHI
TLS 1.3 · encryption in transit · perfect forward secrecy
140k · patients on FHIR · live exchange
4,797 · drugs tracked · 340B pricing live
MFA · clinical role policy · TOTP enforced
SOC 2 · Type II in progress · audit · Q3 2026