Technical architecture · April 2026

321k lines of code.
One oncology data model.

Three apps, eight infrastructure layers, and every vendor a signed BAA. Scroll the stack — each layer locks into place as you pass it.

3Apps8Stack layersRoadmapCompliance
321k
Lines of code
2,073
Version changes
904
Changes · 30 days
140k
Patients synced
Platform overview · 3 apps

One SSO. Three codebases. Same oncology data model.

Wavera ships as a triplet — EHR for the clinic, Inventory for the pharmacy, Connect for the integrations layer. One JWT signs in to all three.

Wavera EHR
DEPLOYED
237k LOC1,273 total · 616 / 30d
Framework
Next.js 16 · React 19 · Prisma 6
Database
Supabase PG (dev) · Cloud SQL PG (prod)
Key tech
NextAuth 5Three.jsTiptap 3RechartsGemini AITesseract
Wavera Inventory
LIVE
72k LOC739 total · 254 / 30d
Framework
Next.js 16 · React 19 · Drizzle 0.45
Database
SQLite (local) · Cloud SQL PG (prod)
Key tech
GS1 barcode scanMFA / TOTPjsPDFGemini AI
Wavera Connect
LIVE
13k LOC61 total · 34 / 30d
Framework
Next.js 16 · React 19 · Drizzle 0.45
Database
PostgreSQL
Key tech
React Flow editorHL7 v2 DFT buildersFTP delivery
Core technology stack · 8 layers

Eight layers. One commit graph.

Scroll the stack — each layer locks at the top and the next slides in beneath, building a transparent pile of the whole system.

L01
Frontend
What oncologists touch.
01 / 08

Next.js 16 App Router running React 19, typed end-to-end with TypeScript 5. Tailwind CSS 4 for styling · shadcn + Radix UI primitives · Framer Motion for physics · Tiptap 3 for the rich-text clinical editor.

Primary
Next.js 16React 19TypeScript 5Tailwind 4
Support
shadcnRadix UIFramer MotionTiptap 3
L02
Backend / API
Server actions + routes · one repo.
02 / 08

Next.js App Router API routes and server actions keep the server and client on the same graph. pino provides structured JSON logging with correlation IDs that land in Cloud Logging.

Primary
Next.js APIServer Actionspino logging
Support
Edge functionsZero cold-start on Cloud RunTyped end-to-end
L03
Database
Dual ORM · typed schemas · PHI-encrypted.
03 / 08

EHR rides on Supabase PostgreSQL in dev and Cloud SQL PostgreSQL in production via Prisma 6. Inventory and Connect share a Drizzle ORM 0.45 schema — SQLite locally, Cloud SQL PostgreSQL in prod. Upstash Redis caches hot reads and rate-limits PHI endpoints.

Primary
Cloud SQL PGPrisma 6Drizzle 0.45
Support
Supabase PG (dev)SQLite (local)Upstash Redis
L04
Auth / SSO
One sign-in across all three apps.
04 / 08

NextAuth 5 issues JWTs that propagate across EHR · Inventory · Connect via a shared secret. Clinical roles are MFA-enforced with TOTP. PHI is encrypted at the field level with AES-256-GCM before it touches the database.

Primary
NextAuth 5JWT SSOTOTP / MFAAES-256-GCM
Support
bcryptField-level PHI encryptionSession hardening
L05
AI / ML
Gemini · Vertex · Deepgram · Tesseract.
05 / 08

Google Gemini LLM drives note generation and the Luna copilot, deployed through Vertex AI for managed scale. Deepgram streams ambient dictation over WebSocket. Tesseract.js OCRs scanned path and imaging reports at ingestion.

Primary
Google Gemini LLMVertex AIDeepgramTesseract.js
Support
Luna copilotOCR pipelineAmbient ASRStreaming STT
L06
Cloud infrastructure
Serverless · auto-scale · zero-downtime.
06 / 08

All three apps run on Google Cloud Run — serverless containers that auto-scale from zero to thousands. Cloud SQL for Postgres, Cloud Storage for documents, Cloud KMS for key management, Cloud Logging for audit, Pub/Sub for events, Upstash Redis for cache.

Primary
Cloud RunCloud SQLCloud KMS
Support
Cloud StorageCloud LoggingPub/SubUpstash Redis
L07
Interoperability
HL7 · FHIR · 340B · sFTP.
07 / 08

Custom HL7 v2 DFT^P03 encoder for claim transmissions · FHIR Exchange live across 140k patients · 340B drug pricing live · secure file transport via ssh2-sftp-client. QHIN / TEFCA integration planned for nationwide queries.

Primary
HL7 v2 DFTFHIR Exchange340B pricingsFTP
Support
QHIN / TEFCA · plannedssh2-sftp-clientPayer endpoints
L08
Security · Compliance
HIPAA · SOC 2 · GDPR · ONC.
08 / 08

HIPAA-eligible GCP with a signed BAA. PHI encrypted at rest via Cloud KMS. Audit trail across all three systems through pino + Cloud Logging. WAF protecting production. MFA enforced for every clinical role. SOC 2 audit in progress; ONC certification in progress.

Primary
HIPAA BAAAES-256-GCMCloud KMSWAF
Support
SOC 2 audit trailGDPR consentONC · in progress
Integration roadmap

What's live. What's testing. What's next.

340B drug pricing· 2,936 active drugs
LIVE
FHIR Exchange· in progress
LIVE
Deepgram · ambient dictation· deployed STT/TTS
LIVE
HL7 v2 DFT · sFTP· active DFT
LIVE
EHR Connection· 140,140 synced patients
TESTING
Waystar · RCM automation
IN DEV
Order Management· 4,797 drugs tracked
IN DEV
Clinical Trials · 578,000 trials
IN DEV
Predictive Analytics· 13,374 audit events
PLANNING
HG Lab / HG P360· lab automation
PLANNING
Commonwell· patient 360
PLANNING
Medicai· radiology connections
PLANNING
Neogenomics· biomarker partner
PLANNING
Natera· biomarker partner
PLANNING
Caris· biomarker partner
PLANNING
NCCN · 2,800 Rx templates
PLANNING
iPrescribe
PLANNING
Multi-tenant· 2 tenants
PLANNING
QHIN / TEFCA
PLANNED
Compliance posture

Every standard that matters, with receipts.

HIPAA
PHI encrypted at rest via AES-256-GCM (Cloud KMS). BAA-eligible GCP infrastructure. Audit logs across all three systems. MFA enforced for every clinical role.
SOC 2
Structured audit trail via pino + Cloud Logging. Access controls enforced at role and permission level. WAF protecting production services.
GDPR
Cookie consent (vanilla-cookieconsent). Data minimization enforced at schema level. Right-to-erasure hooks wired into every patient-scope data model.
ONC Certification
In progress. FHIR Exchange live. QHIN / TEFCA planned for nationwide interoperability.
Vendors & partners

The names you already trust, wired together.

AI & reasoning
Google Gemini LLM
Notes · Luna copilot
Vertex AI
Managed deployment
Deepgram
Ambient dictation
Tesseract.js
OCR
Cloud & storage
Google Cloud Run
Serverless · 3 apps
Cloud SQL
PostgreSQL prod
Cloud Storage
Docs · images
Upstash Redis
Cache · rate limits
Interop
FHIR Exchange
140k patients · live
HL7 v2 DFT^P03
Custom encoder
340B pricing
Live
ssh2-sftp-client
Secure transport
Security
Cloud KMS
PHI encryption keys
NextAuth 5
SSO · JWT
WAF
Prod edge
pino + Cloud Logging
Audit trail
Developer & CI
GitLab CI
Source · pipelines
Google Cloud Build
~7 min build
Docker
Container runtime
Jest 30 · Playwright
Tests · E2E
Backed by

Building with Google.

Wavera runs on Google Cloud and builds on Gemini — signed BAA, healthcare-grade residency, enterprise observability. The next generation of oncology infrastructure should be standards-first and backed by investors who understand healthcare at scale.

Sponsorship partner
Backed by the investor that shaped the modern healthcare-AI portfolio — Flatiron, Verily, Oscar. Aligned on evidence-first, interoperability-first oncology.
Healthcare AI funds
Talking with leading venture firms who've built in oncology, revenue cycle, and clinical AI. Prioritizing partners who bring distribution and clinical credibility.
The numbers

What “production-grade” actually means.

~7 min
CI/CD build
GitLab → Cloud Build → Run
0
downtime deploys
Cloud Run blue/green
AES-256
encryption at rest
GCM · Cloud KMS · per-field PHI
TLS 1.3
encryption in transit
perfect forward secrecy
140k
patients on FHIR
live exchange
4,797
drugs tracked
340B pricing live
MFA
clinical role policy
TOTP enforced
SOC 2
Type II in progress
audit · Q3 2026