Technical documentation

Stack, infrastructure, method.

Reference page for CTOs and technical leads evaluating HOLCO. What we use, where we host it, how we connect, and what you get back at the end of the engagement. Without marketing wording.

Stack

Components used in production.

Layer	Component	Usage
AI models	Anthropic Claude (Opus 4.7, Sonnet 4.6, Haiku 4.5)	Long-context reasoning, conversational agents, sensitive contexts
—	Mistral (Large, Codestral)	European sovereignty, on-premise deployments
—	OpenAI (GPT-5, gpt-image-1)	Ad-hoc tools, editorial image generation
—	Hugging Face Hub	Open-source models for self-hosted deployments
Orchestration	Model Context Protocol (MCP)	Standardised bridges to client systems
—	Anthropic SDK	Streaming SSE, prompt caching, tool use
—	LangChain (selective)	RAG pipelines, vectorisation
Frontend	Next.js 16, React 19, Tailwind v4	Static sites, executive interfaces
—	Framer Motion, Lucide	Editorial motion, iconography
Backend	Node.js 22, Express, FastAPI (Python)	SSE proxies, business services
Data	Postgres 15, Supabase	Persistence, vector search (pgvector)
—	Redis (case-by-case)	Cache, task queues
Infrastructure	Ubuntu 24.04 LTS, nginx 1.24	TLS reverse proxy, static hosting
—	Let's Encrypt (Certbot)	TLS certificates, auto-renewal
—	systemd	Service management in production
Hosting	Dedicated server, EU datacenter (FR / DE)	Default. Client self-hosting available
—	Vercel, Cloudflare	Static sites, CDN

Specific choices are made at scoping, depending on the case and sovereignty constraints. Nothing is imposed.

Orchestration and bridges

How we connect AI to your systems.

Our technical objective: build the bridge between your systems and the AI model, without imposing a format. We are agnostic on the connection mechanism. If your SaaS exposes an MCP server, we use it. If it ships a DXT extension, we take it. Otherwise we plug directly into its REST API, GraphQL, or webhooks. The format does not matter; what matters is that the agent can query your data the moment the executive asks the question.

Supported bridge formats

Format	Category	Technical description
MCP server	Open standard	Model Context Protocol (Anthropic, Nov 2024). Third-party or in-house server exposing resources, prompts and tools to an AI agent. JSON-RPC over stdio, HTTP+SSE or WebSocket.
DXT extension (.dxt)	Anthropic package	Desktop Extensions for Claude. ZIP archive packaging an MCP server with its dependencies (Node, Python or binary). One-click distribution, no client toolchain.
REST / OpenAPI	Universal	OpenAPI 3.x description converted into agent-consumable tools. Auth via OAuth2, API key or JWT depending on the SaaS. Used for Salesforce, HubSpot, Pennylane, Stripe, etc.
GraphQL	Universal	Typed schemas introspected at runtime, automatic tool generation on the agent side. Shopify, Linear, GitHub, Notion v2.
Webhooks	Event-driven	HTTPS endpoint exposed to receive events from the SaaS (HMAC signature verified). Triggers an agent workflow or a recurring email.
Native connector	OAuth + SDK	For Google Workspace, Microsoft 365, Slack, etc. Official SDK + short-lived OAuth2 refresh token. Minimal scope, never full-access.
Custom (SSH, JDBC, files)	Bespoke	When the SaaS lacks a public API, we connect to the storage layer: SSH tunnel to a database, S3/SFTP read, authorised local agent.

For SaaS editors

How HOLCO consumes your APIs.

You are Pennylane, HubSpot, Notion, Salesforce or any other SaaS editor, and one of your customers just signed with HOLCO. You want to understand how our agent will consume your API? Here are our default practices. For deeper review, write to alan@holco.co (audit, sandbox, DPA, partner agreement).

Authentication: OAuth 2.0 standard with short-lived refresh tokens (15 min) when supported. Otherwise encrypted API key storage.
Refresh tokens: Never logged or exported. Stored encrypted at rest (AES-256), rotated monthly at minimum.
Rate limits: Strictly respected. Exponential backoff on 429. No aggressive polling — webhooks preferred when available.
User-Agent: Identifiable: User-Agent: HOLCO-Agent/<version> (+contact@holco.co). Lets you audit and meter usage.
OAuth scopes: Minimal. read-only by default, write only when the function requires it and with explicit client consent.
Data storage: No durable re-storage. Read, aggregate, restitute in memory. Short cache (max 1h) to honour rate limits.
Audit trail: Every API call logged on HOLCO side (method, endpoint, status, ms). 90-day retention, accessible to the client on request.
Deletion / revocation: On client request or OAuth revocation: tokens purged within 24h, caches cleared, logs anonymised per the DPA.

Operational security

Production controls.

Area	Control	Detail
Server access	ED25519 SSH keys	No password authentication. Custom port. Fail2ban active. Daily authentication audit.
—	Provider console MFA	Provider admin account protected by TOTP + physical backup key.
TLS	Let's Encrypt + Certbot	Automatic renewal. HSTS enabled (max-age 6 months). TLS 1.3 preferred, 1.2 minimum.
Firewall	ufw (Ubuntu firewall)	Minimal rules: 22 (custom SSH port), 80, 443. Everything else blocked by default.
System	Security updates	unattended-upgrades active on Ubuntu LTS security packages. Reboots scheduled outside business hours.
Secrets	.env outside repo	Sensitive values (API keys, OAuth tokens) in .env files with permission 600. Never committed. Rotation manual or automated depending on the secret.
Logs	journalctl + rotation	90-day retention, IPs partially anonymised after 30 days. No user payload logged.
Backup	Provider snapshots	Daily disk snapshots, 7-day retention. Application databases backed up separately with point-in-time recovery up to D-7.
Monitoring	systemd alerts	Service down → email alert. nginx 5xx errors monitored. Disk/memory thresholds at 85% → alert.
Client data	No re-training	DPAs signed with each AI provider (Anthropic, Mistral, OpenAI). Your prompts and feedback are never used to train a model.
—	End of engagement	Source code, schemas, secrets and data delivered to the client. Provider accounts transferred or deleted per client preference.

For a formal security pack (ANSSI audit, ISO 27001 client environment), contact alan@holco.co.

Hosting and compliance

European data, guaranteed exit.

Default data location: France or European Union
Server OS: Ubuntu 24.04 LTS
Reverse proxy: nginx 1.24
TLS: Let's Encrypt, automatic renewal
Client self-hosting: Available (healthcare, regulated finance, defence)
Model training on your data: Never. DPAs signed with each provider.
End-of-engagement deliverables: Source code, schemas, secrets and data handed over.
Compliance: GDPR by design. ANSSI on request for sensitive environments.

Method

6 to 7-week cycle, from scoping to usage.

№	Step	Duration	Output
01	Scoping	W+1	Mapping of systems and recurring questions. Response plan signed off by a senior operator.
02	MCP connection	W+2	Connection to your systems via Model Context Protocol (open standard, Anthropic, 2024).
03	Build	W+3 to W+6	Design and development (agent, mail, alert or app). Weekly demos, short iterations.
04	Production rollout	W+7	Deployment, training, documentation handover. Client retains control of code, keys, and data.
05	Run	Ongoing	Monitor real usage, adjust, add cases. Monthly cancellable engagement.

Technical FAQ

CTO questions.

Anthropic Claude Opus 4.7 by default for reasoning quality. Mistral for EU sovereignty. OpenAI when the engine warrants it. Hugging Face for self-hosted deployments. The choice is made at scoping.
No. DPA (Data Processing Agreement) signed with each AI provider. For sensitive contexts (healthcare, regulated finance), we deploy a self-hosted setup at the client with open-source models.
Model Context Protocol. Open standard published by Anthropic in November 2024. Lets an AI agent query external systems (CRM, ERP, databases, APIs) in a normalised way. Avoids rewriting existing tools.
Any SaaS exposing an API. Standard or ad-hoc MCP connectors: Salesforce, HubSpot, Pipedrive, SAP, Sage, Oracle, Notion, Airtable, Monday, Slack, Microsoft 365, Google Workspace, Stripe, Pennylane. In-house apps via REST/GraphQL.
Ubuntu 24.04 LTS on a dedicated European server. nginx 1.24 reverse proxy. TLS via Let's Encrypt (auto-renewal). systemd services. Client hosting available (self-hosting, sovereign cloud, K8s cluster).
6 to 7 weeks from scoping to production. 2 to 3 weeks for simple cases (recurring email, threshold alert). Weekly demos.
Full source code, architecture diagrams, secrets and API keys, versioned prompts, documentation. No imposed dependency. Client can take over with their team or another vendor.
Fixed-fee or success-fee tied to delivered value. Quotes at scoping. Monthly-cancellable engagement during the run phase.
No in-house certification (we're a small team). We operate within certified client environments and follow ANSSI guidelines for sensitive deployments. A documented security pack is provided per engagement.

Glossary

Useful terms.

AI agent: Program that interprets a request, picks the tools to query, aggregates, and formulates an answer. More advanced than a chatbot.
MCP: Model Context Protocol (Anthropic, 2024). Open standard for connecting an AI agent to external systems.
RAG: Retrieval Augmented Generation. Feed the AI the right documents at answer time. Enables precise responses without re-training.
Fine-tuning: Adapting a model to a domain. Rarely needed; RAG covers most cases.
Embedding: Vector representation of a text. Used to compare and search semantically related content.
SSE: Server-Sent Events. Protocol that lets the AI stream its answer as it is generated.
DPA: Data Processing Agreement. Contract framing data handling between client and processor (incl. AI providers).
Frontier model: The most advanced AI models at a given time: Claude Opus, GPT-5, Mistral Large, Gemini Ultra.
Prompt caching: Caching part of the system prompt provider-side. Cuts cost and latency on long shared contexts.
Tool use: Capability of an agent to call structured external functions (APIs, web search, code, databases).