Onboardly
SYSTEM ARCHITECTURE

A real distributed system, not a toy CRUD app.

Onboardly is a four-layer system: a decoupled frontend (Angular + Ionic), a JWT-secured REST API (Django), an event-driven business layer (Django Signals + Celery), and a normalized MySQL schema. Every layer is independently deployable, observable, and horizontally scalable.

Layered architecture

Client Layer (3 services)
  • Angular 18: primary admin dashboard (HR & Manager)
  • Ionic 8: mobile app for iOS, Android & PWA (Employee)
  • Chart.js + RxJS: real-time visualizations & reactive state

API Layer (3 services)
  • Django REST Framework: 44 REST endpoints across 8 resources
  • SimpleJWT + OAuth2: stateless tokens + role-based permissions
  • DRF Throttling: rate limiting with anonymous/user tiers

Business Layer (3 services)
  • Django Signals: auto task generation on user/onboarding events
  • Celery + Redis: async emails, document processing, reminders
  • Custom Workflow Engine: multi-stage approval chains

Data Layer (3 services)
  • MySQL 8: primary relational database (12 normalized tables)
  • AWS S3: encrypted document & media storage
  • Redis Cache: session & query result cache

Requests flow top-down; events flow up via Django Signals + Celery.

End-to-end data flow

What happens between "HR creates a new hire" and "manager sees a 78% completion chart" — eight concrete steps.

1. [HR] HR Admin creates employee
   POST /api/employees/ → Django ORM persists row + emits post_save signal
2. [System] Signal triggers template
   Workflow engine binds 'Engineering Onboarding' template to employee
3. [System] Tasks auto-generated
   23 tasks created across 5 categories, assigned to HR/IT/Manager/Employee
4. [Celery] Notifications dispatched
   Email + push queued; in-app notifications stored via Notification model
5. [Employee] Employee completes tasks
   PATCH /api/tasks/:id/ → progress % updated in real-time via WebSocket
6. [Manager] Manager reviews & approves
   Approval chain advances via Django signal → next task unlocked
7. [System] Documents validated
   Async OCR + manual approval → status updates in Document model
8. [Dashboard] KPIs refreshed
   DRF reads aggregated query → Chart.js redraws bars/lines

Database schema

Twelve normalized MySQL tables with foreign keys, indexes on hot paths, and soft-delete where compliance requires it.

Table | Key columns | Purpose
users | id, email, role, password_hash, jwt_version | Custom user with HR/MANAGER/EMPLOYEE enum
departments | id, name, head_id, budget, location | Organizational hierarchy
employees | id, user_id, dept_id, manager_id, join_date, status | 1:1 with users, FK to manager (self)
templates | id, name, dept_id, version, is_active | Reusable onboarding blueprints
template_tasks | id, template_id, title, role, days_offset, sort_order | Tasks cloned per employee
tasks | id, employee_id, title, assignee_id, status, due_date | Live task instances
documents | id, employee_id, type, file_url, status, verified_by | KYC document vault
approvals | id, task_id, approver_id, level, status, decided_at | Multi-stage approval audit
notifications | id, user_id, type, payload, read_at | In-app inbox
activity_logs | id, actor_id, verb, target, timestamp | Immutable audit trail
comments | id, task_id, author_id, body, created_at | Threaded task discussion
sessions | id, user_id, jwt_jti, ip, user_agent, expires | JWT session tracking

REST API surface

44 endpoints grouped by resource. All under /api/v1/, all behind JWT auth.

Auth (6 routes)
  • /login
  • /refresh
  • /logout
  • /me
  • /change-password
  • /sessions

Employees (7 routes)
  • GET /
  • POST /
  • GET /:id
  • PATCH /:id
  • /:id/progress
  • /:id/timeline
  • /export

Tasks (8 routes)
  • GET /
  • POST /
  • PATCH /:id
  • /:id/complete
  • /:id/approve
  • /:id/reassign
  • /:id/comments
  • /bulk

Templates (6 routes)
  • GET /
  • POST /
  • PATCH /:id
  • /:id/tasks
  • /:id/clone
  • /:id/publish

Documents (5 routes)
  • GET /
  • POST /upload
  • GET /:id
  • PATCH /:id/verify
  • /:id/download

Approvals (4 routes)
  • GET /pending
  • POST /:id/approve
  • POST /:id/reject
  • GET /history

Notifications (4 routes)
  • GET /
  • PATCH /:id/read
  • POST /read-all
  • GET /unread-count

Analytics (4 routes)
  • GET /kpis
  • GET /trends
  • GET /departments
  • GET /export-csv

Security model

JWT Authentication

Access + refresh tokens via SimpleJWT, rotated every 15 min, revocable per session.
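How the two revocation hooks visible in the schema (sessions.jwt_jti for per-session revocation, users.jwt_version for revoking everything a user holds) sit on top of a 15-minute access token, as an added Python example that is not Onboardly's code: it hand-rolls an HS256 token with the standard library in place of SimpleJWT, and the in-memory users/sessions dicts, the "ver" claim name and the moments at which a session row is removed or jwt_version is bumped are assumptions.

```python
import base64, hashlib, hmac, json, secrets

ACCESS_TTL = 15 * 60  # 15-minute access tokens, as stated in the security model


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_access_token(secret: bytes, user: dict, sessions: dict, now: float) -> str:
    """Mint an HS256 token bound to a new session row (jti) and the user's current jwt_version."""
    jti = secrets.token_hex(16)
    sessions[jti] = {"user_id": user["id"], "expires": now + ACCESS_TTL}  # stands in for the sessions table
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user["id"], "role": user["role"], "ver": user["jwt_version"],
               "jti": jti, "iat": int(now), "exp": int(now + ACCESS_TTL)}
    signing_input = _b64(json.dumps(header).encode()) + "." + _b64(json.dumps(payload).encode())
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64(sig)


def verify_access_token(secret: bytes, token: str, users: dict, sessions: dict, now: float):
    """Return the claims if signature, expiry, session jti and jwt_version all check out, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    head, body, sig = parts
    expected = hmac.new(secret, (head + "." + body).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return None  # forged or tampered token
    if json.loads(_unb64(head)).get("alg") != "HS256":
        return None  # never honour a header that names another algorithm
    claims = json.loads(_unb64(body))
    if claims["exp"] <= now:
        return None  # outside the 15-minute window; the client must use /refresh
    session = sessions.get(claims["jti"])
    if session is None or session["user_id"] != claims["sub"]:
        return None  # per-session revocation: row removed on /logout (assumed behaviour)
    user = users.get(claims["sub"])
    if user is None or user["jwt_version"] != claims["ver"]:
        return None  # global revocation: jwt_version bumped, e.g. on /change-password (assumed)
    return claims


def revoke_session(sessions: dict, jti: str) -> None:
    """Revoke one session; any token carrying this jti fails verification from now on."""
    sessions.pop(jti, None)
```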

Role-Based Access

DRF permissions enforce HR / Manager / Employee scopes at view + queryset level.

Encrypted Documents

S3 SSE-KMS encryption, pre-signed URLs expire in 5 min, virus-scanned on upload.

Audit Logging

Every mutating action is recorded in activity_logs with actor IP, timestamp, and diff.

Rate Limiting

100 req/min for anonymous clients, 1000 req/min for authenticated users. Burst tolerance via DRF Throttling.

HTTPS + HSTS

TLS 1.3 enforced, HSTS preload, secure cookies, SameSite=Strict.

Deployment topology

Development
  • Docker Compose
  • Local MySQL
  • MailHog
Staging
  • AWS ECS Fargate
  • RDS MySQL
  • CloudFront CDN
Production
  • 3× ECS tasks
  • RDS Multi-AZ
  • ALB + WAF

Production figures
  • 3 ECS task replicas
  • Multi-AZ RDS, failover < 60s
  • 99.95% SLA target