iViu Insights
Request Briefing
iViu Insights Architecture & Deployment
System Architecture · Deployment Guide

Architecture &
Deployment

The iViu platform is a defense-grade, edge-to-cloud signal intelligence and analytics system. iDTag sensors perform passive WiFi spectrum capture at the edge, forwarding encrypted telemetry over MQTT to Azure cloud services where Go microservices process, correlate, and expose analytics through secured REST APIs.

iDTag Spec Sheet Schedule Deployment Review

System Overview

The platform spans four layers: sensor hardware at the edge, a secure transport layer via MQTT over TLS, Azure-hosted Go microservices for processing and API, and a MySQL analytics database. Each layer is independently scalable and communicates exclusively over encrypted channels with mutual TLS authentication.

Layer 1
Edge Sensors
iDTag iPS — passive WiFi spectrum sensor
150× / sec scan rate, 600+ ft range
PoE / USB-C direct power options
AES-256 on-device encryption
MQTT client with mTLS cert auth
Layer 2
Secure Transport
EMQX Broker — enterprise MQTT cluster
mTLS — per-device client certificates
TLS 1.2/1.3 in transit
MQTT 3.1.1 / 5.0 protocol
QoS 1 guaranteed delivery
Layer 3
Cloud Processing
Azure — IoT Hub + VM hosting
Go microservices — listener, MCDR, analytics
iViu UDID — proprietary identity resolution
Real time patented positioning services
REST APIs with Bearer token auth
Layer 4
Data & Analytics
MySQL — analytics_db, high-write optimized
Partner Portal — React SPA, JWT sessions
Admin Dashboard — operations & tuning
ORC — Organized Retail Crime - investigation tools and reporting
SumDF — summary data feed API

Go Microservices

All backend services are compiled Go binaries deployed on Azure VMs. Each service is single-purpose, runs as a systemd unit, and communicates internally over private VNet addresses. Services are independently deployable via the iViu deploy toolchain.

Listener

  • Ingests raw MQTT telemetry from all iDTag sensors
  • Validates mTLS client certificates per device
  • Writes raw signal records to analytics_db
  • Scales horizontally via MQTT broker clustering

MCDR Engine

  • Mobile de-randomizer — resolves randomized MAC identities
  • Classifies devices into persistent iViu UDIDs
  • Processes signal records in real-time pipeline
  • Configurable sensitivity and dwell thresholds

Positioning

  • Multi-sensor triangulation and zone assignment
  • Sub-1m accuracy using signal fingerprinting
  • Real-time device location feeds via MQTT
  • Configurable zone maps per site deployment

Partner API

  • Authenticated REST API for partner portal
  • Foot traffic, dwell, conversion, and journey analytics
  • Per-partner data isolation and access control
  • JWT Bearer token sessions with TOTP 2FA

ORC / SumDF

  • Organized Retail Crime - investigation tools and reporting
  • Summary data feed for downstream BI integrations
  • Configurable aggregation windows (5m, 1h, 1d)
  • REST + webhook push delivery options

Alerts & Heartbeat

  • Person-of-interest watchlist alerts via SMS and email
  • Sensor heartbeat monitor with auto-remediation
  • Configurable alert escalation tiers
  • Integration hooks for access control and PA systems

Deployment Topologies

iViu supports single-site, multi-site, and enterprise managed deployments. All configurations share the same cloud processing layer with per-site sensor isolation, independent MQTT namespacing, and segregated analytics partitions.

01
Single Site
2–32 sensors · one location
  • PoE switch or USB-C powered sensors on-premise
  • Direct MQTT connection to Azure broker over internet
  • Single location_id partition in analytics_db
  • Setup time: 4–8 hours including calibration
  • Ideal for retail flagship, casino floor, government facility
02
Multi-Site Enterprise
2–500+ locations
  • Independent sensor networks per location
  • Shared EMQX cluster with per-site topic isolation
  • Unified partner portal with per-site drill-down
  • Centralized alerting and watchlist management
  • Ideal for retail chains, mall portfolios, banking networks
03
Critical Infrastructure
Air-gapped & hybrid options
  • On-premise Azure Stack or private cloud deployment
  • Air-gapped operation with local MQTT broker option
  • FIPS 140-2 compliant encryption throughout
  • Integration with VMS and other SOC management platforms
  • Ideal for DoD, utilities, federal facilities, pipelines

Network Requirements

Sensor Uplink Protocol
MQTT 3.1.1 / 5.0 over TLS 1.2+
TCP port 8883 (mTLS) or 443 (WSS)
Required Bandwidth (per sensor)
~50 Kbps uplink typical
~200 Kbps peak (high-traffic environment)
Sensor LAN
10/100 Ethernet or 802.11ac WiFi
Isolated VLAN recommended
Firewall Rules Required
TCP 8883 outbound to broker IP
No inbound ports required on sensor LAN
DNS Requirements
Outbound DNS to broker FQDN
NTP sync required (time-sensitive signal data)
IP Assignment
DHCP or static IPv4
IPv6 optional
Proxy / NAT
NAT traversal supported
Authenticated HTTP proxy not supported
Latency Tolerance
< 500 ms RTT to broker
Buffering up to 30s on disconnect

Security Architecture

Security is enforced at every layer. No sensor can communicate without a valid client certificate. No API call is processed without a verified Bearer token. No PII is collected — device identifiers are anonymous UDIDs derived from signal fingerprints, never linked to personal identity.

mTLS Client Authentication

Every iDTag sensor is provisioned with a unique client certificate signed by the iViu CA. The EMQX broker rejects any connection without a valid certificate — no username/password fallback.

End-to-End Encryption

All sensor-to-cloud traffic is TLS 1.2+ encrypted. Data at rest in the analytics database uses AES-256. Internal service communication occurs over Azure private VNet with no public exposure.

API Authentication — TOTP + Bearer

All administrative and partner API access requires username + argon2-hashed password followed by RFC 6238 TOTP verification. Sessions use UUID v4 Bearer tokens stored server-side with configurable expiry.

Zero PII Architecture

iViu never collects, stores, or transmits personal identifiable information. The iViu UDID is a proprietary anonymous device fingerprint derived from signal characteristics — it cannot be reverse-mapped to a personal identity or linked to any device owner.

Network Segmentation

Sensor LANs are isolated on a dedicated VLAN with no route to corporate networks. Outbound-only firewall rules mean sensors can push telemetry without any inbound attack surface on the customer network.

On-Premise & Air-Gap Options

For critical infrastructure and federal deployments, iViu supports fully on-premise or air-gapped configurations using Azure Stack or private Kubernetes clusters, with no dependency on public internet connectivity.

Power & Installation

PoE Installation

  • IEEE 802.3af PoE (15.4W) or 802.3at PoE+ (30W)
  • Single CAT5e/CAT6 cable carries power and data
  • Compatible with all standard PoE switches and injectors
  • Mounting: wall, ceiling, pole, or underside of eave
  • Weatherproof enclosure — IP66 rated for outdoor use
  • Operating temp: −30°C to +70°C

Site Survey & Planning

  • iViu engineering performs pre-deployment RF site survey
  • Sensor placement plan optimized for coverage and accuracy
  • Overlap zone analysis to eliminate dead spots
  • Coverage map delivered before hardware ships
  • On-site calibration included with all deployments

Commissioning & Go-Live

  • Remote provisioning via iViu deploy toolchain
  • Certificate issuance and MQTT registration automated
  • Sensor health dashboard live within minutes of power-on
  • Typical go-live: same day as installation
  • Remote monitoring and firmware OTA throughout lifecycle

Integrations & APIs

iViu exposes a full REST API for all analytics data, alerting, and configuration. Custom integrations are supported via webhook push and the Partner API.

Partner REST API

  • Foot traffic counts, dwell times, zone analytics
  • Journey paths and conversion funnel data
  • Historical export — CSV, JSON, or webhook stream
  • OpenAPI 3.0 spec available on request

Alerting Webhooks

  • POI watchlist match — HTTP POST to your endpoint
  • Perimeter breach notifications with GPS coordinates
  • Sensor health alerts — offline, low battery, error
  • Configurable per-event retry and signing
Ready to Deploy

Schedule a Deployment Review

Our engineering team will review your facility requirements, design a sensor placement plan, and walk you through the full stack architecture for your deployment.

Request Deployment Review View iDTag Spec Sheet