PLATFORM ARCHITECTURE
Insight Ready Platform™ (IDPaaS)
A governed, AI-ready analytics platform built for regulated industries — deployed as a technical service inside your Azure tenant, not as a software product your team builds and maintains.
Insight Ready Platform™ is a managed analytics platform delivered as a subscription service. It is built on a three-plane model: a customer-tenant data plane where all processing occurs, a centralized governance layer in the On Point BI tenant that orchestrates and governs without accessing customer data, and an operational interface that surfaces visibility without exposure. The result is a regulator-defensible, AI-ready analytics foundation that organizations in healthcare, life sciences, CDMO, pharma, insurance, and financial services can operate predictably — without multi-year internal builds, without dedicated data engineering staffing, and without infrastructure overhead.
A technical service, not a software product. A foundation, not a toolset.
Insight Ready Platform™ delivers the full value chain — ingestion, modeling, curation, semantic alignment, and governed access — as a repeatable, subscription-based service. Organizations focus on insights, automation, and AI. On Point BI manages the architecture, governance, and continuous platform evolution that makes those outcomes possible.
CUSTOMER AZURE TENANT
Data Plane
All customer data lives here. All processing occurs here. Three governed environments — Foundation, Production, and Non-Production — are deployed directly into the customer subscription.
ON POINT BI TENANT
Governance Layer
Centralized governance and orchestration. The Control Plane enforces governance inside customer environments using Azure Data Factory, Azure Functions, Azure Key Vault, and Azure Monitor — without accessing customer data.
ON POINT BI TENANT
Operational Interface
The Control Panel is a secure, RBAC-controlled web application that surfaces pipeline status, data quality scores, governance exceptions, lineage visualizations, and audit logs — metadata and governance signals only, never customer data.
CUSTOMER AZURE TENANT
Three Governed Environments — All Inside Your Subscription
Every environment that processes, stores, or serves customer data is deployed directly inside the customer’s Azure subscription. On Point BI does not custody any customer data at any point. All compute, storage, pipelines, semantic models, and analytics assets belong to the customer.
You own all data, pipelines, compute, storage, secrets, monitoring, and analytics assets.
FOUNDATION ENVIRONMENT
The Authoritative Baseline
Establishes the standardized, governed foundation that ensures consistency across all downstream environments.
The Foundation Environment is the authoritative baseline of the platform. It enforces architectural consistency, semantic alignment, and data quality standards that all other environments inherit. Every customer deployment begins with the Foundation Environment — it is what makes the platform repeatable and regulator-defensible across organizations.
• Standardized ingestion pipelines — raw data lands in a governed, documented structure from the first touch
• Conformed dimensions — consistent dimensional models shared across all fact domains
• Reconciled fact tables — single authoritative fact tables eliminating cross-report discrepancies
• Semantic alignment rules — KPI definitions enforced at the data layer, not just in reporting tools
• Data quality enforcement — validation rules applied at every pipeline stage
• Lineage capture patterns — full traceability from source to gold layer for every transformation
• AI-ready data structures — clean, governed, semantically aligned data structures built for LLMs, copilots, and ML models
• Standardized Power BI semantic models — governed, reusable semantic models that enforce consistent definitions across all reporting assets
PRODUCTION ENVIRONMENT
Live Analytics and AI Workloads
The operational environment where governed analytics and AI workloads run under continuous Control Plane governance.
The Production Environment is where governed reporting, dashboards, and AI capabilities are delivered to the business. All workloads run under Control Plane governance — pipelines are controlled, lineage is captured, access is RBAC-secured, and every operation is auditable. This is the environment regulators evaluate during audits.
• Operational pipelines — governed, version-controlled, and documented end to end
• Production data lake and lakehouse — structured for both traditional analytics and AI workloads
• Production semantic models — versioned, governed, and aligned to the KPI registry
• AI agent access patterns — governed endpoints for LLMs, copilots, and ML model inference inside the customer tenant
• Audit and lineage logs — complete, regulator-defensible traceability for every transformation and data access event
• RBAC-controlled access — role-based permissions enforced across all analytics and AI assets
NON-PRODUCTION ENVIRONMENT
Safe Testing Under the Same Governance Rules as Production
A mirrored, governed environment for pipeline testing, semantic model validation, and UAT — enforcing identical governance rules to production.
The Non-Production Environment is not a loosely governed sandbox. It enforces the same governance rules as the Production Environment — the same pipeline architecture, the same semantic alignment checks, the same data quality validation, and the same lineage capture. New data sources, pipeline changes, and semantic model updates are tested and validated here before the Control Plane promotes them to production. Masked or synthetic data is used as required to satisfy data residency and compliance requirements during testing.
• Mirrored architecture of the Production Environment — identical governance rules enforced
• Masked or synthetic data as required — no production data exposure during testing
• Pipeline and semantic model testing — changes validated before promotion to production
• UAT workflows — stakeholder sign-off captured before the Control Plane executes the production promotion
PIPELINE ARCHITECTURE
Bronze to Silver to Gold — A Governed Three-Stage Data Flow
All data in the platform moves through a standardized three-stage pipeline architecture. Each stage enforces quality, conformity, and semantic alignment before data advances to the next layer. This structure is applied consistently across all data sources and all customer environments — it is what makes audit-ready lineage and regulator-defensible operations possible at scale.
Bronze
Raw ingestion with schema validation and metadata capture. Source data lands in its native form with full lineage tracking from the point of entry. No transformations are applied at this stage — data is preserved as-received for complete auditability.
Silver
Standardized, cleaned, and conformed datasets. Business rules are applied consistently across all sources. Transformations are version-controlled and documented. Conformed dimensions and reconciled fact tables are built at this stage.
Gold
Business-ready models aligned to KPIs and semantic definitions. This layer powers dashboards, AI models, reporting assets, and AI agent access patterns — governed, semantically consistent, and audit-ready.
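As an added illustration of the three-stage flow and of the metadata-only governance principle described above (not the platform's own code; the claims schema, rule id and KPI id are hypothetical), this Python sketch lands a constructed batch in bronze with schema validation and lineage capture, conforms it in silver under a versioned rule, computes a gold KPI, and exports only hashes, counts and a quality score to the governance layer:

```python
import hashlib
import json

# Hypothetical claims feed (field -> expected type) and constructed batch; not the platform's own.
BRONZE_SCHEMA = {"claim_id": str, "member_id": str, "amount": float, "status": str}
VALID_STATUS = {"PAID", "DENIED", "PENDING"}   # silver business rule
RULES_VERSION = "silver-rules-v1"              # id of the version-controlled transformation
KPI_VERSION = "paid-claims-total-v1"           # id of the governed KPI definition
SOURCE_BATCH = [                               # C-2 has a bad type, C-4 an unknown status
    {"claim_id": "C-1", "member_id": "M-9", "amount": 120.0, "status": "paid"},
    {"claim_id": "C-2", "member_id": "M-9", "amount": "n/a", "status": "DENIED"},
    {"claim_id": "C-3", "member_id": "M-4", "amount": 80.5, "status": "Pending"},
    {"claim_id": "C-4", "member_id": "M-4", "amount": 10.0, "status": "VOID"},
]

def row_hash(row: dict) -> str:
    """Content hash used as the lineage key: exportable, unlike the values it covers."""
    return hashlib.sha256(json.dumps(row, sort_keys=True, default=str).encode()).hexdigest()

def bronze_ingest(batch: list, source: str) -> tuple[list, list]:
    """Bronze: land rows as received, validate schema, capture lineage. No transforms."""
    accepted, exceptions = [], []
    for offset, row in enumerate(batch):
        bad = [f for f, t in BRONZE_SCHEMA.items() if not isinstance(row.get(f), t)]
        lineage = {"source": source, "offset": offset, "row_hash": row_hash(row)}
        if bad:  # the exception names the failed fields and the hash, never the values
            exceptions.append({"stage": "bronze", "row_hash": lineage["row_hash"], "failed_fields": bad})
        else:
            accepted.append({"data": dict(row), "lineage": lineage})
    return accepted, exceptions

def silver_conform(rows: list) -> tuple[list, list]:
    """Silver: apply the versioned business rule; chain lineage to the bronze hash."""
    conformed, exceptions = [], []
    for r in rows:
        data = dict(r["data"], status=r["data"]["status"].upper())
        lineage = dict(r["lineage"], rules=RULES_VERSION, parent_hash=r["lineage"]["row_hash"])
        if data["status"] not in VALID_STATUS:
            exceptions.append({"stage": "silver", "row_hash": lineage["parent_hash"], "failed_fields": ["status"]})
        else:
            conformed.append({"data": data, "lineage": lineage})
    return conformed, exceptions

def gold_kpi(rows: list) -> dict:
    """Gold: the KPI under its governed definition, with every input hash recorded."""
    total = sum(r["data"]["amount"] for r in rows if r["data"]["status"] == "PAID")
    return {"kpi": KPI_VERSION, "value": total, "inputs": [r["lineage"]["row_hash"] for r in rows]}

def governance_signal(batch_size: int, exceptions: list) -> dict:
    """All the governance layer receives: counts, a quality score and exception metadata."""
    return {"rows_in": batch_size, "exceptions": exceptions, "quality_score": round(1 - len(exceptions) / batch_size, 3)}

def leaks_values(signal: dict, batch: list) -> bool:
    """Guard before export: no source field value may appear in the serialized signal."""
    return any(str(v) in json.dumps(signal) for row in batch for v in row.values())
```

The `leaks_values` guard is the check a reviewer would want on any cross-tenant export: it fails closed if a raw field value ever ends up in what leaves the data plane.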
ON POINT BI AZURE TENANT
Three Operational Environments — No Customer Data
The On Point BI tenant contains the three environments that build, govern, orchestrate, and surface visibility for every customer deployment. No customer data ever resides in the On Point BI tenant at any point. These environments operate exclusively on metadata, governance signals, platform telemetry, and deployment artifacts.
On Point BI accesses only metadata, logs, and governance signals — never customer data.
PLATFORM ENGINEERING ENVIRONMENT
Where the Platform Is Built, Versioned, and Validated
Platform development, versioning, and internal validation before any release reaches a customer environment.
The Platform Engineering Environment is where every platform release originates. New capabilities, pipeline updates, semantic template changes, and governance rule revisions are built, tested, and validated here before being packaged into a versioned release. This environment is the reason every customer runs the same enterprise-grade, regulator-defensible architecture — and the reason platform updates are delivered without introducing technical debt or environment drift.
• Azure DevOps and GitHub for CI/CD — all platform changes follow controlled, auditable release pipelines
• Infrastructure-as-Code templates — deterministic, repeatable environment provisioning for every customer deployment
• Standardized ingestion and modeling patterns — reusable, governed pipeline components applied consistently across customers
• Semantic templates — versioned KPI definition structures and semantic alignment rules
• Governance rule sets — policy definitions enforced by the Control Plane across all customer environments
• Automated test suites — every release validated before deployment to any customer environment
CONTROL PLANE ENVIRONMENT
Centralized Governance and Orchestration
The governance intelligence engine that enforces consistency, orchestrates deployments, and continuously improves every customer environment — without accessing customer data.
The Control Plane is the operational heart of Insight Ready Platform™. It governs every customer environment, manages every deployment, enforces every governance policy, and delivers every platform update — using Azure-native services designed for enterprise-grade, regulator-defensible operations. The Control Plane never accesses customer data. It operates on metadata, governance signals, deployment artifacts, and platform telemetry.
• Azure Data Factory and Synapse Pipelines for orchestration — manages deployments, updates, and configuration across all customer environments
• Azure Functions for governance logic — executes governance checks, policy enforcement, and automated exception detection
• Azure Key Vault for secrets — secure management of credentials and access tokens, scoped to platform operations only
• Azure Monitor and Log Analytics for audit and observability — all platform operations are logged, monitored, and auditable end to end
• Metadata and lineage services — tracks governance signals, definition comparisons, and lineage relationships across environments
• Deployment automation engine — packages and delivers versioned platform releases through the Non-Production to Production promotion lifecycle
CONTROL PANEL ENVIRONMENT
Operational Visibility Without Data Exposure
A secure, RBAC-controlled interface that surfaces environment health, governance status, and audit history — metadata and governance signals only.
The Control Panel is where client teams, governance leads, and On Point BI operators interact with the platform’s operational state. It surfaces everything needed to monitor, govern, and audit the platform — without any customer data passing through it. All access is role-based and auditable.
Pipeline Monitoring
Pipeline status · Data freshness · Ingestion run history · Error and retry logs
Data Quality and Lineage
Quality scores · Failed validation details · Lineage visualizations from source to gold layer · Anomaly detection results
Governance Visibility
KPI definitions · KPI lineage · Version history · Governance exceptions · Definition inconsistencies detected by the governance intelligence engine
Change Approval Workflows
Pending changes · Approval status · Promotion history from non-production to production
Audit Log Viewer
Full audit trail of platform operations · Change history · Access logs
Platform Version Management
Current version · Release notes · Upcoming enhancements · Update history
DEPLOYMENT LIFECYCLE
Deterministic, Repeatable, Regulator-Defensible
Every platform update — whether a new capability, a pipeline enhancement, a semantic template change, or a governance rule revision — follows the same controlled deployment lifecycle. This lifecycle is what makes Insight Ready Platform™ operations regulator-defensible: every change is built, validated, tested, approved, and promoted through documented, auditable stages before it reaches production.
1. Build and Validate in Platform Engineering
On Point BI builds and validates a new platform version in the Platform Engineering Environment. CI/CD pipelines enforce code review, automated testing, and release packaging before any version leaves this environment.
2. Package and Deploy Through the Control Plane
The validated version is packaged and deployed through the Control Plane using the deployment automation engine. The Control Plane manages all configuration, secrets, and environment-specific parameters.
3. Install in the Customer Non-Production Environment
The update is installed in the customer’s Non-Production Environment first. The same governance rules as production are enforced. Pipeline and semantic model changes are validated under realistic conditions.
4. UAT Approval
After validation, the customer’s governance contacts complete UAT approval through the Control Panel’s change approval workflow. No update proceeds to production without documented sign-off.
5. Promote to Production
After UAT approval, the Control Plane promotes the update to the Production Environment. The Foundation Environment ensures architectural alignment is maintained throughout the promotion.
6. Audit and Observability
The Control Panel provides full operational visibility, lineage confirmation, and audit logs following every deployment. All operations are logged in Azure Monitor and Log Analytics and accessible through the audit log viewer.
This lifecycle ensures deterministic, repeatable, regulator-defensible operations across every customer deployment and every platform release.
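An added example (not On Point BI's code) of the promotion gate this lifecycle implies, with stage names, actor labels and the release artifact invented here: a release can only move to the next stage, UAT approval requires documented evidence, and, going one step beyond the page's text, production promotion is refused if the packaged artifact no longer matches what was installed in non-production.

```python
import hashlib
from dataclasses import dataclass, field

# Ordered lifecycle stages (names are hypothetical); a release may only move to the next one.
STAGES = ("built", "packaged", "nonprod_installed", "uat_approved", "production")

@dataclass
class Release:
    version: str
    artifact: bytes                                  # packaged release content (constructed)
    stage: str = "built"
    validated_hash: str = ""                         # digest of what was installed in non-production
    approvals: list = field(default_factory=list)    # documented UAT sign-offs
    audit: list = field(default_factory=list)        # one entry per lifecycle transition

def digest(artifact: bytes) -> str:
    return hashlib.sha256(artifact).hexdigest()

def advance(rel: Release, to_stage: str, actor: str, evidence: str = "") -> Release:
    """Move one stage forward; refuse skips, undocumented UAT, and artifact substitution."""
    if to_stage not in STAGES or STAGES.index(to_stage) != STAGES.index(rel.stage) + 1:
        raise PermissionError(f"{rel.version}: {rel.stage} -> {to_stage} is not the next stage")
    if to_stage == "nonprod_installed":
        rel.validated_hash = digest(rel.artifact)    # the bytes UAT will be exercised against
    if to_stage == "uat_approved":
        if not evidence:
            raise PermissionError(f"{rel.version}: UAT approval requires a documented sign-off")
        rel.approvals.append({"by": actor, "evidence": evidence})
    if to_stage == "production" and digest(rel.artifact) != rel.validated_hash:
        raise PermissionError(f"{rel.version}: artifact differs from the one validated in non-production")
    rel.audit.append({"version": rel.version, "from": rel.stage, "to": to_stage,
                      "actor": actor, "evidence": evidence})
    rel.stage = to_stage
    return rel

def promote(rel: Release, signoff: str) -> Release:
    """Run a built release through the whole lifecycle to production."""
    advance(rel, "packaged", "control-plane")
    advance(rel, "nonprod_installed", "control-plane")
    advance(rel, "uat_approved", "customer-governance-lead", signoff)
    return advance(rel, "production", "control-plane")
```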
IMPLEMENTATION
What You Need to Implement IDPaaS
Implementation is designed to be fast, low-risk, and minimally disruptive to existing operations. The requirements below are what On Point BI needs from the client side to begin. All platform engineering, environment provisioning, pipeline deployment, and governance configuration are managed by On Point BI.
Technical Requirements
• Azure subscription with appropriate resource provisioning permissions
• Read-only access to priority data sources
• BI workspace or metadata access for semantic model alignment
• SSO integration via Azure AD or equivalent
• Networking configuration for private connectivity between customer and On Point BI environments
Organizational Requirements
• Data owners identified for priority data sources
• KPI definitions documented at the business level for semantic layer initialization
• Governance contacts established for sign-off workflows and UAT approvals
• Access approvals completed prior to environment provisioning
Production-Ready in Four Weeks
WEEK 1
Environment Provisioning and Ingestion Setup
Azure environments provisioned using Infrastructure-as-Code templates. Platform Engineering deploys the foundation configuration. Priority data sources connected and ingestion pipelines initialized with lineage capture active from day one.
WEEK 2
Pipeline Deployment and Semantic Layer Initialization
Bronze to Silver to Gold pipelines deployed across priority data sources. Foundation Environment established with conformed dimensions, reconciled facts, and semantic alignment rules. Semantic layer initialized with business-aligned KPI definitions. Data quality validation rules activated.
WEEK 3
Validation and Governance Workflow Configuration
End-to-end pipeline validation completed in the Non-Production Environment. Governance workflows configured in the Control Panel — change approval, exception tracking, and audit log access active. Control Plane connection verified.
WEEK 4
Executive Enablement and Go-Live
Executive dashboards delivered on governed semantic models. Team enablement completed for Control Panel and reporting assets. Platform promoted to production. Go-live confirmed.
SECURITY AND COMPLIANCE
A Regulator-Defensible Security Architecture
The platform’s security model is designed from the ground up to satisfy data residency, compliance, and audit requirements for regulated industries. Every architectural decision — the three-plane separation, the use of Azure-native security services, the controlled deployment lifecycle, the RBAC-secured Control Panel — reinforces the same principle: customer data stays in the customer environment, and every operation is documented, controlled, and auditable.
Data Residency and Access Controls
✓ All customer data remains entirely within the customer’s Azure tenant at all times — no exceptions
✓ On Point BI accesses only metadata, logs, and governance signals — never raw customer data
✓ All cross-tenant operations use Azure AD, managed identities, and scoped permissions — no standing access
✓ Azure Key Vault manages all secrets and credentials — scoped to platform operations only
✓ No customer data is stored, cached, or transmitted to the On Point BI environment under any circumstances
Audit and Compliance Controls
✓ All platform operations are logged in Azure Monitor and Log Analytics — fully auditable end to end
✓ All platform updates follow controlled CI/CD pipelines with documented build, validation, and promotion history
✓ Infrastructure-as-Code provisioning ensures deterministic, repeatable, regulator-defensible deployments — no manual configuration drift
✓ Full lineage captured from source ingestion through gold layer for every transformation
✓ UAT approval workflows documented in the Control Panel before any change reaches production
✓ Governance exceptions tracked with remediation workflows and resolution history
✓ This model satisfies data residency, compliance, and audit requirements for FDA, GxP, HIPAA, SOC, and equivalent regulated-industry frameworks
EXPLORE FURTHER
Continue Your Evaluation
The platform architecture answers how it works. The maturity model answers where your organization fits today. The pricing page answers what it costs — and how the numbers compare to building this internally.
Schedule a Strategy Session
Talk to our team about your organization’s data architecture, compliance requirements, and the fastest path to governed, AI-ready analytics.
