System Architecture

Rockhopper is a cloud-hosted SaaS platform that integrates with Microsoft 365 and Google Workspace to provide version control and collaboration for spreadsheets. The system is designed with security isolation, least-privilege access, and defense in depth.

Platform components

| Component | Purpose |
| --- | --- |
| Web application | Browser-based interface for managing files, viewing change diffs, commenting, and reviewing |
| Excel add-in | Runs within Microsoft Excel (desktop and web) to track changes in real time |
| Google Sheets sidebar | Runs within Google Sheets to track changes in real time |
| API server | Processes all business logic, authentication, authorization, and data operations |
| Background job processor | Handles change attribution and file synchronization asynchronously |
| Database | Stores user accounts, file metadata, version history, comments, and review records |
| Object storage | Stores spreadsheet version snapshots |
| Real-time server | WebSocket server for live updates between concurrent users |

Cloud infrastructure

All infrastructure is hosted on Amazon Web Services (AWS):

  • Compute, networking, and storage are managed entirely within AWS

  • Production and staging environments are isolated in separate VPCs with no cross-environment access

  • Database clusters run in high-availability configurations with automatic failover

  • Object storage uses S3 with 99.999999999% (11 nines) durability for version snapshots

  • Secrets and credentials are managed via AWS Secrets Manager with KMS encryption

Rockhopper cloud architecture diagram showing test and production environments on AWS

Integration approach

Microsoft 365

Rockhopper connects to Microsoft 365 tenants via Microsoft Entra ID (Azure AD):

  • Users authenticate via industry-standard OAuth 2.0 / OpenID Connect

  • File access uses the Microsoft Graph API with delegated permissions scoped to the signed-in user

  • Only the minimum required permissions are requested (see Microsoft Permissions)

  • No Microsoft credentials are stored — authentication tokens are held in memory only

Google Workspace

Rockhopper connects to Google Workspace via Google Identity:

  • Users authenticate via Google OAuth 2.0

  • File access uses the Google Drive and Sheets APIs with delegated permissions

  • Refresh tokens are encrypted and stored securely in the database

Data flow

When a user edits an enrolled spreadsheet:

  1. The add-in or sidebar detects the change via platform APIs (Office.js or Google Apps Script)

  2. The change event is reported to the Rockhopper API server

  3. The backend records the change and runs a background job to attribute it to the specific user

  4. Attributed changes appear in the web application's change log and diff view

  5. When the user creates a new version, the backend downloads the current file, stores a snapshot, and mints a semantic version number
