Simpaisa Technology Radar

Field | Value
Version | 1.0
Date | 2 April 2026
Owner | Daniel O'Reilly, Chief Digital Officer
Scope | All Simpaisa markets (PK, BD, NP, IQ, EG)
Status | Approved

How to Read This Radar

The Technology Radar is a living document that captures Simpaisa's position on technologies relevant to our platform. It is divided into four quadrants (what kind of technology) and four lifecycle stages (what we recommend).

Lifecycle Stages

Stage | Meaning
EVALUATE | Assessing fit, not yet in production. Worth exploring. We see potential but have not yet committed to production use.
INTRODUCE | Deploying into production, building capability. Promising enough to invest in, actively rolling out.
STABLE | Production, proven, default choice. Use by default for new work. Teams should be building capability here.
DECOMMISSION | Replacing, do not start new work. Existing usage continues under maintenance, but migrate away when practical.

Quadrants

Quadrant | Covers
Languages & Frameworks | Programming languages, web frameworks, SDKs, specification formats
Platforms & Infrastructure | Cloud providers, compute models, networking, CDN, identity, CI/CD
Tools | Developer tooling, observability, documentation, analytics, AI assistants
Data & Storage | Databases, caches, message brokers, search engines, object storage

Changes from Last Radar

Initial radar — no prior version.


Key Themes

  1. Simplification over enterprise bloat. We are systematically replacing heavyweight Java/Spring Boot services and Apache Kafka with leaner alternatives (Go, NSQ) that are easier to operate across six markets with a small engineering team. Operational simplicity is a first-class architectural concern.

  2. Edge-first delivery. Cloudflare Pages, Workers, R2, and Caddy replace legacy hosting (Surge.sh, EC2-served static assets). Latency-sensitive workloads move closer to users in Pakistan, Bangladesh, Nepal, Iraq, and Egypt.

  3. Polyglot by purpose. Go for core payment services, Python for data and analytics, Rust for security-critical modules, TypeScript for web front-ends and SDKs, Astro for marketing and documentation sites. Each language is chosen deliberately, not by accident.

  4. Observability as a platform concern. OpenTelemetry provides vendor-neutral instrumentation; Jaeger and Grafana give us distributed tracing and dashboards. PostHog covers product analytics. This replaces ad-hoc CloudWatch-only monitoring.

  5. Security posture uplift. JSESSIONID-based authentication is being retired. RSA-SHA256 request signing becomes the unified standard. ControlPlane.com is under assessment for centralised identity and policy management.

  6. API-first culture. OpenAPI 3.1 specifications, Stoplight for design-time governance, Scalar for developer portal, and KrakenD as the gateway enforce a consistent, documented API surface across all markets.


Quadrant 1 — Languages & Frameworks

STABLE

Go Primary language for all new core payment services. Go's static compilation, low memory footprint, and excellent concurrency model make it ideal for high-throughput transaction processing. It also simplifies deployment across our multi-market infrastructure.

TypeScript Standard language for all web front-ends, merchant-facing SDKs, and internal tooling UIs. TypeScript's type safety reduces integration defects, and its ecosystem (Node.js, Deno, Bun) gives us flexibility in runtime choice.

Python Designated language for data pipelines, analytics workloads, and machine-learning integrations. Python's library ecosystem (pandas, scikit-learn, SQLAlchemy) is unmatched for data engineering tasks.

Astro Adopted for all new website builds, including the AEO-optimised corporate site (Astro 6.1 + Preact + MDX). Astro's island architecture delivers near-zero client-side JavaScript by default, which is critical for performance in markets with variable connectivity.

OpenAPI 3.1 Mandatory specification format for all Simpaisa APIs. OpenAPI 3.1 aligns with JSON Schema 2020-12, enabling richer validation and better tooling integration with Stoplight and Scalar.

RSA-SHA256 Signing Unified authentication and integrity standard for all API interactions. Every request is signed with RSA-SHA256, replacing the patchwork of JSESSIONID, HMAC, and bearer-token approaches across legacy services.

INTRODUCE

(No items in this ring for this quadrant.)

EVALUATE

Rust Under assessment for security-critical modules such as cryptographic signing, token validation, and fraud-detection hot paths. Rust's memory safety guarantees without garbage collection make it attractive, but we need to evaluate hiring feasibility and build-toolchain complexity before committing.

Serverless Workflow (CNCF) A CNCF specification for defining workflows as code in a vendor-neutral, declarative format. We are assessing whether it complements Temporal for long-running orchestration or whether Temporal alone meets our needs.

DECOMMISSION

Spring Boot / Java Existing payment services (Pay-Ins, Pay-Outs, Merchant Portal) remain on Spring Boot and will be maintained. No new services shall be written in Java. Migration to Go is planned incrementally as services are refactored.

Next.js The current corporate site runs Next.js 15 + React 18 + Tailwind. This is being replaced by the new Astro-based site. No new projects should use Next.js.


Quadrant 2 — Platforms & Infrastructure

STABLE

Cloudflare (Pages, Workers, R2, CDN, DNS) Cloudflare is the standard edge platform for static site hosting (Pages), serverless compute (Workers), object storage (R2), and DNS management. It provides a global CDN with strong presence in our operating markets and simplifies the operational burden of multi-region delivery. R2 (S3-compatible object storage with zero egress fees) is being introduced as the replacement for AWS S3, with workloads migrating progressively.

Bitbucket Simpaisa's source-control platform. All repositories, pull requests, and code-review workflows run through Bitbucket. Integrates with our CI/CD pipeline and Jira for traceability.

AWS (EC2, VPC, ALB, WAF, GuardDuty, CloudWatch, Parameter Store) AWS remains the primary IaaS provider for backend compute. Multi-AZ VPC, Auto Scaling Groups, WAF, and GuardDuty provide the resilience and security baseline required for PCI-DSS-scoped workloads.

INTRODUCE

KrakenD High-performance API gateway under active evaluation. KrakenD's declarative configuration, request aggregation, and lack of a database dependency make it attractive for our microservices architecture. Currently being trialled for the merchant-facing API layer.

Caddy Modern reverse proxy with automatic HTTPS via ACME. Being trialled as a replacement for nginx in front of internal services. Caddy's configuration simplicity and built-in TLS management reduce operational overhead.

Temporal Durable workflow engine for orchestrating long-running payment processes (settlement, reconciliation, dispute management). Temporal's built-in retry semantics and visibility tooling address reliability gaps in our current ad-hoc job scheduling.

HashiCorp Vault Centralised secrets management, PKI certificate authority, and encryption as a service. Replacing AWS Secrets Manager and Parameter Store with a unified secret lifecycle across all environments and markets. Vault's dynamic secrets capability generates short-lived credentials on demand, eliminating static long-lived secrets. Transit engine provides encryption as a service without applications needing to manage keys. PKI engine automates certificate issuance for mTLS between services.

EVALUATE

Dynamic Service Discovery (Consul) As Simpaisa moves from a monolithic MySQL-backed architecture to Go microservices, services need to find each other dynamically. Today, service endpoints are hardcoded or managed through load balancer configuration. HashiCorp Consul provides DNS-based and HTTP-based service discovery, health checking, and key-value configuration. It eliminates static endpoint management and enables blue-green deployments, canary routing, and automatic failover. Particularly relevant as we decompose the shared database and services need to discover per-market database endpoints dynamically. Consul's service mesh capability (via Envoy sidecar) also provides mTLS between services without application-level changes, addressing the security architecture requirement for encrypted internal communication.

Unikraft (Unikernels) Exploring unikernel-based compute for ultra-lightweight, single-purpose service deployments. Unikraft promises sub-millisecond boot times and a drastically reduced attack surface. Assessment focuses on whether the developer experience and debugging story are mature enough for production payment workloads.

HashiCorp Nomad Lightweight workload orchestrator under evaluation as an alternative to Kubernetes. Nomad's single-binary deployment, native integration with Consul (service discovery) and Vault (secrets), and support for non-containerised workloads make it attractive for a team that doesn't want to operate a Kubernetes cluster. Evaluating for orchestrating Go microservices, batch settlement jobs, and Temporal workers across multi-market infrastructure.

OPA/OPAL (Open Policy Agent / OPAL) Policy-as-code framework for fine-grained authorisation and compliance enforcement. OPA evaluates policies written in Rego against structured data (API requests, infrastructure configs, deployment manifests). OPAL keeps OPA policies synchronised with real-time data sources. Evaluating for: API authorisation (replace hardcoded role checks), infrastructure policy (enforce tagging, encryption, region constraints via Terraform), and compliance automation (codify regulatory rules from the playbooks as machine-enforceable policies). Particularly relevant for multi-jurisdiction compliance where rules differ by market.

Zitadel Open-source identity and access management platform. Evaluating as an alternative to ControlPlane.com for user authentication, SSO, and machine-to-machine auth. Zitadel provides OIDC/SAML, multi-tenancy, and self-hosted deployment. Its Go-native implementation and single-binary deployment align with the technology stack direction. Evaluating for: merchant portal SSO, internal staff authentication, and API consumer identity management across markets.

ControlPlane.com Centralised identity and policy platform under assessment for managing service-to-service authentication, RBAC, and policy enforcement across markets. Could replace bespoke identity logic scattered across services.

DECOMMISSION

Jenkins Current CI/CD orchestrator. Jenkins' plugin-based architecture and stateful controller model create operational fragility. We are evaluating replacements (Bitbucket Pipelines, Dagger, or similar) and no new pipeline investment should assume Jenkins long-term.

Surge.sh Used only for ephemeral beta/preview deployments. Being replaced by Cloudflare Pages preview deployments, which integrate with our Bitbucket workflow and provide production-equivalent infrastructure.

commerceplex.com Domain Legacy domain from an earlier brand iteration. All new services, documentation, and public-facing assets must use the simpaisa.com domain. commerceplex.com should not be used for any new work and existing references should be migrated.


Quadrant 3 — Tools

STABLE

OpenTelemetry Vendor-neutral observability instrumentation standard. All new services must emit traces, metrics, and logs via OpenTelemetry SDKs. This decouples us from any single backend and enables a consistent observability posture across Go, Python, TypeScript, and legacy Java services.

PostHog Product analytics platform adopted for tracking user behaviour, feature-flag management, and session replay. PostHog's self-hostable architecture aligns with data-residency requirements in regulated markets.

Claude API + Claude Code Anthropic's Claude is the standard AI assistant for code generation, architecture review, documentation, and developer productivity. Claude Code is integrated into developer workflows for pair-programming and automated analysis.

INTRODUCE

Scalar Modern API documentation portal under trial. Scalar generates interactive, developer-friendly API reference pages from OpenAPI specifications. Being evaluated as the public-facing documentation layer for merchant and partner integrations.

Stoplight API design and governance platform under trial. Stoplight enforces style guides and linting rules at design time, ensuring API consistency before implementation begins. Paired with Scalar for the full API lifecycle.

Postal Open-source, self-hosted mail delivery platform (https://github.com/postalserver/postal). Replacing AWS SES for transactional email: merchant notifications, settlement alerts, OTP delivery, and regulatory correspondence. Self-hosting provides full control over deliverability, IP reputation, and data sovereignty. Eliminates per-email SaaS costs and keeps email infrastructure within Simpaisa's security boundary. Supports DKIM, SPF, DMARC, click/open tracking, and webhook delivery notifications.

EVALUATE

(No items in this ring for this quadrant.)

DECOMMISSION

AWS SES Current transactional email service for merchant notifications, alerts, and OTP delivery. Being replaced by Postal, a self-hosted open-source mail delivery platform. Self-hosting eliminates per-email costs at scale, provides full control over deliverability reputation, and keeps email infrastructure within Simpaisa's own security boundary rather than relying on a third-party SaaS.

GitBook Current documentation platform for internal and external API docs. Being replaced by the Stoplight (design) + Scalar (portal) combination, which provides tighter integration with OpenAPI specifications and better governance tooling.


Quadrant 4 — Data & Storage

STABLE

(No items in this ring for this quadrant.)

INTRODUCE

SurrealDB Multi-model database (document, graph, relational) under active evaluation for new services. SurrealDB's flexible data model, built-in permissions, and real-time capabilities make it a candidate for replacing MySQL in greenfield services. Currently being trialled with non-critical workloads.

NSQ Lightweight, distributed messaging platform being trialled as a replacement for Apache Kafka. NSQ's operational simplicity (no ZooKeeper, no complex partition management) is a significant advantage for a small platform team managing infrastructure across multiple markets.

Meilisearch Fast, typo-tolerant search engine under trial as a replacement for OpenSearch. Meilisearch is simpler to operate, offers excellent relevance out of the box, and has a significantly smaller resource footprint — important for cost-conscious deployments.

EVALUATE

(No items in this ring for this quadrant.)

DECOMMISSION

Redis (ElastiCache) Legacy in-memory cache. Being replaced by SurrealDB's in-memory capabilities as part of database consolidation to a single data platform. No new services should depend on Redis.

MySQL (RDS) Existing transactional data remains in MySQL on RDS and will be maintained. No new services should use MySQL as their primary data store; new services should evaluate SurrealDB. Existing MySQL databases will be migrated opportunistically.

Apache Kafka Currently used for event streaming between payment services. Kafka's operational complexity (ZooKeeper dependency, partition rebalancing, broker management) is disproportionate to our throughput requirements. Being replaced by NSQ for new messaging needs.

OpenSearch Current search and log-analytics engine. Being replaced by Meilisearch for application search and by the OpenTelemetry + Grafana stack for log analytics. No new OpenSearch clusters should be provisioned.

JSESSIONID Authentication (Pay-Ins) Legacy session-based authentication used by the Pay-Ins service. This is a critical security risk: sessions are not cryptographically signed, are vulnerable to session fixation, and do not support multi-market federation. Migration to RSA-SHA256 signed requests is a priority.


Summary Matrix

Technology | Quadrant | Stage
Go | Languages & Frameworks | STABLE
TypeScript | Languages & Frameworks | STABLE
Python | Languages & Frameworks | STABLE
Astro | Languages & Frameworks | STABLE
OpenAPI 3.1 | Languages & Frameworks | STABLE
RSA-SHA256 Signing | Languages & Frameworks | STABLE
Rust | Languages & Frameworks | EVALUATE
Serverless Workflow | Languages & Frameworks | EVALUATE
Spring Boot / Java | Languages & Frameworks | DECOMMISSION
Next.js | Languages & Frameworks | DECOMMISSION
Cloudflare (R2, Pages, Workers, CDN, DNS) | Platforms & Infrastructure | STABLE
Bitbucket | Platforms & Infrastructure | STABLE
AWS (EC2, VPC, ALB, WAF) | Platforms & Infrastructure | STABLE
HashiCorp Vault | Platforms & Infrastructure | INTRODUCE
KrakenD | Platforms & Infrastructure | INTRODUCE
Caddy | Platforms & Infrastructure | INTRODUCE
Temporal | Platforms & Infrastructure | INTRODUCE
Consul (Service Discovery) | Platforms & Infrastructure | EVALUATE
Nomad (Orchestration) | Platforms & Infrastructure | EVALUATE
OPA/OPAL (Policy) | Platforms & Infrastructure | EVALUATE
Zitadel (IAM) | Platforms & Infrastructure | EVALUATE
Unikraft | Platforms & Infrastructure | EVALUATE
ControlPlane.com | Platforms & Infrastructure | EVALUATE
Jenkins | Platforms & Infrastructure | DECOMMISSION
Surge.sh | Platforms & Infrastructure | DECOMMISSION
commerceplex.com | Platforms & Infrastructure | DECOMMISSION
OpenTelemetry | Tools | STABLE
PostHog | Tools | STABLE
Claude API + Claude Code | Tools | STABLE
Postal (Email) | Tools | INTRODUCE
Scalar | Tools | INTRODUCE
Stoplight | Tools | INTRODUCE
AWS SES | Tools | DECOMMISSION
GitBook | Tools | DECOMMISSION
Redis (ElastiCache) | Data & Storage | DECOMMISSION
SurrealDB | Data & Storage | INTRODUCE
NSQ | Data & Storage | INTRODUCE
Meilisearch | Data & Storage | INTRODUCE
MySQL (RDS) | Data & Storage | DECOMMISSION
Apache Kafka | Data & Storage | DECOMMISSION
OpenSearch | Data & Storage | DECOMMISSION
AWS S3 | Data & Storage | DECOMMISSION
JSESSIONID Auth | Data & Storage | DECOMMISSION

Governance

This radar is reviewed quarterly by the CDO and engineering leads. Any technology adoption that moves between rings requires documented justification and approval. Teams proposing a new technology not yet on the radar should submit a Technology Assessment Request (TAR) for inclusion in the next review cycle.

Next review: Q3 2026


Document generated 2 April 2026. Simpaisa Holdings — Confidential.