Compliance Solutions Case Study
Automotive Marketing Compliance Middleware Under Regulatory Deadline
Designed, scoped, and delivered a production-ready compliance middleware system within a 30-day implementation window — establishing a fully auditable, bidirectional data pipeline between the client's CRM and a proprietary dealership compliance platform across seven franchise locations.
The Compliance Gap
The client operated as a marketing services provider for a network of auto dealerships, managing outbound customer communications on their behalf. Their dealer partners were subject to regulatory requirements mandating that all customer consent changes and outbound communications be captured, synchronized, and auditable in real time.
The client faced a set of interlocking compliance obligations with no existing technical solutions to fulfill them. They were required to receive opt-out and consent directives from their dealer partners and apply them within their CRM, proactively send consent changes back to those same partners, and log all outbound customer communications to the dealership compliance system for audit purposes.
Failure to demonstrate a working system would have jeopardized all seven dealership contracts and the viability of the business itself. The requirement arrived with limited lead time, there was no existing integration between the two platforms, and no established data contract between them.
We were engaged to scope and implement the solution end to end.
The Mandate
Deliver a production-grade compliance system before the regulatory deadline — with zero data loss, full auditability, and bidirectional synchronization.
- Implement reliable, bidirectional event synchronization between GoHighLevel and the dealership compliance API with no data loss under normal and degraded conditions
- Ensure all outbound communications initiated through GHL were logged to the dealership system with full traceability to individual API transaction IDs
- Capture and apply inbound Do Not Contact directives from the dealership platform back to the correct GHL contacts in real time
- Provide a complete audit trail of all system activity sufficient to satisfy compliance review
- Deliver the system within a 30-day implementation window following two weeks of discovery and scoping
The goal was a defensible compliance record, not an incremental process improvement.
From Zero to Production Compliance Relay
The delivered system is a Next.js-based middleware application deployed on Vercel's serverless infrastructure, purpose-built to act as a compliance relay between two distinct ecosystems: GoHighLevel (the client's CRM) and the dealership network's proprietary compliance platform.
Inbound Webhook Events
CRM events and dealership consent directives received via authenticated endpoints
Transactional Outbox
- All events persisted to PostgreSQL before delivery
- Decouples ingestion from downstream delivery
- Guarantees zero data loss under degraded conditions
Cron-Driven Processor
Claims pending entries every 60 seconds — configurable batches with exponential backoff retry
Tag-Based Location Routing
Contact tags in GHL restrict routing using an intersection model — prevents over-routing to unintended dealer locations
Bidirectional Sync
- Consent events fanned out to dealership locations
- Inbound Do Not Contact directives arrive via AWS SNS and are signature-verified before processing
- DNC flags written back to GHL contacts in real time
Transactional outbox pattern ensures zero data loss under degraded conditions across both integration directions.
Implementation Highlights
Six architectural decisions that ensured reliability, auditability, and zero data loss under production conditions.
Transactional Outbox Pattern
All inbound events written to a durable outbox table before delivery. Decouples ingestion from delivery, guaranteeing no event loss due to downstream API unavailability.
Zero data loss under degraded conditions
Idempotency & Deduplication
Every inbound event assigned a unique key at ingestion. Duplicate webhook deliveries (common with AWS SNS) detected and silently dropped before outbox entry creation.
Prevented double-processing without downstream complexity
Stale Event Detection
Consent state writes include timestamp comparison against stored records. Out-of-order events carrying older consent dates are discarded, guarding against race conditions.
Ordering guarantees without upstream transport dependencies
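The two checks above (idempotency key at ingestion, timestamp comparison against the stored consent record) as an added illustration; this is not the client's code. The in-memory `OutboxStore` stands in for the PostgreSQL outbox and consent tables, and the event shape and field names are assumptions.

```typescript
// Added example: outbox ingestion with deduplication and stale-event detection.
// The Set/Map below stand in for the PostgreSQL tables; field names are assumed.
type ConsentEvent = {
  eventId: string;    // assumed: the webhook/SNS message id, reused as idempotency key
  contactId: string;  // the CRM contact the directive applies to
  optedOut: boolean;  // true for a Do Not Contact directive
  consentAt: string;  // ISO-8601 timestamp of the consent change at the source
};

type IngestResult = "queued" | "duplicate" | "stale";

class OutboxStore {
  private seen = new Set<string>();                    // idempotency keys already ingested
  private consent = new Map<string, ConsentEvent>();   // latest accepted consent per contact
  readonly outbox: ConsentEvent[] = [];                // rows awaiting downstream delivery

  ingest(ev: ConsentEvent): IngestResult {
    // Idempotency: SNS may deliver the same message more than once. The key is
    // assigned before anything else happens, so a redelivery never creates a row.
    const key = `${ev.eventId}:${ev.contactId}`;
    if (this.seen.has(key)) return "duplicate";
    this.seen.add(key);
    // Stale-event detection: an event whose consent date is the same as or older
    // than the stored record arrived out of order and must not overwrite it.
    const current = this.consent.get(ev.contactId);
    if (current && Date.parse(ev.consentAt) <= Date.parse(current.consentAt)) return "stale";
    this.consent.set(ev.contactId, ev);
    this.outbox.push(ev); // persisted before any delivery attempt is made
    return "queued";
  }

  currentOptOut(contactId: string): boolean | undefined {
    return this.consent.get(contactId)?.optedOut;
  }
}

// Constructed sample: a DNC directive, its duplicate redelivery, and an older
// opt-in that arrives late. Only the first one reaches the outbox.
function runSample(): { results: IngestResult[]; optedOut: boolean | undefined; queued: number } {
  const store = new OutboxStore();
  const results = [
    store.ingest({ eventId: "m1", contactId: "c42", optedOut: true, consentAt: "2025-03-02T10:00:00Z" }),
    store.ingest({ eventId: "m1", contactId: "c42", optedOut: true, consentAt: "2025-03-02T10:00:00Z" }),
    store.ingest({ eventId: "m0", contactId: "c42", optedOut: false, consentAt: "2025-03-01T09:00:00Z" }),
  ];
  return { results, optedOut: store.currentOptOut("c42"), queued: store.outbox.length };
}
```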
Exponential Backoff with Jitter
Configurable retry behavior with a ceiling of one hour between attempts and a maximum of eight attempts by default. Implemented in a dedicated module with unit test coverage.
Resilient delivery under third-party instability
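An added example of the retry schedule described above (eight attempts, one-hour ceiling) together with the cron claim step from the architecture section; this is not the client's retry module. The one-second base delay, the row shape and the injectable random source are assumptions made so the schedule can be unit-tested deterministically.

```typescript
// Added example: exponential backoff with jitter and the outbox claim/reschedule steps.
interface BackoffOptions {
  baseMs: number;        // delay before the first retry (assumed 1 s)
  maxDelayMs: number;    // ceiling between attempts (one hour, as on the page)
  maxAttempts: number;   // total delivery attempts before the row is parked (eight)
  random: () => number;  // uniform in [0, 1); swap in a constant for tests
}

const DEFAULTS: BackoffOptions = { baseMs: 1_000, maxDelayMs: 3_600_000, maxAttempts: 8, random: Math.random };

// Delay before the next try after `failures` failed attempts, or null once the budget is spent.
// "Equal jitter": half of the exponential value is kept and the other half is randomised,
// so retries spread out without ever collapsing to an immediate retry storm against the partner API.
function nextDelayMs(failures: number, opts: Partial<BackoffOptions> = {}): number | null {
  const o = { ...DEFAULTS, ...opts };
  if (failures < 1 || failures >= o.maxAttempts) return null;
  const exp = Math.min(o.maxDelayMs, o.baseMs * 2 ** (failures - 1));
  return Math.floor(exp / 2 + o.random() * (exp / 2));
}

interface OutboxRow { id: string; failures: number; nextAttemptAt: number; status: "pending" | "dead" }

// Called by the cron processor when a delivery attempt fails: either reschedule the row
// for a later claim or mark it dead so an operator can find it in the audit trail.
function scheduleRetry(row: OutboxRow, nowMs: number, opts?: Partial<BackoffOptions>): OutboxRow {
  const failures = row.failures + 1;
  const delay = nextDelayMs(failures, opts);
  if (delay === null) return { ...row, failures, status: "dead" };
  return { ...row, failures, nextAttemptAt: nowMs + delay, status: "pending" };
}

// Rows the 60-second cron may claim now, oldest first, capped at the configured batch size.
function claimDue(rows: OutboxRow[], nowMs: number, batchSize: number): OutboxRow[] {
  return rows
    .filter((r) => r.status === "pending" && r.nextAttemptAt <= nowMs)
    .sort((a, b) => a.nextAttemptAt - b.nextAttemptAt)
    .slice(0, batchSize);
}
```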
Full API Audit Trail
Every outbound call to both platforms — including auth token requests — recorded with request/response bodies, timestamps, item counts, and error details. Traceable to exact downstream transaction IDs.
Queryable compliance record for regulatory review
SNS Signature Verification
Inbound consent notifications from the dealership platform delivered via AWS SNS. X.509 signature validated on every message before processing.
Only authentic notifications from configured topics are acted upon
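The verification steps above, written out as an added example that is not the client's code: build the SNS string-to-sign, accept the signing certificate only from an SNS host over HTTPS, restrict to configured topics, then check the RSA signature. The hostname pattern is assumed for commercial AWS regions, and `demo()` uses a throwaway key pair and a placeholder topic ARN instead of a certificate fetched from `SigningCertURL`.

```typescript
import { createSign, createVerify, generateKeyPairSync } from "node:crypto";

// Added example: SNS message signature verification (not the client's implementation).
type SnsMessage = {
  Type: string; MessageId: string; TopicArn: string; Message: string; Timestamp: string;
  Subject?: string; SubscribeURL?: string; Token?: string;
  SignatureVersion: string; Signature: string; SigningCertURL: string;
};

// Canonical string-to-sign: field name and value on alternating lines, in this fixed
// order; optional fields (Subject) are included only when present in the message.
function stringToSign(m: SnsMessage): string {
  const order: (keyof SnsMessage)[] = m.Type === "Notification"
    ? ["Message", "MessageId", "Subject", "Timestamp", "TopicArn", "Type"]
    : ["Message", "MessageId", "SubscribeURL", "Timestamp", "Token", "TopicArn", "Type"];
  return order.filter((f) => m[f] !== undefined).map((f) => `${f}\n${m[f]}\n`).join("");
}

// The certificate may only be fetched from an SNS host over HTTPS; any other URL is
// rejected before the signature is checked. Hostname pattern assumed for commercial regions.
function certUrlIsTrusted(url: string): boolean {
  try {
    const u = new URL(url);
    return u.protocol === "https:" && /^sns\.[a-z0-9-]+\.amazonaws\.com$/.test(u.hostname)
      && u.pathname.endsWith(".pem");
  } catch { return false; }
}

// certPem is the PEM fetched from SigningCertURL (a bare public key PEM also works, see demo()).
function verifySnsMessage(m: SnsMessage, certPem: string, allowedTopics: Set<string>): boolean {
  if (!allowedTopics.has(m.TopicArn) || !certUrlIsTrusted(m.SigningCertURL)) return false;
  const algo = m.SignatureVersion === "2" ? "RSA-SHA256" : "RSA-SHA1"; // version 1 is SHA1
  return createVerify(algo).update(stringToSign(m), "utf8").verify(certPem, m.Signature, "base64");
}

// Constructed round trip: sign a DNC notification with a throwaway key, verify it,
// then verify a copy whose body was altered. Returns [genuine, tampered].
function demo(): [boolean, boolean] {
  const { privateKey, publicKey } = generateKeyPairSync("rsa", { modulusLength: 2048 });
  const topic = "arn:aws:sns:us-east-1:000000000000:example-dnc-topic"; // placeholder ARN
  const unsigned = { Type: "Notification", MessageId: "11111111-2222-3333-4444-555555555555",
    TopicArn: topic, Message: JSON.stringify({ contactId: "c42", doNotContact: true }),
    Timestamp: "2025-03-02T10:00:00.000Z", SignatureVersion: "2", Signature: "",
    SigningCertURL: "https://sns.us-east-1.amazonaws.com/SimpleNotificationService-example.pem" };
  const Signature = createSign("RSA-SHA256").update(stringToSign(unsigned), "utf8").sign(privateKey, "base64");
  const msg: SnsMessage = { ...unsigned, Signature };
  const pem = publicKey.export({ type: "spki", format: "pem" }) as string;
  const allowed = new Set([topic]);
  const tampered = { ...msg, Message: JSON.stringify({ contactId: "c42", doNotContact: false }) };
  return [verifySnsMessage(msg, pem, allowed), verifySnsMessage(tampered, pem, allowed)];
}
```

In production the PEM is fetched from `SigningCertURL` (and cached by URL) only after `certUrlIsTrusted` passes, and a message for a topic that is not in the configured allow-list is dropped and logged rather than acted upon.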
Technical Stack
Runtime
Node.js via Next.js 16 serverless functions
Language
TypeScript (strict mode)
Framework
Next.js 16 (App Router)
Frontend
React 19, Tailwind CSS
Database
PostgreSQL via Supabase (managed)
Auth
Supabase Auth (magic link / passwordless)
Schema Validation
Zod 4
API Docs
Zod-to-OpenAPI, Swagger UI, ReDoc
Hosting
Vercel (serverless + cron)
Inbound Messaging
AWS SNS (X.509 signature verification)
External Integrations
GoHighLevel REST API, Dealership Compliance REST API (OAuth2)
Testing
Vitest
Package Manager
pnpm
DB Migrations
Supabase CLI (17 migrations)
Stack optimized for auditability, resilience, and compressed delivery timeline.
Measured Compliance Impact
Webhook Events Received
9,962 inbound events across both integration directions in 20 days
Compliance Events Delivered
24,436 events successfully delivered to downstream systems
Event Breakdown
21,509 consent sync events + 7,470 communication log events
Delivery Timeline
System live within 30 days, meeting regulatory deadline
Built for Regulatory Confidence
- Client successfully passed compliance audit and retained all seven dealership contracts
- Business relationship with the dealership network is ongoing and in good standing
- All outbound communications traceable to individual API transaction IDs, providing defensible documentation in the event of a partner dispute
- Client moved from no compliance systems to a fully auditable, production-grade solution in under six weeks total, including discovery
Delivered as a Scoped Build Engagement
This engagement was executed as a scoped, fixed-timeline build — from discovery through production deployment — under significant time pressure and high business stakes.
- Two weeks of discovery and scoping to define integration requirements, data contracts, and compliance obligations
- 30-day implementation phase with delivery to production within the committed window
- Scope managed to prioritize reliability and auditability first, with operational tooling (admin dashboard, API documentation) built alongside core workflows rather than deferred
- Post-launch stabilization and operational monitoring consistent with standard practice for integration middleware
Compliance Deadlines Don't Wait.
If your business depends on demonstrating regulatory compliance across partner systems, the gap between a standing start and audit-ready can be closed faster than you think.