Page 03 — C4 L1 + L2 · System Context & Containers

System
Context.

The complete boundary view of the Autonomous Finance system — C4 Level 1 context showing one system box and all external actors, followed by C4 Level 2 containers revealing agents, managed platform services, and inter-container communication.

C4 Levels L1 Context + L2 Containers
External Systems 8 Integrations
Human Actors 4 Veldtmann Roles
GCP Platform Deps Vertex AI · Cloud Pub/Sub
Compliance Regimes 6 Frameworks
03
Section 01 — C4 Level 1 · System Context

One system.
Every external actor.

C4 L1 Rule: A context diagram contains exactly one Software System box. No containers, components, agents, or shared services appear at this level — those are C4 L2 concerns. This diagram shows the system as a black box and maps every external relationship.

The C4 Level 1 diagram answers a single question: what does the Autonomous Finance system do, and who does it talk to? The system boundary is opaque. The agents, the Event Bus, the HITL manager — none of these appear here. They are container-level concerns documented in C4 L2 below.

Four human actors sit outside the boundary: CFO, Group Controller, Treasury Manager, and AP Lead. Eight external software systems surround the boundary. Every arrow carries a relationship description and integration protocol. Vertex AI and Cloud Pub/Sub are GCP-managed platform dependencies — they appear as external software systems at L1 because the system does not own or deploy them, it consumes them via API.

The BTP Integration Suite is shown as a distinct relay node between the system and SAP S/4HANA — it is not a direct RFC connection from GCP to on-premise.

L1 System Autonomous Finance [Software System]
Human CFO · Group Controller · Treasury Manager · AP Lead
External SAP S/4HANA (on-premise) via BTP Integration Suite
External Banking APIs × 4 — PSD2 Open Banking (REST/JSON)
External Banking APIs × 4 — SWIFT gpi / ISO 20022 (XML)
External FX Rate Feeds · ECB + Bank of Canada (REST)
External Supplier Invoice Ingestion · Email + EDIFACT
GCP Managed Vertex AI Prediction Endpoints (europe-west3, VPC-SC)
GCP Managed Cloud Pub/Sub — managed message bus (europe-west3)
AE Platform Data Governance M-08 · GreenOps M-06 · Strategy Dashboard M-07
C4 Level 1 System Context — one software system box · external actors · relationships only
C4 LEVEL 1 — SYSTEM CONTEXT — THE AUTONOMOUS FINANCE — VELDTMANN GROUP AUTONOMOUS FINANCE [Software System] AI-native finance operations platform IC reconciliation · cash & treasury · AP exception resolution — EU AI Act Annex III conformant GCP · europe-west3 · VPC-SC perimeter HITL-gated · Audit-trail native See C4 L2 below for internal containers CFO [Person] Veldtmann Group GROUP CONTROLLER [Person] TREASURY MANAGER [Person] AP LEAD [Person] Veldtmann Group HITL approval · high-risk gate IC override · annotation Hedge approval · cash review Exception review · escalation SAP BTP INTEGRATION SUITE [Software System — Relay] SAP S/4HANA On-premise · RFC [Software System] RFC OData/REST → RFC bridge approved journal posts BANKING APIs ×4 PSD2 Open Banking · REST/JSON Real-time balances · txn feeds BANKING APIs ×4 SWIFT gpi · ISO 20022 XML Intraday liquidity · cross-border reads balance feeds reads intraday msgs FX RATE FEEDS ECB + Bank of Canada · REST EUR/CHF/CAD spot + forwards 15-min REST pull SUPPLIER INVOICES Email IMAP · EDIFACT Document AI structured extract async ingest VERTEX AI PREDICTION GCP Managed · europe-west3 VPC-SC perimeter · 3 endpoints [GCP Software System] gRPC inference <200ms AE PLATFORM [External Software Systems] DATA GOVERNANCE M-08 Feature validation gate [AE Platform] GREENOPS M-06 Carbon-aware retraining schedule [AE Platform] STRATEGY DASHBOARD M-07 KPI feed: close · AP rate · cash acc. [AE Platform] LEGEND Software System (this system) Person [C4 notation] External Software System GCP Managed Service AE Platform (external) Human interaction COMPLIANCE ENVELOPE: EU AI ACT · GDPR Art.5/25 · CSRD · PIPEDA · IFRS · OECD TP — see C4 L2 and Compliance section for structural expression
C4 L1 Key Corrections Applied
Single system box — no agents at L1 BTP as distinct relay — not direct RFC PSD2 Open Banking split from ISO 20022 Vertex AI as GCP managed [Software System] Cloud Pub/Sub as GCP managed [Software System] AE Platform modules clearly external C4 [Person] notation — not diamond shapes
Section 02 — C4 Level 2 · Containers

Inside the
boundary.

C4 Level 2 opens the system box and shows the major containers — deployable/runnable units. Agents are containers. Cloud Pub/Sub and Vertex AI are GCP-managed platform dependencies — not internal components the system owns. They appear inside the system's GCP project boundary but with a distinct visual treatment indicating they are managed services.

C4 Level 2 Container Diagram — deployable units, GCP managed deps, inter-container communication
C4 LEVEL 2 — CONTAINER DIAGRAM — AUTONOMOUS FINANCE — VELDTMANN GROUP GCP PROJECT · europe-west3 · VPC-SC PERIMETER IC RECONCILIATION AGENT [Container: Python · Cloud Run] Entity-graph · TP docs · GL post CASH & TREASURY AGENT [Container: Python · Cloud Run] FX exposure · liquidity forecast AP EXCEPTION AGENT [Container: Python · Cloud Run] Priority score · resolution route CLOUD PUB/SUB [GCP Managed Service — not application-owned] publish publish / subscribe publish HITL STATE MANAGER [Container: Cloud Run + Firestore] Intercepts high-risk action proposals AUDIT TRAIL WRITER [Container: Cloud Run + BigQuery] Subscribes all topics · immutable log FEATURE STORE ADAPTER [Container: Cloud Run] Validates via M-08 before write agent.action.proposed all topics finance.feature.delta VERTEX AI PREDICTION ENDPOINTS [GCP Managed Service · regional endpoint · VPC-SC enforced] IC classifier · FX forecaster · AP priority scorer — inference only, no training gRPC inference (<200ms) · VPC-private endpoint GCP MANAGED SERVICES (dashed = not owned) approved → BTP → SAP EXTERNAL SYSTEMS (from C4 L1) SAP BTP + S/4HANA Banking APIs (PSD2 + ISO 20022) FX Feeds · Supplier Invoices AE Platform (M-06/07/08) See C4 L1 diagram above and Integration table below for full protocol, direction, and SLA specification PERSONS CFO [Person] GRP CONTROLLER [Person] TREASURY MGR [Person] AP LEAD [Person] reviews HITL queue C4 L2 · CONTAINERS · AUTONOMOUS FINANCE · VELDTMANN GROUP · europe-west3
Section 03 — Event & Signal Flow

How data
moves through the system.

Cloud Pub/Sub is a GCP-managed service. Agents publish to it; they do not own it. Topic names follow a structured namespace — domain.entity.event-type — reflecting the enriched, structured nature of the payloads (not raw SAP dumps). The HITL State Manager subscribes to finance.action.proposed and routes to human review or autonomous execution based on the risk classification schema.

HITL Risk Classification Schema — EU AI Act Annex III Operationalisation
Action Type Risk Tier Trigger Condition Disposition EU AI Act Basis
GL journal post — IC settlement High · HITL Required Amount > €50k OR cross-jurisdiction OR new counterparty entity Group Controller approval queue · 4h SLA Annex III §5(b) — AI influencing financial decisions for legal persons
GL journal post — IC settlement Low · Autonomous Amount ≤ €50k AND same-jurisdiction AND known entity AND confidence ≥ 0.92 Direct SAP write via BTP · logged to Audit Trail Annex III §5(b) — below materiality threshold, explainability logged
FX hedge recommendation High · HITL Required Notional > €500k OR tenor > 90 days OR model confidence < 0.80 Treasury Manager approval queue · 2h SLA Annex III §5(b) — material financial risk to legal entity
AP payment release routing High · HITL Required New supplier (first 3 invoices) OR disputed PO OR invoice > €100k AP Lead review queue · 8h SLA Annex III §5(b) — payment instruction with financial consequence
AP exception classification Low · Autonomous Known supplier · matched PO · amount within 2% tolerance · confidence ≥ 0.90 Auto-route to resolution queue · no SAP write · logged Classification only — no financial action, exempted
Model inference (all agents) Logged · No Gate Every inference call SHAP attribution + confidence logged to Audit Trail · no human gate on inference itself Art. 13 Transparency — model output explainability requirement
End-to-End Signal Flow — Corrected Topic Names (M-01)
EVENT & SIGNAL FLOW — CORRECTED TOPIC NAMES — CLOUD PUB/SUB (GCP MANAGED) ① INBOUND BTP DELTA FEED IC entries (enriched) BANK FEEDS ×4 PSD2 + ISO 20022 FX RATE FEEDS ECB · BoC REST SUPPLIER INVOICES Email + EDIFACT ② CLOUD PUB/SUB (GCP) sap.ic-entries.enriched bank.transactions.stream market.fx-rates.updated supplier.invoices.parsed finance.action.proposed hitl.decision.resolved audit.event.written sap.journal.committed ae.kpi.finance.updated finance.feature.delta CLOUD PUB/SUB GCP MANAGED not application-owned ③ AGENTS · PROCESS IC RECONCILIATION AGENT Sub: sap.ic-entries.enriched Pub: finance.action.proposed CASH & TREASURY AGENT Sub: bank.transactions.stream · market.fx-rates.updated Pub: finance.action.proposed AP EXCEPTION AGENT Sub: supplier.invoices.parsed Pub: finance.action.proposed ④ GATE & LOG HITL STATE MANAGER Sub: finance.action.proposed Routes per risk classification schema Pub: hitl.decision.resolved AUDIT TRAIL WRITER Sub: ALL topics (wildcard) BigQuery immutable append Pub: audit.event.written FINANCE PERSONS CFO · Controller · Treasury Mgr · AP Lead [Person — C4 notation] ⑤ EXECUTE & WRITE SAP GL POST (via BTP) IFRS-formatted · approved only TP DOCUMENTATION OECD BEPS Action 13 artifact AE STRATEGY KPIs ae.kpi.finance.updated → M-07 AUDIT TRAIL (BigQuery) Immutable · regulatory inspection HITL REVIEW QUEUE High-risk actions pending human gate FEATURE STORE (M-08 GATED) finance.feature.delta → validation ① Ingest ② Route (Pub/Sub) ③ Process ④ Gate & Log ⑤ Execute ALL TOPICS SUBSCRIBED BY AUDIT TRAIL WRITER · BIGQUERY IMMUTABLE APPEND · europe-west3 · VPC-SC
Section 04 — Integration Pattern Register

Every connection,
precisely specified.

Open Banking (PSD2) and ISO 20022 are distinct protocols with different transport formats, authentication mechanisms, and data semantics — they are listed separately. SLA targets and availability tiers are specified for each integration. GCP-managed services (Vertex AI, Cloud Pub/Sub) are listed with their VPC-SC and regional endpoint configuration requirements.

System Deployment Protocol Data In Data Out Latency SLA / Availability
SAP BTP Integration Suite SAP Cloud (relay) REST/OData → RFC translation IC delta events, GL entries, entity master data Approved journal posts forwarded to S/4HANA via RFC Near Real-Time 99.9% · SAP SLA
SAP S/4HANA On-premise RFC (via BTP relay) GL/IC entries, open item lists, entity master Journal posts, IC settlement confirmations, TP doc writes Near Real-Time Customer-managed · ≥99.5%
Banking APIs ×4 (PSD2) Cloud SaaS (banks) PSD2 Open Banking · REST/JSON · OAuth 2.0 Real-time account balances, retail transaction feeds, account metadata None — read-only Real-Time 99.5% · PSD2 mandated
Banking APIs ×4 (SWIFT) SWIFT Network ISO 20022 XML · SWIFT gpi · MX messages Intraday liquidity position, cross-border payment confirmations, MT→MX migrated messages None — read-only (payment initiation out of scope L1) 15-30 min batch 99.9% · SWIFT SLA
FX Rate Feeds (ECB + BoC) Public API REST pull (scheduled) · JSON/XML EUR/CHF/CAD spot rates, forward curves, historical series None — read-only 15-min Poll Public · no SLA · retry logic req'd
Supplier Invoice Ingestion Hybrid (email + EDI) Email IMAP · EDIFACT D.96A · Document AI API Structured invoice fields: supplier, PO ref, line items, amounts, currency, due date, exception flags None — intake only; AP posting via SAP Async / Event-driven Best-effort · dead-letter queue
Vertex AI Prediction (GCP) GCP europe-west3 (managed) gRPC · regional private endpoint · VPC-SC enforced Feature vectors: IC mismatch signals, cash position vectors, invoice exception embeddings Inference scores, confidence intervals, SHAP attribution values Real-Time <200ms 99.95% · GCP SLA · VPC-private
Cloud Pub/Sub (GCP) GCP europe-west3 (managed) Pub/Sub API · push + pull · VPC-SC enforced Agent action proposals, HITL decisions, audit events, feature deltas Routed messages to subscribers (HITL, Audit Trail, Feature Store Adapter) Real-Time 99.95% · GCP SLA
AE Data Governance (M-08) AE Platform (GCP) Feature Store API · synchronous gate Feature definitions, lineage metadata for validation Validated feature versions approved for Feature Store write; DQ score Pre-batch gate 99.9% · AE Platform SLA
AE GreenOps (M-06) AE Platform (GCP) Scheduler API · carbon-aware (Grid Carbon API) Retraining job manifests, carbon intensity signals Carbon-optimised batch schedule; green execution windows; Scope 3 emissions tags per run Batch / Scheduled Best-effort · carbon-aware
AE Strategy Dashboard (M-07) AE Platform (GCP) Pub/Sub push · ae.kpi.finance.updated topic None — write-only KPI feed: close duration (days), cash forecast accuracy (%), AP exception rate, IC mismatch count, hedge P&L attribution Near Real-Time 99.9% · AE Platform SLA
Integration Corrections Applied
BTP relay node explicit (H-05) PSD2 / ISO 20022 split (H-02) Vertex AI VPC-SC + regional endpoint (M-05) Cloud Pub/Sub GCP managed (H-01) SLA column added per integration (M-02) EDIFACT D.96A (not generic EDI)
Section 05 — Compliance Architecture

Six frameworks.
One structural answer.

Compliance constraints are expressed architecturally — not as policy overlays. Each framework maps to a specific structural decision. CSRD is cited at the correct category level for a manufacturing group (not Category 15, which applies to financial institutions' financed emissions). GDPR is cited at the correct articles with accurate scope. PIPEDA compliance is expressed through jurisdiction-aware routing visible in the architecture.

COMPLIANCE CONSTRAINT MAPPING — STRUCTURAL EXPRESSION PER FRAMEWORK AUTONOMOUS FINANCE [Software System] GCP europe-west3 · VPC-SC · HITL-gated Audit-trail native · jurisdiction-aware routing Personal data: pseudonymised at ingest · minimised EU AI ACT Annex III §5(b) · High-risk Art.13 Transparency → Risk taxonomy HITL gate GDPR Art.5 Lawfulness & purpose Art.25 Privacy-by-design → europe-west3 lock · VPC-SC → PII pseudonymised at ingest PIPEDA CA entity data privacy → CA routing tag on all events → Separate CA retention policy → BoC FX = CA data path flagged CSRD Scope 3 Cat.1 (Purchased goods/services) — IC ops → IC settlement emission tag → GreenOps M-06 integration IFRS Recognition & measurement → Journal post schema enforced → Policy configured per entity OECD TP BEPS Action 13 → TP doc per IC settlement → Contemporaneous at write time → DE/NL/CA penalty exposure ↓ STRUCTURAL OUTPUTS: HITL risk-classified gate · VPC-SC data residency · TP docs at settlement · Scope 3 Cat.1 emission tags · IFRS journal schema · CA jurisdiction routing · SHAP explainability log
EU AI Act
Annex III §5(b) · Art.13 Transparency
Classified as Annex III high-risk under §5(b) — AI influencing financial decisions for legal persons. HITL is not a blanket intercept: it activates per the risk taxonomy defined in Section 03. Art.13 Transparency requires SHAP attribution values logged with every inference output. Conformance documentation is generated per inference cycle, not per deployment event.
GDPR
Art.5 Lawfulness · Art.25 Privacy-by-design · europe-west3
Art.5 governs lawfulness, fairness, purpose limitation, and the data minimisation principle (one of seven Art.5 principles). Art.25 mandates privacy-by-design and by-default. The system processes personal data (supplier names, bank account references, employee reimbursement records) — this is pseudonymised at point of ingestion and minimised before Feature Store write. All storage and processing is locked to europe-west3 via VPC Service Controls. Retention windows are configurable per entity jurisdiction and data category.
CSRD
Scope 3 Category 1 · Double Materiality
For Veldtmann as a manufacturing and services group, the relevant CSRD Scope 3 category is Category 1 (Purchased goods and services) — not Category 15 (Investments / Financed Emissions), which applies to financial institutions' loan portfolios. Each IC settlement carries a Scope 3 Category 1 emission attribution tag derived from entity-level carbon intensity data, enabling consolidated group reporting without retrospective calculation. GreenOps M-06 handles Scope 3 attribution for retraining compute.
PIPEDA
Canadian Data Privacy · CA Entity Routing
PIPEDA obligations are expressed architecturally: all events originating from Canadian entities carry a jurisdiction: CA envelope tag. The routing layer applies CA-specific retention (7 years per CRA requirements), access controls aligned to PIPEDA's accountability principle, and ensures the Bank of Canada FX feed data path is tagged as a CA-jurisdiction data flow. This is visible in the Pub/Sub event envelope — not enforced only at the policy layer.
IFRS
Recognition · Measurement · Journal Schema
All SAP journal posts generated by the IC Reconciliation Agent conform to the entity's configured IFRS recognition and measurement policies. The agent implements these policies deterministically from a per-entity configuration store — it does not make accounting policy judgements. Journal post schema validation occurs before BTP submission; non-conformant outputs are rejected to the HITL queue, not silently corrected.
OECD TP
BEPS Action 13 · Contemporaneous Documentation
Transfer-pricing arm's-length documentation is generated synchronously at the point of each IC settlement — not retrospectively. BEPS Action 13 requires contemporaneous documentation; generating it at write time eliminates the audit exposure of retrospective reconstruction. For DE, NL, and CA entities, failure to maintain documentation exposes the group to TP adjustment surcharges of up to 25% of assessed underpayment. The IC agent eliminates this risk as a byproduct of normal operation.
Compliance Corrections Applied
GDPR Art.5 scope corrected (C-03) PII scope explicitly acknowledged (C-03) CSRD Cat.1 not Cat.15 (H-04) HITL risk taxonomy defined (H-03) PIPEDA CA routing architectural (M-06) VPC-SC per Vertex AI endpoint (M-05)