Marketplace Merchant Portal architecture overview


This document explains how a Spryker Marketplace MerchantPortal is designed.

The following diagrams outline the relation between Zed, MerchantPortal, Back Office, and DB. To learn more about MerchantPortal, see Marketplace MerchantPortal Core feature.

MerchantPortal Architecture overview

Zed and MerchantPortal

Zed is an application layer in Spryker (next to Yves, Glue, Client, Service, and Shared).

This layer serves as a base for backend-oriented applications such as MerchantPortal, Back Office, Gateway, and Console (DataImport, Pub&Sync). This means that MerchantPortal shares the codebase with these applications, and the internal Zed infrastructure is available within the MerchantPortal runtime. This allows faster development and easier customization of your Spryker Marketplace project.


While addressing different concerns, both MerchantPortal and Back Office have direct access to the main database, where all application transactions are stored. The Marketplace Operator Back Office application is hidden behind a secure VPN connection, but MerchantPortal must be exposed directly to the WAN. That raises security risks, such as unauthorized data access, and imposes higher requirements on both the application and infrastructure layers.

Security of the Spryker Marketplace MerchantPortal application

The main database contains all the data of your system. This includes Merchant-specific data (MerchantOrders, MerchantOffers, and MerchantProducts) that should never be available to other Merchants in the system.

To provide an additional layer of protection for sensitive data, we have developed the Persistence ACL for MerchantPortal. It filters all data coming from the database at the query level.
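
A minimal sketch of what filtering at the query level means, added here as an illustration. It is not Spryker's Persistence ACL code: the table, its columns, and the MerchantScopedOrderReader class are constructed for the example, and it assumes PHP with the pdo_sqlite extension.

```php
<?php
declare(strict_types=1);

// Constructed schema and rows; not Spryker's tables or its Persistence ACL code.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE merchant_order (id INTEGER PRIMARY KEY, merchant_id INTEGER NOT NULL, reference TEXT NOT NULL)');
$pdo->exec("INSERT INTO merchant_order (id, merchant_id, reference) VALUES
    (1, 10, 'MO-10-001'), (2, 10, 'MO-10-002'), (3, 20, 'MO-20-001')");

/** Hypothetical read gateway: every query it builds is scoped to one merchant. */
final class MerchantScopedOrderReader
{
    private PDO $pdo;
    private int $merchantId;

    // $merchantId must come from the authenticated session, never from request input.
    public function __construct(PDO $pdo, ?int $merchantId)
    {
        if ($merchantId === null) {
            // Fail closed: without a merchant context no query is ever built.
            throw new RuntimeException('Merchant context is required');
        }
        $this->pdo = $pdo;
        $this->merchantId = $merchantId;
    }

    /** @return array<int, array<string, mixed>> */
    public function findAll(): array
    {
        $stmt = $this->pdo->prepare('SELECT id, reference FROM merchant_order WHERE merchant_id = :merchant ORDER BY id');
        $stmt->execute(['merchant' => $this->merchantId]);
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    }

    /** @return array<string, mixed>|null */
    public function findById(int $orderId): ?array
    {
        // The merchant predicate is part of the lookup itself, so an id that
        // belongs to another merchant matches no row instead of being filtered later.
        $stmt = $this->pdo->prepare('SELECT id, reference FROM merchant_order WHERE id = :id AND merchant_id = :merchant');
        $stmt->execute(['id' => $orderId, 'merchant' => $this->merchantId]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row === false ? null : $row;
    }
}

$reader = new MerchantScopedOrderReader($pdo, 10);
var_dump($reader->findAll());    // rows visible to merchant 10
var_dump($reader->findById(3));  // order 3 was inserted for merchant 20
```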