Case · CPOS / STARR

Compliance-grade sales tracking, in production.

A real-time, compliance-grade sales tracking system for Ontario Government reporting — built for a company most agencies would not have staffed for the work. Service-isolated, PCI-DSS-aligned, integrated with the PoS systems already in the field. Live in production.

Engagement
Sector: Point of sale · Regulated reporting
Status: Completed · Live in production
Engagement: 1–1.5 years
Team: Senior engineers, end-to-end on STARR
Tech: Java · Spring Boot · PostgreSQL · Kubernetes · AWS S3 · PCI-DSS-aligned
§ 01
The situation

A license problem, not a UX problem.

CPOS sells point-of-sale infrastructure. A growing share of their customers operate in categories where Ontario Government reporting is not optional — sales need to be tracked in real time, reconciled against regulated thresholds, and reported in a format the government accepts. Getting it wrong is not a UX problem. It is a license problem.

CPOS had two paths. Build the compliance reporting layer themselves, with a small in-house engineering team that did not have spare capacity for a multi-quarter compliance system. Or find a partner who could own the entire reporting workstream — the integration into the PoS data, the real-time pipeline, the database design that would survive an audit, and the deployment architecture that would meet PCI-DSS expectations.

The first path put the rest of CPOS's product roadmap on hold. The second path was the one they could afford.

§ 02
The approach

Service-isolated. The decision that defined the engagement.

Arc10 took the entire STARR workstream — the real-time sales tracking and reporting system — end to end: architecture, build, deployment, and the integration into the PoS surface CPOS already shipped. Senior engineers joined CPOS's standups and owned the outcome of "STARR ships, on time, audit-ready."

01

Service-isolated, not a feature inside the PoS

The architectural decision that defined the engagement was the choice to build STARR as a service that integrated with the existing CPOS PoS surface, rather than as a feature inside it. Two reasons.

02

Reporting requirements would change with the regulation

Ontario's reporting rules evolve. Isolating STARR in its own service meant that reporting changes did not require redeploying the entire PoS product — the surface customers already trusted in production stayed where it was while the compliance layer absorbed the regulatory motion.

03

Compliance posture lives around STARR specifically

PCI-DSS-aligned design, append-only audit logs, restricted access patterns — these belong tightly scoped to the system that handles regulated data, not diluted across the broader PoS product. Service isolation is what made that scoping enforceable, not just aspirational.

The decision was not a preference. It was the architectural choice that made the rest of the engagement deliverable on a small team's bandwidth without slowing the broader product roadmap.

Senior engineers worked across the Java / Spring Boot backend, the PostgreSQL data model, the Kubernetes deployment surface, and the PoS-side integration. Arc10 owned STARR end to end while CPOS's in-house team continued the broader product roadmap in parallel.

§ 03
What we built

Pipeline, posture, interface.

01

Real-time sales tracking pipeline

Sales events flow from the PoS layer into STARR continuously. The pipeline is built on Java and Spring Boot, with PostgreSQL as the system of record and S3 for long-retention storage of reporting artifacts. The pipeline is idempotent — the same sale event arriving twice does not produce two reported transactions — which is the kind of detail that matters when an auditor traces an entry.

02

Compliance-grade architecture

PCI-DSS-aligned design choices throughout. Cardholder data is not stored in STARR; PoS-side tokenization keeps it out. Audit logs are append-only and separately accessible, so the reporting system itself cannot quietly be the system that erases its own history. Kubernetes deployments segment the workloads that handle sensitive data from the workloads that don't.
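The two database-level properties described above (a redelivered sale event is not counted twice, and the audit log cannot be rewritten), as an added sketch that is not STARR's code. It assumes the PoS assigns each event a unique `event_id`, uses SQLite in place of PostgreSQL so it runs offline, and keeps the audit table in the same database for brevity; all table, column and function names are hypothetical.

```python
import sqlite3

# Constructed schema; table and column names are illustrative assumptions.
SCHEMA = """
CREATE TABLE sale_event (
    event_id     TEXT PRIMARY KEY,   -- idempotency key assigned by the PoS
    kind         TEXT NOT NULL,      -- 'sale', 'refund' or 'void'
    amount_cents INTEGER NOT NULL    -- signed: refunds are negative
);
CREATE TABLE audit_log (
    seq      INTEGER PRIMARY KEY AUTOINCREMENT,
    event_id TEXT NOT NULL,
    outcome  TEXT NOT NULL           -- 'recorded' or 'duplicate'
);
CREATE TRIGGER audit_no_update BEFORE UPDATE ON audit_log
BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;
CREATE TRIGGER audit_no_delete BEFORE DELETE ON audit_log
BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def ingest(db, event_id, kind, amount_cents):
    """Record one PoS event; a redelivered event_id is logged, not re-counted."""
    with db:  # one transaction: the event row and its audit row commit together
        cur = db.execute(
            "INSERT INTO sale_event VALUES (?, ?, ?) "
            "ON CONFLICT(event_id) DO NOTHING",
            (event_id, kind, amount_cents))
        outcome = "recorded" if cur.rowcount == 1 else "duplicate"
        db.execute("INSERT INTO audit_log (event_id, outcome) VALUES (?, ?)",
                   (event_id, outcome))
    return outcome

def reported_total(db):
    """Sum that a report would be built from; duplicates never reach it."""
    row = db.execute("SELECT COALESCE(SUM(amount_cents), 0) FROM sale_event")
    return row.fetchone()[0]

def try_erase_history(db):
    """Attempt to wipe the audit log; returns True only if the delete succeeded."""
    try:
        with db:
            db.execute("DELETE FROM audit_log")
        return True
    except sqlite3.DatabaseError:
        return False
```

In PostgreSQL the same `ON CONFLICT ... DO NOTHING` clause applies, and the append-only property is more commonly enforced by revoking `UPDATE` and `DELETE` on the audit table from the application role than by triggers the application's own role could drop.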

03

Government reporting interface

Reporting outputs in the format Ontario Government systems accept, generated on the cadence the regulation requires, with reconciliation against the source pipeline so the report and the database tell the same story. Edge cases — refunds, voids, partial transactions — were specified, implemented, and tested against representative data.

§ 04
Outcomes

Live, parallel, durable.

In production
Status: Live
STARR in production · serving CPOS customers in the regulated categories
Roadmap: Parallel
CPOS's in-house team kept shipping the broader PoS product alongside STARR
Architecture: Durable
Service-isolated design has absorbed regulatory updates without redeploying the PoS surface
  • STARR is live in production and serving CPOS customers in the categories that require Ontario Government compliance reporting.
  • CPOS's in-house team did not have to slow the rest of the roadmap to ship the compliance system — the non-STARR product work continued in parallel throughout the engagement.
  • The architecture has held up across regulatory updates. STARR's service-isolated design has absorbed reporting changes without forcing CPOS to redeploy the broader PoS surface.
  • Append-only audit logs and PoS-side tokenization keep the regulated-data surface tightly scoped — the compliance posture is enforced architecturally, not by convention.
From the client

Arc10 brought technical expertise, dedication, and customer service that we hadn't seen from other partners. The work was delivered well, and the team understood what compliance-grade work actually requires.

John Sbrolla, CPOS Inc.
Engagement footnote

Compliance-grade work, shipped on a small team's bandwidth — without slowing the rest of CPOS's roadmap.

Status: Live in production
Engagement: 1–1.5 years
Workstream: Arc10-owned, STARR end-to-end
Cadence: Embedded in CPOS's standups; in-house team continued the broader roadmap in parallel