Internal Sales CRM · 22 n8n Automations · 7 AI providers · 🇪🇺 EU-hosted

Riskitera's commercial cockpit for selling GRC into ENS / NIS2 / DORA / ISO 27001 / EU AI Act accounts
+ 📋 Full sales cycle: leads · visits · pipeline · opportunities · offers · monthly reviews · NPS/CSAT
+ 🔁 22 n8n automations baked in: welcome sequences, daily summaries, escalations, pipeline alerts
+ 📨 6 email providers (Resend · Zoho · Brevo · SES · Mailgun · SMTP) with open/click tracking
+ 🤖 7 AI providers behind a unified chat assistant (incl. self-hosted vLLM for sensitive data)
+ 🔔 Real-time alerts via Telegram, Slack/Teams webhooks and outbound HMAC-signed webhooks
+ 🇪🇺 100% EU-hosted (Fly.io CDG + Cloudflare Pages + Supabase EU)
- ❌ No vendor lock-in to a single email provider
- ❌ No US-only data residency
- ❌ No SaaS-CRM seat tax — you own the stack

st4rtup (a.k.a. Riskitera Sales) is the internal sales CRM built by Riskitera S.L.U. to sell its GRC platform to Spanish and European companies subject to cybersecurity regulations (ENS Alto · NIS2 · DORA · ISO 27001 · EU AI Act).

Unlike classic SaaS CRMs (HubSpot, Pipedrive, Salesforce), which charge per seat, force pre-baked workflows and depend on US-hosted servers, st4rtup is designed as a founder's cockpit:

| 📋 Sales Ops | 🔁 Automation | 🤖 AI & Comms | 🛡️ Operations |
|---|---|---|---|
| Lead capture + scoring | 22 seeded n8n workflows | 7 AI providers | RBAC: admin · comercial · viewer |
| Visits + auto follow-ups | Internal APScheduler | Self-hosted vLLM option | Immutable audit log |
| Pipeline drag-and-drop | Daily summaries | Content pipeline 4-agent | Cost control + guardrails |
| Offers + e-signature | Action escalation | Social listening | GrowthBook feature flags |
| Public NPS/CSAT | Pipeline stage triggers | Hunter.io enrichment | Webhook HMAC dispatcher |
| Account plans + monthly reviews | Stale-deal scheduler | Waalaxy LinkedIn outreach | Telegram + Slack + Teams |
📋 Business modules covered

| # | Module | Use cases |
|---|---|---|
| 1 | Leads | Capture from web/Apollo/CSV, scoring, Hunter.io enrichment, dedup |
| 2 | Sales visits | Calendar, outcome, auto-creation of follow-up actions |
| 3 | Pipeline | Drag-and-drop stages, stale-deal alerts, weekly report |
| 4 | Opportunities | Forecasting, probability, weighted ARR |
| 5 | Offers | White-label PDF, DocuSign/YouSign e-signature, invoicing |
| 6 | Account plans | Strategic planning per key account |
| 7 | Monthly reviews | Project status + consolidated reporting |
| 8 | Surveys | Post-close NPS + quarterly CSAT with public links |
| 9 | Email campaigns | Multi-provider, open/click tracking, sequenced follow-ups |
| 10 | Notifications | DB + Telegram + Slack + Teams + outbound HMAC webhooks |
| 11 | Chat assistant | Context-aware conversations with 7 AI backends |
| 12 | Reports | Pipeline health, activity, performance per sales rep |
| 13 | Content pipeline | 4 AI agents: keyword → draft → SEO → meta tags |
| 14 | Social listening | Brand + competitor monitoring |
| 15 | Cost control | Budget caps + cost events + guardrail engine for LLM calls |
```mermaid
flowchart TB
    subgraph EDGE["🌐 Edge"]
        CFP[☁️ Cloudflare Pages<br/>frontend SPA]
        SUP[🟢 Supabase Auth<br/>JWT HS256]
    end
    subgraph FLY["🇫🇷 Fly.io · Région CDG"]
        subgraph WEB["Web tier"]
            FAST[🐍 FastAPI async<br/>Python 3.11]
        end
        subgraph SVC["Services tier"]
            EMAIL[📨 Email service<br/>6 providers]
            NOTIF[🔔 Notification service]
            CHAT[🤖 AI chat service<br/>7 providers]
            HUNT[🔎 Hunter.io enrichment]
            CP[✍️ Content pipeline<br/>4 AI agents]
            COST[💰 Guardrail engine<br/>budget caps]
        end
        subgraph SCHED["Schedulers"]
            APS[⏰ APScheduler<br/>internal cron]
        end
        subgraph DATA["Data tier"]
            PG[(🐘 PostgreSQL 15<br/>50+ tables · asyncpg)]
        end
    end
    subgraph EXT["🔌 External"]
        N8N[🟠 n8n<br/>22 workflows]
        TG[📨 Telegram Bot]
        SLACK[💬 Slack / Teams]
        WAA[💼 Waalaxy LinkedIn]
        VLLM[🚀 vLLM self-hosted<br/>sovereign option]
        APOLLO[🟣 Apollo.io]
        GCAL[📅 Google Calendar]
        STRIPE[💳 Stripe-ready]
    end
    CFP --> FAST
    CFP --> SUP
    SUP -.JWT.-> FAST
    FAST --> PG
    FAST --> EMAIL
    FAST --> NOTIF
    FAST --> CHAT
    FAST --> HUNT
    FAST --> CP
    FAST --> COST
    APS --> FAST
    NOTIF --> TG
    NOTIF --> SLACK
    EMAIL -.providers.-> FAST
    CHAT --> VLLM
    CP --> VLLM
    N8N -.webhooks.-> FAST
    FAST -.HMAC dispatch.-> N8N
    HUNT -.API.-> FAST
    APOLLO -.sync.-> FAST
    GCAL -.bidirectional.-> FAST
    WAA -.outreach.-> FAST
    style CFP fill:#F38020,stroke:#fff,color:#fff
    style SUP fill:#3FCF8E,stroke:#fff,color:#fff
    style FAST fill:#009688,stroke:#fff,color:#fff
    style PG fill:#4169E1,stroke:#fff,color:#fff
    style N8N fill:#EA4B71,stroke:#fff,color:#fff
    style TG fill:#26A5E4,stroke:#fff,color:#fff
    style VLLM fill:#FF6F00,stroke:#fff,color:#fff
```
```mermaid
sequenceDiagram
    autonumber
    participant W as 🌐 Web form
    participant N as 🟠 n8n LD-01
    participant API as 🐍 FastAPI
    participant DB as 🐘 Postgres
    participant H as 🔎 Hunter.io
    participant TG as 📨 Telegram
    participant U as 🙋 Comercial
    participant V as 🚀 vLLM
    W->>N: webhook submit
    N->>API: POST /leads (HMAC verified)
    API->>DB: INSERT lead (status=new)
    API->>H: enqueue enrichment (LD-03)
    H-->>API: company data + email validity
    API->>DB: UPDATE lead (enriched)
    API->>API: lead scoring (LD-04)
    API->>DB: UPDATE lead.score
    API->>TG: notify "🔥 nuevo lead score=85"
    TG-->>U: push notification
    U->>API: GET /leads/{id}
    U->>API: POST /visits (schedule)
    Note over API,DB: VI-01 auto-creates follow-up actions
    U->>API: POST /chat (ask AI assistant)
    API->>V: invoke vLLM (sensitive data)
    V-->>API: contextual answer
    API-->>U: answer + sources
    Note over API,DB: AC-01 next morning sends daily summary
```
```
st4rtup/
├── 📄 CLAUDE.md                      # Development rules + context
├── 📄 ARCHITECTURE.md                # System patterns and gaps
├── 📄 SECURITY_REVIEW.md             # OWASP Top 10 audit
├── 📄 CODE_REVIEW.md                 # Quality review
├── 📄 QA_PLAN.md                     # Testing strategy
├── 📄 README.md                      # ← you are here
│
├── 📁 backend/                       # FastAPI async
│   ├── 📁 app/
│   │   ├── 🌐 api/v1/endpoints/      # 19 routers (leads, visits, emails, ...)
│   │   ├── 🛠️ core/                  # config · database · security
│   │   ├── 🗂️ models/                # SQLAlchemy 2 (per domain)
│   │   ├── 📋 schemas/               # Pydantic v2 (per domain)
│   │   ├── 🔧 services/              # Email · notif · AI · content · cost · vLLM
│   │   ├── 🤖 agents/                # Agent definitions
│   │   ├── 📨 email_templates/       # Jinja templates
│   │   ├── ⏰ tasks.py               # APScheduler jobs
│   │   └── 🛠️ utils/
│   ├── 📁 alembic/                   # Async migrations
│   ├── 📁 tests/                     # 33 test files (pytest-asyncio)
│   ├── 🐳 Dockerfile
│   └── requirements.txt
│
├── 📁 frontend/                      # React 18 + Vite SPA
│   └── 📁 src/
│       ├── 📁 pages/                 # 48+ pages: Dashboard · Leads · Pipeline ·
│       │                             # Actions · GTM · Marketing · ContentPipeline ·
│       │                             # ReportBuilder · Webhooks · CostControl · ...
│       ├── 📁 components/            # Layout · widgets · common reusable
│       ├── 📁 services/              # Axios api client
│       ├── 📁 hooks/                 # useUserRole · usePersistedFilters · ...
│       ├── 📁 store/                 # Zustand: UI · userPrefs · auth
│       ├── 📁 contexts/              # AuthContext (Supabase)
│       ├── 📁 i18n/                  # ES + EN
│       ├── 📁 mocks/
│       └── 📁 test/                  # Vitest setup
│
├── 📁 docs/
│   ├── 📁 adr/                       # ADR-001-architecture
│   ├── 📁 skills/                    # Claude Code skill files
│   ├── 📁 templates/
│   ├── 📁 manuales/
│   ├── 📁 operations/
│   ├── 📁 admin-dashboard/
│   ├── 📄 PRD-riskitera-sales.md
│   ├── 📄 ROADMAP.md
│   ├── 📄 SCHEDULER.md
│   ├── 📄 N8N_VS_INTERNAL.md
│   ├── 📄 HETZNER_SECURITY_PLAN.md
│   └── 📄 USER_MANAGEMENT_GUIDE.md
│
├── 📁 zoho-extension/                # Zoho Mail extension companion
├── 📁 ops/                           # Ops scripts
├── 📁 scripts/                       # SQL helpers
├── 📁 sql/
├── 📁 migrations/
├── 📁 content/
└── 📄 fly.toml / railway.toml        # Deploy configs
```
| ID | Category | Name | Priority |
|---|---|---|---|
| EM-01 | 📨 Email Automation | Welcome Sequence | 🔴 Critical |
| EM-02 | 📨 Email Automation | Email Tracking | 🔴 Critical |
| EM-03 | 📨 Email Automation | Re-engagement | 🟠 High |
| EM-04 | 📨 Email Automation | Post-Visit Follow-up | 🟠 High |
| LD-01 | 🎯 Leads & Acquisition | Web Form Webhook | 🔴 Critical |
| LD-02 | 🎯 Leads & Acquisition | Apollo.io Sync | 🟠 High |
| LD-03 | 🎯 Leads & Acquisition | Automatic Enrichment | 🟡 Medium |
| LD-04 | 🎯 Leads & Acquisition | Automatic Lead Scoring | 🟠 High |
| VI-01 | 📅 Visits | Auto-create Post-Visit Actions | 🟠 High |
| VI-02 | 📅 Visits | Pre-Visit Reminder | 🟡 Medium |
| VI-03 | 📅 Visits | Google Calendar Sync | 🟡 Medium |
| AC-01 | ⚡ Actions & Alerts | Daily Action Summary | 🔴 Critical |
| AC-02 | ⚡ Actions & Alerts | Automatic Escalation | 🟠 High |
| AC-03 | ⚡ Actions & Alerts | Auto-close Actions | 🟡 Medium |
| PI-01 | 📊 Pipeline | Stage Change Triggers | 🟠 High |
| PI-02 | 📊 Pipeline | Weekly Pipeline Report | 🟠 High |
| PI-03 | 📊 Pipeline | Stale Deal Alert | 🟠 High |
| MR-01 | 📅 Monthly Follow-up | Monthly Review Auto-generation | 🔴 Critical |
| MR-02 | 📅 Monthly Follow-up | Consolidated Monthly Report | 🟠 High |
| SV-01 | 📝 Surveys | Post-Close Survey (NPS) | 🟠 High |
| SV-02 | 📝 Surveys | Quarterly CSAT Survey | 🟡 Medium |
| IN-01 | 🔌 Integrations | Import Scraped Leads | 🟠 High |
| IN-02 | 🔌 Integrations | Telegram Notifications Hub | 🟠 High |
The 22 automations are initialized from `/api/v1/automations/seed` and managed via the dashboard. They are defined in `backend/app/services/` plus JSON workflows in n8n.

| Module | Endpoint | Status |
|---|---|---|
| Dashboard | `/dashboard/stats` | ✅ |
| Leads | `/leads` | ✅ CRUD + import + scoring |
| Visits | `/visits` | ✅ CRUD + auto-actions |
| Emails | `/emails` + `/emails/{id}/send` | ✅ Multi-provider |
| Actions | `/actions` | ✅ CRUD + escalation |
| Opportunities | `/opportunities` | ✅ CRUD |
| Offers | `/offers` | ✅ PDF + e-sign |
| Account Plans | `/account-plans` | ✅ CRUD |
| Monthly Reviews | `/monthly-reviews` | ✅ CRUD + auto-gen |
| Surveys | `/surveys` | ✅ Public NPS + CSAT |
| Contacts | `/contacts` | ✅ CRUD |
| Automations | `/automations` + `/seed` | ✅ Toggle + executions |
| Auto Tasks | `/automation-tasks` | ✅ |
| Notifications | `/notifications` | ✅ DB + push |
| Chat | `/chat` | ✅ 7 AI providers |
| Reports | `/reports` | ✅ Pipeline · activity · performance |
| Users | `/users` + `/me/profile` | ✅ RBAC 3 roles |
| Settings | `/settings` | ✅ Admin only |
```bash
cd backend
python -m venv venv && source venv/bin/activate
pip install -r requirements.txt
cp .env.example .env  # Configure SUPABASE_*, DATABASE_URL, providers
alembic upgrade head
uvicorn app.main:app --reload --port 8001
```

```bash
cd frontend
npm install
cp .env.example .env  # VITE_API_URL, VITE_SUPABASE_*
npm run dev
```

| Service | URL |
|---|---|
| Frontend | http://localhost:5173 |
| Backend API | http://localhost:8001 |
| Swagger | http://localhost:8001/docs |
| ReDoc | http://localhost:8001/redoc |
| Production | https://sales.riskitera.com |

```bash
# Backend
cd backend && pytest tests/ -v --asyncio-mode=auto
cd backend && ruff check app/
# Frontend
cd frontend && npm run lint && npm run build
cd frontend && npm test          # watch
cd frontend && npm run test:run  # CI
```

| Component | Platform | Method |
|---|---|---|
| Backend | Fly.io `riskitera-sales-backend` (CDG) | `fly deploy` (auto on push to main) |
| Frontend | Cloudflare Pages | Auto-build on push to main |
| DB | Fly.io Postgres `riskitera-postgres` (CDG) | Managed |
| CI/CD | GitHub Actions | `.github/workflows/ci.yml` |
```mermaid
gantt
    title st4rtup Roadmap 2026
    dateFormat YYYY-MM-DD
    axisFormat %b
    section 🧱 Foundation
    Stack base + auth :done, f1, 2026-01-08, 14d
    19 routers + 50 tablas :done, f2, after f1, 21d
    33 test files :done, f3, after f2, 7d
    section 🔁 Automations
    22 n8n workflows :done, a1, 2026-02-15, 21d
    APScheduler internal :done, a2, after a1, 7d
    Webhook HMAC dispatch :done, a3, after a2, 7d
    section 🚀 Production
    CI/CD GitHub Actions :done, p1, 2026-03-01, 5d
    Fly.io deploy :done, p2, after p1, 3d
    Cloudflare frontend :done, p3, after p2, 3d
    Sentry hardening :active, p4, 2026-04-08, 10d
    section ✨ Mejoras
    MOD-LINKEDIN-001 : m1, after p4, 30d
    Offers e-sign full : m2, after m1, 14d
    Content pipeline GA : m3, after m2, 14d
    Cost control v2 : m4, after m3, 10d
    section 🎯 v2.0
    Multi-tenant SaaS : v1, after m4, 60d
    Public launch :crit, pl, after v1, 1d
```
- Sprint 1 · FastAPI async + Postgres + Supabase Auth
- Sprint 2 · 19 routers + 50 tables + 33 test files
- Sprint 3 · 22 seeded n8n workflows + internal APScheduler
- Sprint 4 · 6 email providers + Telegram + Slack/Teams + HMAC webhooks
- Sprint 5 · 7 AI providers + content pipeline 4-agent + vLLM self-hosted
- Sprint 6 · CI/CD GitHub Actions → Fly.io + Cloudflare auto-deploy
- Sprint 7 · Cost control + guardrails + GrowthBook feature flags
- Hardening 9.5 · Sentry findings (2026-04-08): 7 real bugs in prod
- MOD-LINKEDIN-001 · Taplio-killer for founders (Waalaxy + content pipeline)
- v1.3 · Offers e-signature production-ready
- v2.0 · Multi-tenant SaaS evolution
Current status: PRODUCTION at `sales.riskitera.com` · 19 routers · 50+ tables · 33 backend test files · Auto-deploy Fly.io + Cloudflare · 22 automations live

| 🇪🇺 EU-hosted | 🔐 Encryption | 📜 Compliance | 🔍 Audit |
|---|---|---|---|
| Fly.io CDG (France) | TLS 1.3 in-transit | RGPD-friendly | Workflow audit log |
| Cloudflare Pages | JWT HS256 (Supabase) | ENS Alto-aligned | Cost events log |
| Supabase EU | Webhook HMAC dispatch | No US transfers | 33 test files (pytest) |
| Postgres CDG | API keys env vars | Right to erasure | Sentry observability |
⚠️ Sentry monitored: sprint 9.5 hardening in progress (2026-04-08). An internal audit of the Sentry production logs found 7 real bugs in production that block the next release. Tracked in `project_st4rtup_sentry_errors_20260408`:

| ID | Severity | Component | Category |
|---|---|---|---|
| PYTHON-FASTAPI-6 | 🟠 High | PendingRollbackError in async session | Database |
| DRIP-EMAILS | 🟠 High | Syntax error in `drip_emails` task | Scheduler |
| SCHEDULER-IMP-1..3 | 🟠 High | 3 broken imports in scheduler | Scheduler |
| JSON-LIKE | 🟡 Medium | Malformed JSON LIKE query | API |
| USER-NDF | 🟡 Medium | `User` not defined in endpoint | API |

The detailed remediation plan is in the internal memo. Start the next sprint with PYTHON-FASTAPI-6.
🔒 Credentials policy: all API keys (email providers, AI providers, Apollo, Hunter, Telegram, Slack) live in environment variables and Fly.io secrets. They are never hardcoded and never stored in a committed `.env`.

🛡️ Webhook policy: all outbound webhooks are signed with HMAC. Inbound webhooks from n8n are verified against `X-Webhook-Signature` before any business action is executed.
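
The inbound check from the webhook policy above, as an added example that is not st4rtup's own code. It assumes HMAC-SHA256 with a hex digest in `X-Webhook-Signature` (the page names the header but not the algorithm or encoding); the secret and payload are constructed.

```python
import hashlib
import hmac
import json

# Assumption: HMAC-SHA256, hex-encoded, carried in X-Webhook-Signature.
# The page names the header but not the algorithm or the encoding.
SIGNATURE_HEADER = "X-Webhook-Signature"


def sign_payload(secret: bytes, raw_body: bytes) -> str:
    """Sender side: MAC over the exact bytes that go on the wire."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, raw_body: bytes, headers: dict) -> bool:
    """Receiver side: True only if the header holds a valid MAC of raw_body."""
    received = headers.get(SIGNATURE_HEADER)
    if not received:
        return False  # unsigned request: reject before any business logic
    try:
        received_mac = bytes.fromhex(received.strip())
    except ValueError:
        return False  # not hex (garbage, wrong encoding, non-ASCII)
    expected_mac = hmac.new(secret, raw_body, hashlib.sha256).digest()
    # Constant-time comparison; == would leak how many leading bytes match.
    return hmac.compare_digest(expected_mac, received_mac)


def demo() -> dict:
    secret = b"constructed-demo-secret"  # in practice: env var / Fly.io secret
    body = b'{"email": "ana@example.com", "source": "web-form"}'  # constructed
    sig = sign_payload(secret, body)
    # Re-serialising parsed JSON changes the bytes, so the MAC stops matching.
    reserialised = json.dumps(json.loads(body), separators=(",", ":")).encode()
    return {
        "valid": verify_signature(secret, body, {SIGNATURE_HEADER: sig}),
        "missing_header": verify_signature(secret, body, {}),
        "tampered_body": verify_signature(
            secret, body.replace(b"ana@", b"eve@"), {SIGNATURE_HEADER: sig}),
        "wrong_secret": verify_signature(b"other", body, {SIGNATURE_HEADER: sig}),
        "not_hex": verify_signature(secret, body, {SIGNATURE_HEADER: "ñ-not-hex"}),
        "reserialised_json": verify_signature(
            secret, reserialised, {SIGNATURE_HEADER: sig}),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:18} -> {'accept' if ok else 'reject'}")
```

The `reserialised_json` case is the one that bites in practice: the verifier has to run over the raw request bytes, before the framework parses the body into a model.
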
| Aspect | 🚀 st4rtup | HubSpot | Pipedrive | Salesforce | Close.io |
|---|---|---|---|---|---|
| Pricing model | 🟢 Own stack (zero seat tax) | 🔴 Per seat | 🔴 Per seat | 🔴 Per seat | 🔴 Per seat |
| Hosting | 🟢 EU (Fly CDG + CF) | 🔴 US | 🟡 EU + US | 🔴 US | 🔴 US |
| Email providers | 🟢 6 interchangeable | 🟡 Proprietary | 🟡 Proprietary | 🟡 Proprietary | 🟡 Proprietary |
| Automations | 🟢 22 n8n + APScheduler | 🟡 Paid | 🟡 Paid | 🟡 Paid | 🟡 Limited |
| Self-hosted LLM | 🟢 Native vLLM | 🔴 No | 🔴 No | 🔴 No | 🔴 No |
| Webhook HMAC | 🟢 Out-of-the-box | 🟡 Add-on | 🟡 Add-on | 🟢 Yes | 🟡 Add-on |
| Telegram alerts | 🟢 Native | 🔴 No | 🔴 No | 🔴 No | 🔴 No |
| GRC vertical | 🟢 First-class | 🔴 Generic | 🔴 Generic | 🟡 AppExchange | 🔴 Generic |
| Spanish language | 🟢 First-class | 🟡 Partial | 🟡 Partial | 🟡 Partial | 🔴 EN only |
| Vendor lock-in | 🟢 Zero (open-source stack) | 🔴 Total | 🔴 Total | 🔴 Total | 🔴 Total |
This is a proprietary Riskitera S.L.U. project in internal production. We do not accept external contributions yet.

If you want to follow development, give the repo a ⭐. If you are interested in the product as an early adopter of the multi-tenant SaaS version (v2.0), get in touch below.

👨‍💻 For internal collaborators

- Read `CLAUDE.md` before any PR: it holds the backend/frontend conventions
- Branch strategy: `main` (production) · `develop` (staging) · `feature/*`
- Commits in English, conventional style (`feat:`, `fix:`, `docs:`, `refactor:`, `chore:`)
- Backend: async/await always · SQLAlchemy 2.0 (`select()`, not `query()`) · Pydantic v2 (`model_validate`, `model_dump`) · type hints mandatory
- Frontend: functional components · descriptive React Query keys · Zustand for global state · Tailwind utilities · `@/` alias
- Tests are mandatory for: new endpoints, services, hooks, store mutations
- Never commit `.env`, credentials, Postgres dumps or JWT secrets
- A PR requires: description + checklist + screenshots if it touches the UI
Copyright © 2026 Riskitera S.L.U. All rights reserved.
This software is the exclusive property of Riskitera S.L.U.
Its use, copying, modification or distribution without express
written authorization is strictly prohibited.
To license st4rtup / Riskitera Sales for commercial use, contact:
david@riskitera.com
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Built with 🧡 in 🇪🇸 by Riskitera S.L.U.
🚀 Selling GRC, one automated workflow at a time.