Customer: SkinSmart
Short Description
SkinSmart is a smart-beauty mobile app that turns a short, conversational skin survey into a personalized skincare routine. Digico Solutions migrated SkinSmart off Azure and onto a production-grade, fully automated AWS platform, containerizing the backend on Amazon ECS Fargate, re-platforming its AI onto Amazon Bedrock with Anthropic’s Claude, and cutting over with zero unplanned downtime.
Overview
SkinSmart’s core experience is an AI assistant: a friendly chatbot asks users a guided set of questions and produces a tailored skincare routine. The team had already proven the concept and built real momentum on Azure, with the AI powered by an OpenAI API key. As they set their sights on growth, scale, and stronger security, they wanted a cloud foundation built to match those ambitions.
Digico Solutions was engaged to consolidate the platform onto AWS: to containerize and harden the backend, bring the AI in-house under a governed managed service, and deliver the entire estate as reproducible infrastructure-as-code across isolated staging and production environments, all without disrupting the live app.
The Challenge
SkinSmart came to Digico Solutions with clear ambitions: to grow its user base, scale its AI experience, and put production-grade foundations under a product that was already resonating with users. The app ran on Azure with its AI powered by an OpenAI API key, and its media and database services were spread across a few different providers. The goal was to bring all of it together on AWS as a single, cohesive, and fully automated platform, engineered for scale and resilience from day one, with a self-healing runtime so that rapid growth would never come at the cost of availability.
The bar was set high by the sector SkinSmart operates in. As a beauty and skin product making user-facing recommendations, its AI called for a governed safety layer that enforces content, PII, and regulatory-language rules independently of any prompt. The engagement also carried a defining requirement around data: under strict KSA data-protection law, Digico Solutions would carry out the entire migration without ever accessing SkinSmart’s customer data. Every step, from moving the database to re-pointing the media library, had to be executed blind, with zero data loss and zero data access. The challenge was to consolidate everything into a coherent, governed, and provably compliant AWS platform, without a moment of disruption to the live app.
The Solution
Digico Solutions rebuilt SkinSmart’s platform on AWS, delivered end-to-end as Terraform infrastructure-as-code, parameterized across staging and production, with a deploy-time guard preventing changes from ever landing in the wrong account.
- Containerized the backend on Amazon ECS Fargate, running the Spring Boot service across two Availability Zones with autoscaling, a deployment circuit breaker with automatic rollback, and health-gated rolling deploys. A failed release now rolls back on its own and unhealthy containers are replaced automatically, so the live app keeps serving traffic without interruption.
- Fronted the API with an Application Load Balancer terminating TLS protected in production by AWS WAFwith managed rule groups (OWASP Top 10, known-bad inputs) and per-IP rate limiting.
- Established a private-by-default network. Workloads run in private subnets with no public IP; the load balancer is the only internet-facing component. Traffic to AWS services (ECR, Secrets Manager, Bedrock, CloudWatch, S3) is kept on the AWS private network through VPC endpoints.
- Migrated the application database to MongoDB Atlas on AWS, reached privately over VPC peering, with zero data loss, executed as a blind migration in which Digico Solutions moved the data without ever accessing its contents, honoring the client’s KSA data-privacy obligations.
- Migrated the media library from Azure Blob Storage to Amazon S3 using AWS DataSync and re-pointed every asset reference from Azure Blob URLs to the new Amazon CloudFront CDNs performed blind, without inspecting asset contents. Objects are served through CloudFront with Origin Access Control so the bucket stays private and assets are delivered only through the CDN.
- Re-platformed the AI from Azure/OpenAI to Amazon Bedrock, running Anthropic’s Claude Sonnet over a private Bedrock VPC endpoint. Every inference call passes through a Bedrock Guardrail that enforces content, PII, and regulatory-language policies in both English and Arabic independently of the application’s prompts, with full model-invocation logging for auditability. Bedrock’s data-retention posture guarantees that no customer data is ever shared with model providers or retained by AWS itself, so SkinSmart keeps full ownership of all its AI data indefinitely.
- Eliminated static cloud credentials. CI/CD authenticates to AWS through OIDC federation, and the application reads its secrets at runtime from AWS Secrets Manager and SSM Parameter Store via tightly scoped IAM roles meaning no long-lived keys anywhere.
- Built an automated delivery pipeline. The frontend is hosted on AWS Amplify; the backend pipeline builds and pushes images to Amazon ECR and triggers a Terraform-driven ECS rollout, with formatting, validation, linting, and security scanning enforced on every change.
- Instrumented full-stack observability including centralized CloudWatch logs, metrics, alarms, and dashboards; distributed tracing with AWS X-Ray; and real-time alerting into Slack via AWS Chatbot.
- Added account-level governance with a multi-region CloudTrail audit trail with tamper-evident logging and security alarms (root-account usage, failed console sign-ins), plus AWS Budgets with alerting.
- Provided zero-trust developer access to the private database through a Twingate connector ensuring no VPN, no bastion host, and no public database endpoint.
The Results
- Full migration and cutover completed in four weeks (18 May – 9 June 2026).
- Zero unplanned downtime. The only interruption was a planned 90-minute cutover window, and the team finished ahead of it.
- Zero data loss across both the database and the media library migrations.
- Compliance by design. Both migrations were completed without DS ever accessing SkinSmart’s customer data, satisfying strict KSA data-privacy requirements end to end.
- A self-healing runtime. Failed deployments roll back automatically and unhealthy containers are replaced without taking the service offline.
- A governed AI stack. Every model call is screened by a Bedrock Guardrail and logged, with access locked to a single approved model over a private endpoint, the assurance a beauty and skin product needs.
- One reproducible platform. Staging and production are defined entirely in code, isolated by design, and consistent with one another.
The Outcome
SkinSmart now runs on a single, secure, and fully automated AWS foundation. What once spanned multiple providers is now consolidated into one platform that is observable, self-healing, and built to scale, with its AI governed to the standard its sector demands and its entire infrastructure reproducible from code. With autoscaling, private networking, and account-level auditing built in from day one, SkinSmart is positioned to scale its AI-guided skincare experience with confidence.
