How to Conduct an Architecture Review


One thing that we like to do with most of our bigger projects at VMLY&R is an Arc Review (short for Architecture Review). These are the common questions we ask ourselves and answer, then review as a team, to make sure it all makes sense before we go off and build the site.

Below is a template for conducting an Arc Review. I will try to make it as easy to follow as possible. I will be putting in a placeholder for the company name where relevant.


Here is the list of questions we ask in an Arc Review:

  1. New client?

  2. New team?

  3. New platform for [COMPANY]?

  4. New systems integration?

  5. Budget is over $500k?

  6. Potential for PII/PCI?

  7. Market-driven launch date?

  8. Team members and Stakeholders?

  9. Key Dates

  10. Reference Links

  11. Client Engagement Model

We then do an Application Overview. In it, we ask for Key Assumptions, Known Risks, Best Practices & Reuse, and Opportunities & Growth. Then we list any diagrams. After that, we go through a series of categories of questions.


  1. What technology stack does the project primarily use (including client and server-side)?

  2. Does this project utilize a web content management system (WCMS)? If so, which one(s)?

  3. What programming languages does the project use?

  4. What frameworks does the project use?

  5. Does this project include a mobile application or use single-page web applications?

  6. How is authentication handled for this project and, if custom-built, did you follow [COMPANY]’s Application Security Guidelines?

  7. Does your project handle session management using a well-known implementation or, if it is custom-built, did it follow [COMPANY]’s Application Security Guidelines?

  8. Does your project include personalization? Is personalization out of the box functionality? 3rd party? Custom?

  9. Does your project include A/B Testing and if so, how is it tracked and reported on?

  10. List any 3rd party web services this project uses.

  11. List any custom-built web services that are publicly exposed or utilized by external processes.

  12. List any systems you are integrating with your project (e.g. eCommerce, CRM, email, ESB).

  13. How does your project handle search and does it use any 3rd party platforms?

  14. How does your project handle caching (CDN, other)?


  1. What platforms, infrastructure, languages, and technologies does your API leverage for implementation and how are they used?

  2. What API standards are you using?

  3. How does the API handle authentication and authorization?

  4. Is the API idempotent, other than POSTs? If not, explain why.

  5. How does the API present error messages to consumers? How are errors logged?

  6. Describe any caching or compression used by the API.

  7. How does the API implement pagination?

  8. Will you provide content negotiation?

  9. Is the API versioned, and if so how is the version represented to the client?

  10. Does the API support bulk operations? If so, how is the request formed?

  11. How do you document your API?


  1. Are [COMPANY] internal team passwords, secrets, admin accounts, etc. stored in Enterprise LastPass?

  2. Have you scheduled or already executed an application security scan? 

  3. What Personally Identifiable Information (PII) or Payment Card Industry (PCI) compliant data does your project capture?

  4. What data encryption techniques does the project use (in transit, at rest)?

  5. How are authentication and authorization accomplished for the application?

  6. What is the plan for Incident Report and Response (client specific, [COMPANY] standard)?

  7. What is the plan for proactive patching of servers, platforms, and libraries?

  8. If there is a security breach, is there any risk of [COMPANY] liability? If so, has this liability been reviewed with the senior leadership team?

  9. What is the plan for executing a threat assessment?

  10. Did you evaluate your project against the GDPR Checklist? How are you addressing concerns from the CCPA?

  11. Have you read the MSA between the client and [COMPANY] to see if there are any specific security practices or concerns detailed in that document?


  1. How is the team handling code reviews? How often are they scheduled?

  2. What 3rd party JavaScript libraries or frameworks does your project utilize?

  3. Describe the automation for builds, deployments, and testing.

  4. Does your project use any mapping and geolocation tools?

  5. Does your project use video or other rich media types?

  6. Does your project collect form data? Where and how are you storing that data?

  7. How does your project handle exceptions and how are you logging?

Web Content Management System (WCMS):

  1. Which WCMS does the project use and what were the drivers for the selection of the WCMS?

  2. What is the process for creating new pages/content and moving them between the environments (dev, qa, prod, etc.)?

  3. Are there any current or future plans to display content in a language other than the primary language and will it require additional coding for support?

  4. What “Out of the Box” features of your platform are, or are not, included in your architecture (e.g. Drupal LIFT, Adobe Analytics/Target, Sitecore Forms for Marketers)?


  1. Describe the process for Application/Unit testing

  2. Describe the process for Sanity testing

  3. Describe the process for Integration testing

  4. Describe the process for Business Process testing

  5. Describe the process for Performance (Load) testing

  6. Describe the process for Analytics testing

  7. Describe the process for Globalization testing

  8. Describe the process for Browser/Device testing

  9. Describe the process for Regression testing

Non-Functional Requirements


  1. How are analytics gathered and reported on for the site (e.g. Google Analytics, WebTrends or Omniture)?

  2. Do you have a baseline for what is currently being captured?

  3. Has configuration been done to ensure that internationalized sites are tracking appropriately with the baseline?


  1. Where are the environments (production and non-production) for the project hosted? 

  2. What level of responsibility does [COMPANY] have for supporting infrastructure for the project?

  3. When provisioning, what Infrastructure as Code (IaC) tools are in use? What IaC tools are used to manage configuration?

  4. Did you validate the project against the “TechOps New Project Planning Checklist”?

Performance and Scalability:

  1. Are there any planned promotions or heavy traffic tied to the site/launch?

  2. What processes are in place to mitigate high traffic that affects performance?

  3. Are the other services the project depends on able to scale and meet traffic demands? Are you implementing any caching to protect those services?

  4. Did you validate the project against the Performance Checklist?

  5. Where are baselines and requirements recorded for performance and scalability?


  1. How are 301 redirects being handled to ensure SEO ranking is not adversely affected?

  2. Did you validate the project against the “Technical SEO Checklist for Website Launches”?


  1. Did you validate the project against the “Site Prelaunch Checklist”?


With this, we hope to ensure greater rates of success in a project and make sure we don’t forget anything along the way. Good luck and happy software building.
