Building Culturemap on Solid Ground: A Secure AWS Foundation for Country-First Technology
Right Place Geospatial provides training and geospatial development services to land management and heritage professionals Australia-wide.
The Client
Right Place Geo (“Right Place” being a bush term for something “bang on,” “perfect,” or “schmick”) is an Australian geospatial consultancy delivering “Tech Solutions for People in the Bush.” Led by Stafford Smith, the business brings over a decade of on-Country experience across cultural mapping, drone programs, GIS strategy, field data collection, and custom geospatial software development. They’re an official Fulcrum Partner and CesiumJS Certified, technical credentials backed by real time spent working alongside Traditional Owners, Rangers, and land management groups across Australia.
Their flagship software product, Culturemap, is a 3D cultural database co-designed with Traditional Owners and Rangers: a private Google Earth and YouTube combined, purpose-built for Native Title organisations to record, protect, and share cultural knowledge on Country. What began as a build with four people has grown into a platform shaped by co-design sessions with 40+ Traditional Owners, Rangers, and board members, with each client organisation getting its own private instance.
The promise that runs through everything Right Place Geo does (your data, your Country, your control) is non-negotiable. That promise had to be matched in the infrastructure underneath it.
The Challenge
As Culturemap moved from passionate prototype toward a production platform serving multiple Native Title organisations, the underlying AWS environment needed to evolve with it. Right Place Geo had built the application itself with care and conviction, but cloud infrastructure is its own discipline, and the existing setup had grown organically alongside the product rather than being designed for the scale and assurance it was now heading toward.
Three broad themes emerged:
A foundation built for prototyping, not for scale. The environment had served well during early co-design and pilot deployments, but stretching it across multiple client organisations, multiple environments, and a growing roadmap meant the architecture needed a step change rather than another iteration.
Manual where automation was needed. Infrastructure changes, application deployments, and certificate management were largely hands-on processes. That was workable for a small team shipping carefully, but it was becoming a bottleneck, and every manual step is a step where something subtle can drift.
A clearer story on multi-client separation. Culturemap’s core promise is that each Traditional Owner organisation gets a private instance with their data sovereign to them. Making that promise architecturally watertight, rather than relying on application-layer conventions, was essential before onboarding the next wave of clients.
The brief was clear: Culturemap needed a cloud foundation that matched the integrity of the product itself. It had to be secure by design, automated end-to-end, and ready to onboard new Traditional Owner groups without bespoke infrastructure work each time.
The Approach
Rather than retrofit the existing environment, we rebuilt the foundation properly: a greenfield AWS landing zone designed around modern DevSecOps practices, with Culturemap migrated onto it through a controlled cutover.
A proper landing zone, built with AWS Control Tower and AWS Organizations. We stood up a multi-account architecture with security guardrails enforced at the organisation level: Service Control Policies, region restrictions, and account-level controls that make insecure configurations difficult to create in the first place. Centralised audit logging was established with appropriate separation from workload accounts, following AWS best practice for landing zone design.
VPCs rebuilt to a three-tier private architecture. Backend infrastructure moved into private subnets with appropriate network isolation. Administrative access was modernised to use AWS-native, identity-based mechanisms rather than legacy approaches. Sensitive configuration values moved out of code and into managed secret storage.
Everything as code, deployed through GitHub Actions. We restructured the Terraform codebase to remove per-environment duplication, locked toolchain versions, added state management appropriate for team-based collaboration, and moved all deployments behind a CI/CD pipeline. Policy-as-code scanning now gates every change, catching misconfigurations before they reach an environment rather than after. DNS and TLS certificate management were brought into the same automated workflow.
Frontend decoupled from backend. The React frontend now ships as static assets to S3, served globally through CloudFront, which is faster for users wherever they are and scales independently from the API. The load balancer was reconfigured for API-only traffic, and Lambda deployment was streamlined into a maintainable pattern.
Per-client data and network isolation. The multi-tenant data architecture was redesigned so that each client organisation has its own dedicated storage, subdomain, and content delivery distribution, with separation enforced at the infrastructure layer rather than relying on application logic alone. Existing data was migrated cleanly into the new structure.
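An added example, not Right Place Geo's or the project's own code: one way a policy-as-code gate could check the per-client separation described above against a plan exported with `terraform show -json`. The `Tenant` tag convention, the resource addresses, bucket names and the sample plan are assumptions constructed for illustration.

```python
from collections import defaultdict

# Assumption: every per-client resource carries a "Tenant" tag (hypothetical convention).
GATED = ("aws_cloudfront_distribution", "aws_s3_bucket")

def isolation_violations(plan):
    """Return human-readable violations for a `terraform show -json` plan dict."""
    violations, bucket_owner, dists = [], {}, []
    per_tenant = defaultdict(lambda: defaultdict(list))  # tenant -> type -> addresses
    for rc in plan.get("resource_changes", []):
        after = (rc.get("change") or {}).get("after")
        if rc.get("type") not in GATED or after is None:  # None: being destroyed
            continue
        tenant = (after.get("tags") or {}).get("Tenant")
        if not tenant:
            violations.append(f"{rc['address']}: missing Tenant tag")
            continue
        per_tenant[tenant][rc["type"]].append(rc["address"])
        if rc["type"] == "aws_s3_bucket":
            bucket_owner[after.get("bucket")] = tenant
        else:
            dists.append((rc["address"], tenant, after.get("origin") or []))
    for tenant, by_type in sorted(per_tenant.items()):
        for rtype in GATED:  # dedicated means exactly one of each per tenant
            if len(by_type[rtype]) != 1:
                violations.append(
                    f"tenant {tenant}: expected 1 {rtype}, found {len(by_type[rtype])}")
    for address, tenant, origins in dists:
        for origin in origins:
            domain = origin.get("domain_name")
            if not domain:  # value only known after apply: fail closed
                violations.append(f"{address}: origin domain unknown at plan time")
            elif bucket_owner.get(domain.split(".s3.")[0]) != tenant:
                violations.append(f"{address}: origin {domain} is not tenant {tenant}'s bucket")
    return violations

def _rc(address, rtype, after):
    return {"address": address, "type": rtype, "change": {"after": after}}

_A = "cm-tenant-a.s3.ap-southeast-2.amazonaws.com"  # constructed bucket domain
# Constructed plan: tenant-b's distribution points at tenant-a's bucket, one bucket is untagged.
SAMPLE_PLAN = {"resource_changes": [
    _rc("module.a.aws_s3_bucket.data", GATED[1], {"bucket": "cm-tenant-a", "tags": {"Tenant": "tenant-a"}}),
    _rc("module.a.aws_cloudfront_distribution.cdn", GATED[0], {"tags": {"Tenant": "tenant-a"}, "origin": [{"domain_name": _A}]}),
    _rc("module.b.aws_s3_bucket.data", GATED[1], {"bucket": "cm-tenant-b", "tags": {"Tenant": "tenant-b"}}),
    _rc("module.b.aws_cloudfront_distribution.cdn", GATED[0], {"tags": {"Tenant": "tenant-b"}, "origin": [{"domain_name": _A}]}),
    _rc("aws_s3_bucket.scratch", GATED[1], {"bucket": "cm-scratch", "tags": None}),
]}

if __name__ == "__main__":
    print("\n".join(isolation_violations(SAMPLE_PLAN)) or "plan passes isolation gate")
```

In a pipeline the gate would exit non-zero when the returned list is non-empty, so the change is blocked before it reaches an environment.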
Application deployment automated end-to-end. Repository structures were rationalised, branching strategy aligned to environment promotion, and application builds now run automatically through the pipeline rather than as manual steps on the server.
The Outcome
A modern, well-architected AWS foundation. Culturemap now runs on a landing zone aligned with AWS Well-Architected best practices: multi-account, properly segmented, with security and governance enforced at the organisation level rather than per-resource.
Per-client architectural separation. Each Traditional Owner organisation’s instance sits in its own dedicated infrastructure, matching Right Place Geo’s “Country first” promise in the architecture itself, not just in policy documents.
A repeatable path to onboard new organisations. What used to be a custom infrastructure exercise is now a parameterised, code-driven deployment through a reviewed pipeline. New build slots can be filled without re-litigating the foundations each time.
Global performance gains for users in the bush. Static frontend assets now serve from CloudFront edges rather than a single region, which is meaningful for the remote and regional users this platform exists to serve.
A self-sufficient team. The landing zone, pipelines, IaC patterns, and guardrails are Right Place Geo’s. Future feature work, and Stafford’s roadmap of new build slots for 2025-2026, sits on infrastructure the team can extend, audit, and evolve without ongoing external dependency. That last point matters: Right Place Geo’s whole ethos is that Traditional Owners retain control of their data and tools. We extended the same principle to them, building something they own rather than something they depend on us for.
Why It Mattered
Culturemap isn’t a typical SaaS product. The data it holds (stories, songlines, sacred sites, ranger observations, heritage records) carries weight that ordinary infrastructure standards don’t account for. Data sovereignty isn’t a compliance checkbox here; it’s the entire reason the product exists.
Getting the foundation right meant Right Place Geo could keep their promise to Traditional Owners with technical conviction behind it: each organisation properly isolated, access controlled by least privilege, encryption enforced throughout, and the option for clients to fully self-host on their own cloud account whenever they choose.
That’s the kind of foundation that lets a small, principled team scale without compromising what made them worth scaling in the first place.
The Results
- Production-ready AWS landing zone.
- Per-client data isolation at the infrastructure layer.
- Repeatable, code-driven onboarding for new organisations.
- Global performance gains for remote and regional users.
- End-to-end automation across infrastructure and deployment.
- A self-sufficient team in control of their platform