What DAPITA Core actually is
DAPITA Core is not a CMS, and not a framework. It's a self-hosted application engine written in Go, which orchestrates a set of isolated plugin processes through its own binary protocol called DPP (DAPITA Plugin Protocol).
Every plugin is a separate operating-system process running under its own system user, with its own AppArmor profile, with no direct access to other plugins' data, files, or network. Plugins talk to the engine exclusively over Unix sockets, and every message is signed with HMAC-SHA256. Which means: even if a vulnerability is found in one plugin, the attacker doesn't get access to anything outside that plugin.
In plain language: it's a business platform that installs on your own server in five minutes, and from that point on hosts your online store, warehouse, CRM, corporate email, messenger, and dozens of other functions — all under one roof, on one machine, with no SaaS dependencies in between.
DAPITA Core is the only self-hosted platform that delivers e-commerce, CRM, warehouse, its own email server, its own messenger, an interface builder, and AI agents — all in a single sandbox, on a single server, in five minutes of installation.
What's inside: 32 plugins across seven categories
The DAPITA Core registry currently has 32 plugins, grouped into seven categories by purpose.
Core — the foundational modules of the platform: admin, auth, dashboard, plugins, settings, encryption, monitoring, algo, baas, wizard2, appconnector. The pieces without which the engine doesn't function: admin UI, passkey and 2FA authentication, encryption, monitoring, first-time setup wizard.
Commerce — everything for online retail: catalog, cart, orders, payments, shipping, customers, pricing, localization. The full lifecycle from product browse to order completion, with multi-currency, multi-language, and per-country tax support.
Inventory — managing physical goods: warehouse, suppliers, import. Multi-warehouse with FIFO batches, barcodes, serial numbers, and stocktakes. Suppliers with price lists and purchase orders. Universal import from files, APIs, web sources, and webhooks.
Marketing — customer relationships and reputation: crm, email, reviews. A full CRM, your own SMTP server running on Postfix with DKIM signing and DMARC pass, and a review system that emits structured data for search engines.
Content — pages: static pages, blog, corporate sections.
Design — design: visual builder for interfaces and themes.
Tools — general-purpose extensions: cookie-consent for GDPR compliance, messenger for talking to customers through a channel the business actually owns, telephony for phone integration, ai-mcp as a bridge to AI agents through the Model Context Protocol, and architect for generating new plugins via AI directly from the admin panel.
Every plugin runs in one of two modes: persistent (always on, for critical components like auth and admin) and lazy (sleeps when idle, wakes within milliseconds on demand). Which means: even when a lot of plugins are installed, only the ones actually needed at this moment are using resources.
Real size and consumption: numbers from a working server
Instead of abstract claims about being "lightweight" — concrete numbers from a live test installation running an email server and a dozen other modules.
Disk usage:
- Full core installation — 230 MB
- All plugins combined — 195 MB
- PostgreSQL database with real data — 196 MB
RAM consumption (systemd Memory):
- Normal operation with 11 running plugins — 87.5 MB
- Peak consumption over the observation period — 181.7 MB
Per-process (RSS):
- Engine — 36.8 MB
- encryption plugin — 7.7 MB
- auth plugin — 10.6 MB
- admin plugin — 6.6 MB
- email plugin (a full SMTP/IMAP server) — 10.8 MB
- monitoring plugin — 13.4 MB
- Other plugins — 6–9 MB each
This is the consumption level where DAPITA differs from typical Docker-based stacks: container orchestration alone usually requires 350–1200 MB before any business functionality is even loaded. Here, plugin orchestration is implemented inside the engine as its primary job — not as an extra layer on top of containers.
Performance
Benchmarks on a real four-core VPS, measured with ab and wrk:
/api/dashboard/stats(with database access) — 5,593 RPS, 0 errors at 1,000 concurrent connections- Over the public internet with 500 connections — 5,334 RPS, 0 errors
- Version endpoint without database access — 17,299 RPS
- Health check with DB ping — 2,711 RPS
auth/status— 3,800+ RPS- Cross-plugin call admin → auth via core.call — 332–456 RPS
- Dashboard batch (9 widgets from 6 plugins in one operation) — 180 RPS at 5 concurrent users
- app-manifest endpoint — 5,000+ RPS
- Encryption: 13 microseconds per operation, key rotation in 0.56 seconds
- 500,000 encrypted records — 51 RPS at 99.99% success rate
Plugin cold start — about 200 milliseconds. Full engine restart — 1.7–3 seconds.
These figures, on a single small VPS, are enough to handle the traffic volume of a mid-sized e-commerce project without vertical scaling and without a cluster.
How data is protected
Security in DAPITA Core is built across several layers, and what matters here is that each of them actually works — not as bullet points in a marketing list.
OS-level plugin isolation. Every plugin is a separate operating-system process. It has its own system user, its own AppArmor profile, its own Unix socket for talking to the engine. A plugin cannot read another plugin's files, cannot run an arbitrary SQL query outside its own data, cannot open an arbitrary network connection. This is standard Linux practice — applied at the platform level: isolation is not opt-in, it's enforced for every plugin without exception.
The DPP protocol. Plugins communicate with the engine exclusively over Unix sockets, and every message is HMAC-SHA256 signed. Forging a request or injecting a foreign one is impossible — the engine verifies the signature on every operation. SQL queries are validated. File-system access happens only via storage.read/write with permission checks. Network requests happen only via http.request with an allow-listed set of hosts.
Encryption. Sensitive data is encrypted with AES-256-GCM. Keys are stored in HashiCorp Vault — a separate service, physically isolated from the application. DEK versioning is used: every object is encrypted with its own data encryption key, which is itself encrypted by a master key from Vault. Key recovery uses Shamir 3-of-5 — even compromising two key-holders does not give access to the data.
How passwords and contacts are stored. Passwords are hashed with Argon2id — an algorithm deliberately slowed down so brute-force attacks are economically infeasible. Email and phone are not stored in plain text — they are encrypted via Vault, and to allow lookup by email we use HMAC hashing with a secret "pepper". This makes it possible to verify "does this email exist" without the database containing the address itself.
Audit and monitoring. Every action in the system is written to audit logs. Plugin binaries are checksum-verified on startup — any tampering with a binary is detected immediately. A watchdog checks each plugin's status and logs failures.
What this gives the owner
DAPITA Core is a tool for those who want to own their business infrastructure rather than rent it.
Data physically lives on the owner's server. Backups, server migration, business handover at sale, moving across jurisdictions — all of this happens at the file-system and database level. No external party can shut down, throttle, or lose your data.
One interface for every function. Through a unified design layer all plugins share a single visual system. An employee learns the platform once and gets access to everything: catalogue, warehouse, orders, CRM, email, messenger.
Extensibility without rewrites. When the standard functionality isn't enough, the Architect plugin lets you describe the desired behavior in plain language and receive a working plugin — without hiring a developer and without touching the engine.
Failure isolation. If one plugin crashes or misbehaves, others keep running. If a plugin is compromised, the attack does not cross its boundary.
Lightweight on modest hardware. What in Docker-based stacks starts with 500 MB of orchestration overhead, in DAPITA fits into 90 MB for the entire system — because plugin orchestration is the engine's main job, not an extra layer on top of containers.
Where to start
DAPITA Core installs on any Ubuntu 24 VPS in five minutes — the wizard installer configures PostgreSQL, Redis, Nginx, SSL via Let's Encrypt, the firewall, and the base plugins automatically. From there, the wizard lets you pick the additional plugins you need — the system installs them and wires them together.
Product site: core.dapita.net