Architecture — How It Works¶
A high-level overview of how the platform processes your data. Details for clients who want context for security review.
General model¶
graph TB
User[You/team] -->|HTTPS| Web[Web Portal]
Web --> API[BCP API]
API --> DB[(Database<br/>encrypted)]
API --> Workers[Detection Workers]
Workers --> External[External sources<br/>HIBP, GitHub, Pastebin, ...]
API --> Notifications[Email / Webhook]
Notifications --> User
Components¶
| Component | What it does |
|---|---|
| Web Portal | The interface you work with — dashboard, settings, reports |
| BCP API | Business logic, authorization, request handling |
| Database | Encrypted DB for findings, settings, users |
| Detection Workers | Background processes running scans on schedule |
| Notification engine | Email and webhook delivery |
How your data is processed¶
- Configuration (DataSources, third-party API keys) — stored in DB, encrypted at-rest with per-organization keys.
- Scans are run by workers — they query external sources (HIBP, GitHub, etc.) on your behalf using your keys.
- Findings are written to the DB tied to your organization — other organizations never see them.
- Notifications go through your configured channels (email, webhook).
Multi-tenancy¶
The platform runs in multi-tenant mode: all clients live in shared infrastructure, but data is strictly isolated at the organization level.
- Every API request goes through row-level security — even with a code bug, the DB won't serve other clients' data.
- Each user belongs to one or more organizations and switches between them in the UI.
- Bytecode platform admins don't have routine access to client data. Access is possible only on explicit client request (e.g., support) and is logged.
Where the data lives¶
- Primary DB — PostgreSQL in EU (Frankfurt) region via Neon.
- Backups — same region, separate availability zone.
- Logs — capped at 90 days.
- Temporary files (downloaded pastes, leak-site screenshots) — block storage, also EU.
If you have a data-residency requirement (e.g., data must not leave a specific country), contact sales@bytecode.team — Enterprise can run in dedicated regions.
Security¶
Details — in the Security section. In short:
- TLS 1.3 for all traffic.
- AES-256 for data at rest.
- 2FA optional for all users, mandatory for Admin.
- Audit log for critical actions.
- Regular penetration tests.