Skip to content

Architecture — How It Works

A high-level overview of how the platform processes your data. Details for clients who want context for security review.

General model

graph TB
    User[You/team] -->|HTTPS| Web[Web Portal]
    Web --> API[BCP API]
    API --> DB[(Database<br/>encrypted)]
    API --> Workers[Detection Workers]
    Workers --> External[External sources<br/>HIBP, GitHub, Pastebin, ...]
    API --> Notifications[Email / Webhook]
    Notifications --> User

Components

Component What it does
Web Portal The interface you work with — dashboard, settings, reports
BCP API Business logic, authorization, request handling
Database Encrypted DB for findings, settings, users
Detection Workers Background processes running scans on schedule
Notification engine Email and webhook delivery

How your data is processed

  1. Configuration (DataSources, third-party API keys) — stored in DB, encrypted at-rest with per-organization keys.
  2. Scans are run by workers — they query external sources (HIBP, GitHub, etc.) on your behalf using your keys.
  3. Findings are written to the DB tied to your organization — other organizations never see them.
  4. Notifications go through your configured channels (email, webhook).

Multi-tenancy

The platform runs in multi-tenant mode: all clients live in shared infrastructure, but data is strictly isolated at the organization level.

  • Every API request goes through row-level security — even with a code bug, the DB won't serve other clients' data.
  • Each user belongs to one or more organizations and switches between them in the UI.
  • Bytecode platform admins don't have routine access to client data. Access is possible only on explicit client request (e.g., support) and is logged.

Where the data lives

  • Primary DB — PostgreSQL in EU (Frankfurt) region via Neon.
  • Backups — same region, separate availability zone.
  • Logs — capped at 90 days.
  • Temporary files (downloaded pastes, leak-site screenshots) — block storage, also EU.

If you have a data-residency requirement (e.g., data must not leave a specific country), contact sales@bytecode.team — Enterprise can run in dedicated regions.

Security

Details — in the Security section. In short:

  • TLS 1.3 for all traffic.
  • AES-256 for data at rest.
  • 2FA optional for all users, mandatory for Admin.
  • Audit log for critical actions.
  • Regular penetration tests.