🚀 SecureCheap is live — Start free →
Architecture & Security
Overview

Architecture Overview

SecureCheap is designed as a multi-tenant SaaS platform with a clear separation between the data collection layer, the processing layer, and the presentation layer.

High-level architecture

Your Infrastructure                    SecureCheap Platform
────────────────────────────────       ──────────────────────────────────────────

  Your Servers                           API Gateway (nginx + TLS 1.3)
    └── SC Agent (lightweight)   ──────▶  │
         collected every 15s              │  Ingest Service
                                          │  (validates + normalizes metrics)
  Your Domains                            │
    └── HTTP/SSL Checks ───────────────▶  │  Storage Layer
         from 3 probe locations           │  ┌──────────────┬──────────────────┐
                                          │  │ TimescaleDB  │ PostgreSQL       │
  Your Cloud APIs                         │  │ (time-series)│ (accounts, config)│
    └── Provider read-only ────────────▶  │  └──────────────┴──────────────────┘
         calls to AWS/DO/CF APIs          │
                                          │  Processing Layer
                                          │  ├── Alert Engine (threshold eval)
                                          │  ├── Security Scanner
                                          │  ├── Cost Analyzer
                                          │  └── AI Assistant (LLM inference)

                                          │  Notification Service
                                          │  └── Email / Slack / Discord / Telegram

                                          │  Dashboard (Next.js, Vercel Edge)
                                          │  API (Next.js API Routes + Node.js)

Data flow

Server metrics (agent-based)

1. Agent collects metrics from OS (procfs, sysfs)
2. Agent sends compressed JSON payload over HTTPS to api.securecheap.com/v1/ingest
3. Ingest validates auth token and workspace
4. Data written to TimescaleDB (compressed time-series)
5. Alert engine evaluates thresholds every 15s
6. Dashboard queries via REST API with time-range parameters

HTTP monitors (probe-based)

1. Scheduler dispatches check job to all configured probe locations
2. Each probe independently performs: DNS → TCP → TLS → HTTP → keyword match
3. All probe results collected and aggregated
4. Consensus: monitor is DOWN only if ALL probes agree
5. Results written to TimescaleDB
6. Response time percentiles computed on read

Regional probes

LocationASNPurpose
FrankfurtHetzner AS24940EU primary
New YorkDigitalOcean AS14061US primary
SingaporeVultr AS20473APAC primary

All probes run independently and their results are cryptographically signed to prevent spoofing.

Probe source IPs are published at https://api.securecheap.com/v1/probe-ips. You can allowlist these in your firewall to ensure checks complete even when blocking unknown traffic.

Agent architecture

See: Monitoring Agent

Security practices

See: Security Practices