Architecture
Surface Security uses a layered architecture designed for security, scalability, and operational simplicity. All components are self-hosted within your environment.
System Architecture
Data Flow
The following sequence shows how telemetry flows from the browser extension to the dashboard:
Observability
Surface Security includes a built-in observability stack for monitoring platform health and performance:
- OpenTelemetry Collector — receives traces and metrics from all backend services
- Tempo — stores and queries distributed traces for request-level debugging
- Grafana — pre-configured dashboards for system health, event throughput, and alert trends
Data Storage
Surface Security uses purpose-built databases for different workloads:
PostgreSQL (Transactional Data)
Stores operational state that requires strong consistency and relational integrity:
- Organizations — tenant configuration, licensing, and settings
- Users and devices — employee records and registered browser extensions
- Authentication endpoints — discovered identity providers and login pages
- Policies — security rules and group-based policy assignments
- Alerts — alert state and triage workflow
- Audit log — immutable record of all administrative actions
- Certificates — device certificates and encryption keys
ClickHouse (Analytics)
Stores high-volume telemetry events optimized for fast analytical queries:
- Navigation events — page visit telemetry
- Credential events — login form interactions (no passwords)
- Authentication flow events — SSO, MFA, and IDP detection signals
- Technology fingerprints — detected technology stacks on visited pages
- Phishing events — domain analysis, similarity scores, and threat indicators
- Alert events — security alert history
Redpanda (Event Streaming)
Acts as the durable event bus between the ingestion layer and ClickHouse. Redpanda is a Kafka-compatible streaming platform that ensures no telemetry data is lost, even during high-volume bursts or temporary downstream outages.
MinIO (Object Storage)
Stores binary artifacts such as phishing page screenshots for forensic analysis and alert investigation.
Scalability
Surface Security is designed to handle 10,000 to 50,000+ concurrent browser extensions in a Kubernetes deployment. Key scaling features include:
- Horizontal pod autoscaling for API and ingestion services
- Sharded rate limiting to avoid bottlenecks under high concurrency
- Batch event ingestion to minimize HTTP overhead from large extension fleets
- Worker pools for concurrent event processing
- In-memory caching of frequently-read configuration data
- Configurable connection pools sized for multi-pod deployments
| Extensions | API Pods | Ingestion Pods |
|---|---|---|
| 1,000 | 3 | 3 |
| 10,000 | 10 | 8 |
| 50,000 | 20 | 15 |
Network Architecture
All communication between the browser extension and the backend is protected by two independent layers:
- Transport layer (mTLS) — mutual TLS via Envoy Gateway ensures both client and server authenticate each other
- Application layer (E2E encryption) — request bodies are encrypted with AES-256-GCM and signed with ECDSA, providing end-to-end protection even if the transport layer is compromised
See the Security page for details on the encryption architecture.