Software Architecture

The Secubit platform is designed with a layered architecture that separates trust domains and ensures that sensitive operations are performed only within secure boundaries. Each component plays a distinct role in providing security, scalability, and usability. 

flowchart LR
    subgraph HSM["🔒 Secubit HSM"]
        V("vault")
    end

    N{{"Blockchain </br> Nodes"}}

    subgraph CS["☁️ Secubit Cloud Service"]
        S("server")
        DB[("database")]
    end

    C("Customer </br> System")
    
    subgraph U["User Machine"]
    direction TB
        B("browser")
        JS("secubit.js")  
        SE("🔑 secure element")
    end
    
    N --- S
    V --- S
    S -- Secubit API --- C
    C --- B

At the foundation is the Secubit HSM, which serves as the hardware root of trust. Inside the HSM, the vault module is responsible for generating, storing, and using cryptographic keys. All private key material remains confined to this environment, and only cryptographic results (such as signatures) leave the device.

The Secubit Cloud Service operates as the orchestration layer. It provides a secure API, manages the database of wallet metadata and policies, and coordinates requests between customer systems, blockchain nodes, and the HSM. Importantly, the cloud service never has access to raw private keys. Instead, it enforces access policies, tracks audit logs, and provides integration points for institutional workflows.

On the client side, the Customer System interacts with the Secubit API to request operations such as wallet creation, transaction signing, or policy updates. These systems represent funds, custodians, or other organizations managing crypto assets through Secubit’s platform.

End users interact through the User Machine, which may include a browser, the secubit.js client library, and the user’s local Secure Element. The secure element ensures that end-to-end authentication is maintained between the user and the HSM, preventing attacks from compromised servers or intermediaries.

Finally, Blockchain Nodes connect Secubit’s custody layer to public networks. The system interacts with nodes to broadcast signed transactions and query blockchain state, but no sensitive operations are performed outside the HSM.