Answer to your first question is all the databases are real time unless there is no delay in transmission of data from feeding point to the database server and when you dont care about micro seconds.
You can run you web site on secure network even without purchasing a certificate by using default certificate. But users will be alerted for invalid certificates. So if you don't want you users to be warned for this invalidity you must purchase the certificate. Infact this is the only option for a secure site.
Sub-domain can not be secure enough to take care of database manipulation from outsite world. Again if you trust the IPs from where users are loggin in you can filter the IPs and only allow them to login but then anyone can snoop the data over the network. It can be risky