Security at Gamut

Last Updated: January 2026

Trust is our currency.

At Gamut Intelligence Lab, we understand that we are processing your most valuable asset: your Investment Thesis. Our platform is built on a "Security-First" philosophy, leveraging our patent-pending Defense-in-Depth architecture to ensure data integrity, isolation, and confidentiality.

SOC 2 Type II 99.9% Uptime SLA Tenant Isolation No Cross-Customer Training

1. Architectural Security (The "Iron Dome")

Unlike standard AI wrappers that blindly pass data to LLMs, Gamut employs a rigid, deterministic security layer before any inference occurs.

Hallucination Firewall™: A pre-inference layer that validates the cryptographic and network identity of every target. We block malicious domains, honeypots, and "ghost" sites before they can interact with our analysis engine. This prevents "Prompt Injection" attacks where a website might try to trick the AI into a false analysis.
Zero-Evidence Circuit Breaker: To maintain data integrity, our system mechanically rejects inputs that lack sufficient verifiable evidence. This prevents "Prompt Injection" attacks and ensures we never process potentially compromised or manipulated data.
Sanitized Inputs: All scraped data undergoes strict HTML sanitization and token limitation before entering the Context Window, mitigating XSS (Cross-Site Scripting) and context-overflow risks.

This Defense-in-Depth architecture ensures that malicious or compromised data never reaches our analysis engine, protecting both your investment decisions and our system integrity.

2. Data Privacy & Tenant Isolation

Your "Alpha" belongs to you. We have designed our system to prevent data leakage between workspaces.

Logical Tenant Isolation: Every "Team" and "Workspace" in Gamut is logically isolated. The specific constraints and negative feedback you provide to your Memory Bank are scoped strictly to your tenant ID. Database queries automatically filter by team context, ensuring zero cross-tenant data access.
No Cross-Customer Training: We do NOT use your private deal flow, investment memos, or custom thesis constraints to train our foundational models for other customers. Your "Secret Sauce" remains yours. This is the most critical security guarantee for financial clients: your investment strategies will never be used to improve the Service for your competitors.
Ephemeral Processing: For sensitive "Deep Dive" tasks, data is processed in ephemeral containers on Google Cloud Platform (GCP) and is not persisted longer than necessary to generate the audit trail.
Audit Logging: All data access is logged for security monitoring, with complete audit trails for compliance requirements.

💡 Why This Matters

For financial clients, Security = Privacy of Alpha. They don't just care about hackers; they care about competitors seeing their investment thesis. Our tenant isolation ensures that your proprietary investment strategies remain confidential and are never used to benefit other users.

3. Infrastructure & Encryption

We build on the shoulders of giants. Gamut Agent is deployed on Google Cloud Platform (GCP), inheriting the same security standards used by the world's largest financial institutions.

3.1. Encryption in Transit

All data transmission between your browser, our API, and our AI providers is encrypted via TLS 1.3 (Transport Layer Security):

HTTPS for all web traffic (enforced with HSTS)
TLS 1.3 for all API communications
End-to-end encryption for sensitive data transfers

3.2. Encryption at Rest

All persisted data (Memory Bank records, User Profiles, Deal Flow Pipeline) is encrypted at rest using AES-256 standards in our managed databases:

BigQuery: All tables encrypted with Google-managed encryption keys
Firestore: Database encryption at rest by default
Cloud Storage: All objects encrypted with AES-256
Backups: All backup data is encrypted before storage

3.3. Google Cloud Platform Security

Our infrastructure benefits from Google's enterprise-grade security:

Global Network Security: Google's private fiber network reduces exposure to public internet threats
DDoS Protection: Multi-layered DDoS mitigation at the network edge
Physical Security: Data centers with 24/7 monitoring, biometric access controls, and redundant power systems
Compliance Certifications: GCP maintains ISO 27001, SOC 2/3, PCI DSS, HIPAA, and other certifications

3.4. Vertex AI Security

We utilize Google Vertex AI for enterprise-grade inference, ensuring that data sent for analysis is handled according to Google's strict enterprise data governance policies (not consumer-grade data harvesting). Your data is processed in isolated, enterprise-compliant environments.

4. Access Control

Authentication: We support secure, token-based authentication (JWT) for all API access. All API requests require valid authentication tokens, which are validated on every request and expire after a set period of inactivity.
Multi-Factor Authentication (MFA): Supported for all accounts to add an additional layer of security.
Role-Based Access Control (RBAC): (Coming Soon) Granular permissions to control which team members can modify the "Memory Bank" or approve deals.
Session Management: Secure, time-limited session tokens with automatic expiration.

5. Compliance and Certifications

5.1. SOC 2 Type II

Gamut Agent is SOC 2 Type II compliant, demonstrating our commitment to:

Security: Protection against unauthorized access
Availability: System availability and performance monitoring (99.9% uptime SLA)
Processing Integrity: Accurate and complete data processing
Confidentiality: Protection of confidential information (including investment theses)
Privacy: Collection, use, and disclosure of personal information

Our SOC 2 report is available to enterprise customers under NDA. Contact security@gamutagent.ai for access.

5.2. Data Protection Regulations

We comply with major data protection regulations:

GDPR (EU): Full compliance with General Data Protection Regulation requirements
CCPA (California): Compliance with California Consumer Privacy Act
Data Residency: Options for data storage in specific regions (EU, US, Asia-Pacific)

6. Security Monitoring and Incident Response

We employ comprehensive security monitoring and maintain a defined incident response plan:

Continuous Monitoring: Real-time intrusion detection, log aggregation, and anomaly detection
Vulnerability Scanning: Regular automated scans for known vulnerabilities
Incident Response: Automated alerts, immediate containment, forensic investigation, and timely notification to affected users

We commit to notifying affected users within 72 hours of discovering a data breach, as required by GDPR and other regulations.

7. Vulnerability Disclosure

We take security reports seriously. If you believe you have found a vulnerability in Gamut Agent, please report it immediately to security@gamutagent.ai. We appreciate the contributions of the security research community.

Please include:

Steps to reproduce the vulnerability
Potential impact assessment
Suggested fixes (if applicable)

We acknowledge responsible disclosures and may offer rewards for significant security findings. Please allow us time to fix the issue before public disclosure.

11. Contact Us

For security-related questions or concerns:

Security Team: security@gamutagent.ai
General Inquiries: contact@gamutagent.ai