Four layers around the data.
SOC 2 ready. AES-256 at rest, per-issuer key isolation, row-level security on every table, and an immutable mutation log. The platform was built around the handling requirements for material non-public information rather than retrofitted to them.
What this module does, end to end.
Layer 1. Multi-Tenant Isolation
Row-level security on every table, queries scoped by issuer_id at the policy layer. Cross-tenant leakage is structurally impossible.
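An added illustration of the pattern Layer 1 describes, not the platform's own schema or policy. It assumes PostgreSQL, and the table, role and setting names (vault_records, app_rw, app.issuer_id) are hypothetical; only issuer_id comes from the page.

```sql
-- Constructed schema for illustration; only the issuer_id column name is from the page.
CREATE TABLE vault_records (
    id         bigserial PRIMARY KEY,
    issuer_id  uuid NOT NULL,
    body       text NOT NULL
);

-- ENABLE turns policies on; FORCE applies them to the table owner as well,
-- who would otherwise bypass them silently.
ALTER TABLE vault_records ENABLE ROW LEVEL SECURITY;
ALTER TABLE vault_records FORCE ROW LEVEL SECURITY;

-- USING filters which rows are visible; WITH CHECK rejects an INSERT or UPDATE
-- that would place a row under another issuer.
-- An unset setting yields NULL and a reset one yields '', so NULLIF makes both
-- compare as NULL: no rows match and writes are refused (fail closed).
CREATE POLICY issuer_isolation ON vault_records
    USING      (issuer_id = NULLIF(current_setting('app.issuer_id', true), '')::uuid)
    WITH CHECK (issuer_id = NULLIF(current_setting('app.issuer_id', true), '')::uuid);

-- Application role (hypothetical): superusers and BYPASSRLS roles skip every policy.
CREATE ROLE app_rw LOGIN NOSUPERUSER NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE ON vault_records TO app_rw;
GRANT USAGE ON SEQUENCE vault_records_id_seq TO app_rw;

-- Per request: bind the tenant inside the transaction. SET LOCAL reverts at
-- COMMIT/ROLLBACK, so a pooled connection cannot carry one issuer into the next request.
BEGIN;
SET LOCAL app.issuer_id = '11111111-1111-1111-1111-111111111111';  -- constructed value
SELECT id, body FROM vault_records;   -- returns only this issuer's rows
COMMIT;

-- Check for "on every table": list tables where RLS is not both enabled and forced.
SELECT c.relname
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE n.nspname = 'public'
  AND c.relkind IN ('r', 'p')
  AND NOT (c.relrowsecurity AND c.relforcerowsecurity);
```

An empty result from the last query is the condition to enforce in CI or a migration gate; any table it lists is readable across issuers by whoever holds SELECT on it.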
Layer 2. App-Layer Encryption
AES-256-GCM at rest for all MNPI. Per-issuer key isolation with FIPS 140-2 validated cloud KMS backing the production KEK. DEKs wrapped per user.
Layer 3. AI Data Isolation
Gemini API for public data. Vertex AI for MNPI, configured per Google Cloud's enterprise terms (no training data use, no log retention, no human review). Routing enforced by an internal classifier with append-only audit.
Layer 4. Audit & Immutability
No soft deletes. Every mutation logged with user, IP, timestamp, and before/after snapshots. Vault records permanently sealed once published.
Transport Security
TLS 1.3 in transit. WebAuthn/FIDO2 passwordless auth. CSP, CORS, HSTS headers. IP allowlisting for API access.
Post-Quantum Hybrid Mode
ML-KEM plus classical key exchange, ready for the cryptographic transition. Forward secrecy maintained even if today's ciphers fall.
See it in production.
Early-access program by invitation. Onboarding in minutes. Your Vault is live the moment your ticker is recognized.