Technical Deep Dive

Security Architecture for Financial Services

This document provides complete technical detail on every layer of the Alpheous security architecture. It is intended for CCOs, CIOs, operations teams, and due diligence evaluators who need to understand exactly how the system protects your firm's data, enforces regulatory compliance, and maintains fiduciary-grade operational integrity.

Network Architecture

Your Alpheous infrastructure exposes no public ports, no internet-facing SSH, and no externally routable IP address. Advisor data sits on a host that is not reachable from the public internet at all; it can only be reached over the firm's private mesh.

Tailscale Mesh VPN

Every connection is a WireGuard tunnel between two enrolled devices, encrypted end-to-end and authenticated by each device's own key, with access governed by the tailnet's identity provider and access rules. There is no VPN concentrator to compromise, and no single box that all traffic must pass through. Remote access works from anywhere without opening ports or configuring a traditional VPN, which matters for asset managers who need secure remote access to distribution operations. The caveat a practitioner should keep in view: the tailnet, not the internet, is now the trust boundary, so an attacker who takes over an enrolled laptop or the identity-provider account behind it is inside the mesh. Device enrollment, key expiry and per-user access rules are the controls that keep that boundary tight.

macOS PF Firewall

A second layer of defense at the packet-filter level. The ruleset denies all inbound traffic by default and passes only connections that arrive over the Tailscale interface from Tailscale addresses. Even if the mesh were bypassed, for example by a misconfigured interface, the host still refuses every other inbound packet. Advisor data has defense in depth.

SSH Lockdown

The SSH daemon accepts connections only from Tailscale addresses. Password authentication is disabled and only key-based authentication is accepted, so there is no credential to guess. Nothing outside the tailnet can reach the daemon.

The Result

From the public internet there is no attack surface to scan, no port to probe, and no login page to brute-force. This removes the internet-facing attack classes (port scanning, credential stuffing, exploitation of exposed services) that account for the most common intrusions. It does not remove risks that arrive through ingested content or a compromised device inside the tailnet; those are addressed by the agent permission matrix, inbound defense and credential controls described below.
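The three settings above are the kind of thing a baseline check should verify rather than assume. The following is an added example, not Alpheous code: it audits an sshd_config and a pf.conf for the lockdown described (Tailscale-only listener, key-only authentication, default-deny inbound). The two sample configurations, the node address 100.101.102.103 and the interface name utun4 are constructed for illustration; the rule shapes are standard OpenSSH and pf syntax.

```python
"""Added example (not Alpheous code): audit an sshd_config and a pf.conf for the
lockdown described above. The two sample configs are constructed here; the rule
shapes are the usual OpenSSH and pf syntax."""
import ipaddress
import re

# Tailscale assigns IPv4 node addresses from the CGNAT block 100.64.0.0/10.
TAILSCALE_V4 = ipaddress.ip_network("100.64.0.0/10")

SSHD_WEAK = """
# Default-ish sshd_config: listens everywhere, passwords allowed
PasswordAuthentication yes
PubkeyAuthentication yes
"""

SSHD_LOCKED = """
ListenAddress 100.101.102.103      # this node's Tailscale address (constructed)
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
"""

PF_LOCKED = """
set skip on lo0
block drop in all                  # default deny for every inbound packet
pass out all keep state
# Only traffic arriving over the Tailscale tunnel from a Tailscale address
pass in on utun4 proto tcp from 100.64.0.0/10 to any port 22 keep state
"""


def parse_kv(text):
    """'Key value' lines, comments stripped, keys case-folded; repeats accumulate."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            conf.setdefault(key.casefold(), []).append(value.strip())
    return conf


def audit_sshd(text):
    """Findings for an sshd_config; an empty list means the lockdown holds.
    OpenSSH uses the first occurrence of a keyword, so index 0 is effective."""
    conf = parse_kv(text)

    def effective(key, default):
        return conf.get(key, [default])[0].casefold()

    findings = []
    if effective("passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication is not 'no'")
    if effective("kbdinteractiveauthentication", "yes") != "no":
        findings.append("KbdInteractiveAuthentication is not 'no' (password prompt via PAM)")
    if effective("pubkeyauthentication", "yes") != "yes":
        findings.append("PubkeyAuthentication is disabled")
    listens = conf.get("listenaddress", [])
    if not listens:
        findings.append("no ListenAddress: sshd binds every interface")
    for addr in listens:
        host = addr.rsplit(":", 1)[0] if re.fullmatch(r"[\d.]+:\d+", addr) else addr
        try:
            if ipaddress.ip_address(host) not in TAILSCALE_V4:
                findings.append(f"ListenAddress {addr} is outside the Tailscale range")
        except ValueError:
            findings.append(f"ListenAddress {addr!r} is not a literal Tailscale address")
    return findings


def audit_pf(text):
    """Findings for a pf ruleset: it needs a default inbound block, and every
    inbound pass rule must be pinned to the Tailscale interface or address block."""
    rules = [r.split("#", 1)[0].strip() for r in text.splitlines()]
    rules = [r for r in rules if r]
    findings = []
    if not any(re.fullmatch(r"block\s+(drop\s+|return\s+)?(in\s+)?all", r) for r in rules):
        findings.append("no default-deny inbound rule (block drop in all)")
    for r in rules:
        if r.startswith("pass in") and not ("on utun" in r or str(TAILSCALE_V4) in r):
            findings.append(f"inbound pass rule not limited to Tailscale: {r!r}")
    return findings


if __name__ == "__main__":
    print("weak sshd:", audit_sshd(SSHD_WEAK))
    print("locked sshd:", audit_sshd(SSHD_LOCKED))
    print("locked pf:", audit_pf(PF_LOCKED))
```

Run it against the live files (`/etc/ssh/sshd_config` and the pf ruleset) from the Security Monitor's baseline check and any non-empty result is configuration drift worth an alert.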

Agent Permission Matrix

Security defaults to least privilege. Every expansion of permissions is intentional and documented.

Targeting & Signals (6 agents): Distribution Intelligence, Territory Monitor, Trigger Monitor, Prospecting, Prospect Rebuild, Market Intel

  • Read access: CRM records, advisor filings (Form ADV, 13F), territory data, public market data, news feeds
  • Write access: FIT scores, prospect profiles, territory alerts, Slack reports
  • Requires approval: all outbound advisor-facing communications require human approval
  • Restrictions: read-only on CRM source data; cannot modify advisor records directly

Outreach & Coverage (6 agents): Meeting Prep, Follow-Up, Advisor Communications, Roadshow & Video, Events Intel, Pitch Book

  • Read access: CRM records, meeting transcripts, advisor communication history, knowledge base, calendar data
  • Write access: meeting briefs, follow-up drafts, pitch decks, event plans, Slack messages
  • Requires approval: every outbound communication requires wholesaler approval via Slack
  • Restrictions: all drafts pass the blocklist scanner; no auto-send capability

Compliance & Governance (5 agents): Regulatory Digest, Compliance Review, Content Compliance, Enforcement Watch, Audit & Action Log

  • Read access: all outbound content, regulatory databases, compliance rules, SEC/FINRA guidance, audit logs
  • Write access: compliance review reports, flagged items, regulatory digests, audit entries
  • Requires approval: can block distribution of non-compliant materials; the CCO makes the final call
  • Restrictions: cannot approve content; advisory and gate-keeping role only

Research & Intelligence (6 agents): Knowledge Base, Investment Strategist, Research Writer, Thought Leadership, Performance Reporting, Attribution Analytics

  • Read access: market data, fund performance, research databases, FRED economic data, knowledge base collections
  • Write access: research drafts, market commentary, performance reports, analytics dashboards
  • Requires approval: all published research and external-facing content requires compliance review
  • Restrictions: cannot publish directly; all outputs are drafts for review

Infrastructure (3 agents): Orchestrator, Security Monitor, Operations Intelligence

  • Read access: all agent statuses, system health, service logs, configuration files, security baselines
  • Write access: task dispatch, security remediation, upkeep scripts, Slack alerts
  • Requires approval: cross-agent coordination and escalation triggers
  • Restrictions: cannot modify agent configurations or access raw advisor data directly

Internal Data Boundaries

Data separation inside the appliance is enforced at the database level, not through prompt instructions. The distinction matters: an instruction in a prompt can be overridden by injected text, while a scope applied in the query itself cannot. Territory boundaries, knowledge tiers, and agent access controls are architectural.

Figure (described): four firm partitions, ABC, XYZ, QRS and MRD. An agent query scoped to ABC returns ABC rows only, plus the global knowledge tier (regulatory guidance, market data).

Two-Tier Knowledge Separation

The knowledge system uses two separate database tiers to enforce access control at the database boundary:

  • Market & Public Knowledge: FOMC data, FRED economic indicators, general market research (accessible to all queries)
  • Firm-Level Knowledge: Investment philosophy, compliance frameworks, operational playbooks (accessible to firm-scoped queries only)

Cross-Agent Isolation Rules

No advisor data is shared between agents except through explicit, logged handoffs. The orchestrator coordinates workflows across agents but does not merge contexts. All data access is logged, making unauthorized cross-contamination both preventable and detectable.
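The permission matrix, the firm-scoped query and the access log described above fit together in one data access layer. The block below is an added example, not Alpheous code: a SQLite-backed store in which an agent gets a policy object (deny by default), every firm-level query carries a `firm_id` predicate supplied by the store rather than by the caller, the global market tier is readable by every agent, and every access, allowed or denied, is logged. The agent and resource names follow the matrix; the schema, the sample rows for firms ABC and XYZ, and the `PermissionError` behaviour are this example's assumptions.

```python
"""Added example (not Alpheous code): a data access layer that enforces the
permission matrix and firm scoping at the query, not in the prompt."""
import sqlite3
from dataclasses import dataclass


@dataclass(frozen=True)
class AgentPolicy:
    reads: frozenset
    writes: frozenset


# Deny by default: a table absent from an agent's sets is unreachable for it.
MATRIX = {
    "Prospecting": AgentPolicy(frozenset({"crm_records", "fit_scores"}),
                               frozenset({"fit_scores"})),
    "Follow-Up": AgentPolicy(frozenset({"crm_records"}),
                             frozenset({"followup_drafts"})),
}
# Firm-level tables carry firm_id; the market tier is global and has none.
FIRM_SCOPED = {"crm_records", "fit_scores", "followup_drafts"}
GLOBAL_TIER = {"market_data"}


class ScopedStore:
    """One instance per (agent, firm). Every call is policy-checked and logged."""

    def __init__(self, conn, agent, firm_id):
        self.conn, self.agent, self.firm_id = conn, agent, firm_id
        self.policy = MATRIX[agent]
        self.access_log = []          # (agent, firm, op, table, outcome)

    def _check(self, op, table, allowed):
        if table not in FIRM_SCOPED | GLOBAL_TIER:
            raise ValueError(f"unknown table {table!r}")   # never interpolate unknown names
        if table not in allowed:
            self.access_log.append((self.agent, self.firm_id, op, table, "denied"))
            raise PermissionError(f"{self.agent} may not {op} {table}")

    def read(self, table):
        # Global tier is readable by every agent; firm tables only per the matrix.
        self._check("read", table, self.policy.reads | GLOBAL_TIER)
        if table in FIRM_SCOPED:
            # The scope lives in the WHERE clause; a prompt cannot widen it.
            rows = self.conn.execute(f"SELECT * FROM {table} WHERE firm_id = ?",
                                     (self.firm_id,)).fetchall()
        else:
            rows = self.conn.execute(f"SELECT * FROM {table}").fetchall()
        self.access_log.append((self.agent, self.firm_id, "read", table, "ok"))
        return rows

    def write(self, table, **row):
        self._check("write", table, self.policy.writes)
        if not all(k.isidentifier() for k in row):
            raise ValueError("bad column name")
        row["firm_id"] = self.firm_id            # the agent cannot choose the firm
        cols = ", ".join(row)
        marks = ", ".join("?" for _ in row)
        cur = self.conn.execute(f"INSERT INTO {table} ({cols}) VALUES ({marks})",
                                tuple(row.values()))   # values are always bound, never inlined
        self.access_log.append((self.agent, self.firm_id, "write", table, "ok"))
        return cur.lastrowid


def build_store(agent, firm_id):
    """In-memory database seeded with constructed rows for firms ABC and XYZ."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE crm_records (firm_id TEXT, advisor TEXT, aum_musd REAL);
        CREATE TABLE market_data (series TEXT, value REAL);
        CREATE TABLE fit_scores (firm_id TEXT, advisor TEXT, score REAL);
        CREATE TABLE followup_drafts (id INTEGER PRIMARY KEY, firm_id TEXT,
            advisor TEXT, body TEXT, approved INTEGER NOT NULL DEFAULT 0);
        INSERT INTO crm_records VALUES ('ABC','Sarah Lin',420),('ABC','Raj Patel',150),
                                       ('XYZ','Dana Ortiz',610);
        INSERT INTO market_data VALUES ('FEDFUNDS', 5.33);   -- constructed value
    """)
    return ScopedStore(conn, agent, firm_id)


def is_denied(fn, *args, **kwargs):
    """True if the call is refused by policy (shows deny-by-default in action)."""
    try:
        fn(*args, **kwargs)
    except PermissionError:
        return True
    return False
```

Note that `followup_drafts.approved` defaults to 0 and the store exposes no method that sets it: the human approval step has to happen outside the agent's reach, which is the property the permission matrix promises.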

Identity Protection

AI-generated communications must never reveal that AI was involved, expose internal operations, or disclose that any other firm relationship exists.

Identity Injection

Every draft generation prompt includes a mandatory identity block. The AI is instructed that it is a team member at the specific firm, writing in the distribution leader's voice. It cannot reference AI tools, internal systems, other firms, or the fact that it is an AI system. Advisor-facing communications maintain institutional quality. Because this block is an instruction to the model, it is a soft control: the deterministic scanner below is what actually enforces it.

The Blocklist Scanner

After marketing content is generated, it passes through a deterministic scanner. The scanner checks for AI tool references, competitor brand names, and phrasing that could reveal AI involvement, using a maintained term list rather than a model, so a given draft always produces the same verdict.

If any match is detected, the content is flagged and returns to the human reviewer for editing. There is no override mechanism for the blocklist scanner.

This is a hard gate by design for marketing content. The cost of a false positive (an advisor named Claude, say, triggers a second look) is dramatically lower than the cost of a brand violation.

Draft Scan example (sample draft shown on the page):

Hi Sarah, thanks for the update on the Q2 timeline. We have reviewed the revised schedule and the adjusted launch dates work for our team.
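What a deterministic scanner of this kind looks like in code, as an added example rather than the page's own scanner: the three categories are the page's, every term in the list is constructed for illustration, and the normalization step folds the evasions a scanner must not be fooled by (fullwidth letters, zero-width characters splitting a word, odd casing and spacing). Whole-token matching keeps "llm" from firing inside "Fillmore"; there is deliberately no allowlist parameter.

```python
"""Added example (not Alpheous code): a deterministic outbound blocklist scanner.
The categories are the page's; every term below is constructed for illustration."""
import re
import unicodedata

BLOCKLIST = {
    "ai_tool_reference": ["chatgpt", "gpt-4", "openai", "claude", "copilot", "llm",
                          "large language model"],
    "ai_involvement": ["as an ai", "ai-generated", "generated by ai", "i am an ai",
                       "language model"],
    "competitor_brand": ["northwind capital", "contoso asset management"],
}

ZERO_WIDTH = re.compile(r"[\u200b-\u200d\u2060\ufeff]")


def _normalize(text):
    """NFKC folds fullwidth and ligature forms; zero-width characters that split a
    word are dropped; whitespace is collapsed; casefold handles case."""
    text = unicodedata.normalize("NFKC", text)
    text = ZERO_WIDTH.sub("", text)
    return re.sub(r"\s+", " ", text).casefold()


def _pattern(term):
    # Whole-token match: 'llm' must not fire inside 'Fillmore'. A space in a
    # multi-word term matches any run of whitespace.
    body = r"\s+".join(re.escape(part) for part in term.split())
    return re.compile(rf"(?<![a-z0-9]){body}(?![a-z0-9])")


COMPILED = [(cat, term, _pattern(term))
            for cat, terms in BLOCKLIST.items() for term in terms]


def scan(draft):
    """Return every hit as (category, term, context). No allowlist, no override:
    a non-empty result means the draft goes back to a human for editing."""
    norm = _normalize(draft)
    hits = []
    for cat, term, pat in COMPILED:
        for m in pat.finditer(norm):
            ctx = norm[max(0, m.start() - 20): m.end() + 20]
            hits.append((cat, term, ctx))
    return hits


def passes(draft):
    return not scan(draft)


SAMPLE_DRAFT = ("Hi Sarah, thanks for the update on the Q2 timeline. We have reviewed "
                "the revised schedule and the adjusted launch dates work for our team.")

if __name__ == "__main__":
    print(passes(SAMPLE_DRAFT))
    print(scan("I used Chat\u200bGPT to polish this note."))
```

The term "claude" is in the list on purpose: it shows the false-positive trade-off the text describes, where a legitimate first name costs a human a second look rather than the scanner a blind spot.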

Self-Healing Infrastructure

All agents and supporting services are monitored continuously. When something breaks, the system restarts it, and escalates to a human if the restart does not take, before the failure reaches distribution operations.

Watchdog Service

A dedicated monitor checks all agents and services continuously. When a service fails consecutive health checks, the watchdog auto-restarts it. If the restart fails, an alert escalates to the critical channel. Distribution operations are never silently degraded.

Scheduled Job Monitoring

Tracks whether all scheduled operations ran on time and completed successfully. Missing or late jobs trigger alerts. This includes compliance checks, research data ingestion, and filing deadline monitors.

Critical Escalation

If a core service is down for 10+ continuous minutes, or if 3+ services are simultaneously down, the system escalates to the dedicated critical alert channel. Distribution operations disruptions are never silent.

Boot Recovery

All services run under launchd with KeepAlive and RunAtLoad set, so if the infrastructure reboots, every service comes back automatically and a crashed process is relaunched. Each service pins a specific runtime version to prevent breakage from system updates.

Daily Encrypted Backup

Every database, knowledge base, and audit log is backed up daily with encryption. Combined with nightly snapshots, the system can be restored to any previous day's state, so the most that can be lost is the work since the last snapshot. Due-diligence reviewers should ask to see a restore exercised, not just the backup job.

Service Health panel (snapshot at extraction, last checked 47s ago): Distribution Intelligence, Territory Monitor, Meeting Prep, Follow-Up, Advisor Communications, Regulatory Digest, Compliance Review, Knowledge Base, Investment Strategist, Research Writer, Orchestrator, Security Monitor and Operations Intelligence healthy; Trigger Monitor restarting.

Alert System

A dedicated alert channel surfaces the most important signals across all agents, all services, and all distribution operations.

  • Compliance Risk (critical): Marketing Rule violations detected in drafts, missing disclaimers, unsubstantiated performance claims, filing deadline warnings
  • Security Violations (critical): cross-firm data references in drafts, credential exposure, unauthorized access attempts, configuration drift
  • Operational Failures (critical): core service down 10+ minutes, 3+ services simultaneously down, crash-looping agents
  • Advisor Relationship Signals (high): unanswered advisor inquiries, warm-gone-cold detection, negative sentiment in communications
  • Distribution Operations (high): stalled outreach sequences, missed follow-up windows, coverage gaps detected
  • Data Integrity (high): audit log integrity violations, backup failures, credential drift detection, dependency vulnerabilities

A 30-minute deduplication window prevents alert fatigue: the same alert is not re-sent within that window. All agents feed into the alert system. Graceful fallback ensures that if the alert system itself is unavailable, all agents continue running normally; it is alert delivery, not agent execution, that degrades.
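The watchdog rules in the Self-Healing section (consecutive-failure restart, 10-minute and 3-service escalation, crash-loop detection) and the deduplication and graceful fallback described here are one state machine. The block below is an added example, not Alpheous code, that runs that state machine against a simulated clock. The 10-minute, 3-service and 30-minute thresholds come from the text; the restart-after-three-failures rule, the crash-loop threshold, the scenario and the service names used in it are this example's own.

```python
"""Added example (not Alpheous code): the watchdog and escalation rules as a
state machine driven by a simulated clock."""
from dataclasses import dataclass
from typing import Optional

FAILS_BEFORE_RESTART = 3          # consecutive failed checks (assumption)
CRASH_LOOP_RESTARTS = 3           # restarts of one service before it is a crash loop (assumption)
CRITICAL_DOWN_SECONDS = 10 * 60   # page: core service down 10+ minutes
CRITICAL_DOWN_COUNT = 3           # page: 3+ services down at once
DEDUP_SECONDS = 30 * 60           # page: 30-minute alert deduplication
CHECK_INTERVAL = 60               # scenario: one health sweep per minute


@dataclass
class ServiceState:
    failures: int = 0             # consecutive failed checks since last success/restart
    down_since: Optional[float] = None
    restarts: int = 0


class AlertChannel:
    """Critical channel with 30-minute dedup keyed on the alert identity."""

    def __init__(self):
        self.sent = []            # (time, key, severity, message)
        self._last = {}

    def send(self, now, key, severity, message):
        if key in self._last and now - self._last[key] < DEDUP_SECONDS:
            return False          # suppressed as a duplicate
        self._last[key] = now
        self.sent.append((now, key, severity, message))
        return True


class BrokenChannel:
    """Stand-in for an unreachable alert channel (graceful-fallback case)."""

    def send(self, *_):
        raise ConnectionError("alert channel unreachable")


class Watchdog:
    def __init__(self, restart_fn, channel):
        self.restart_fn, self.channel = restart_fn, channel
        self.state = {}
        self.dropped = []         # alerts lost because the channel was unreachable

    def _alert(self, now, key, severity, message):
        try:
            self.channel.send(now, key, severity, message)
        except ConnectionError as exc:   # alert path down: keep supervising, never crash
            self.dropped.append((now, key, str(exc)))

    def observe(self, now, health):
        """Consume one sweep of {service: healthy?} results; return services down."""
        for svc, healthy in health.items():
            st = self.state.setdefault(svc, ServiceState())
            if healthy:
                st.failures, st.down_since = 0, None
                continue
            st.failures += 1
            st.down_since = now if st.down_since is None else st.down_since
            if st.failures >= FAILS_BEFORE_RESTART:
                st.failures = 0                  # acted on it; count afresh
                st.restarts += 1
                if not self.restart_fn(svc):
                    self._alert(now, f"restart-failed:{svc}", "critical",
                                f"{svc}: automatic restart failed")
                if st.restarts >= CRASH_LOOP_RESTARTS:
                    self._alert(now, f"crash-loop:{svc}", "critical",
                                f"{svc}: restarted {st.restarts} times")
        down = [s for s, st in self.state.items() if st.down_since is not None]
        for svc in down:
            age = now - self.state[svc].down_since
            if age >= CRITICAL_DOWN_SECONDS:
                self._alert(now, f"down-10m:{svc}", "critical", f"{svc}: down for {int(age)}s")
        if len(down) >= CRITICAL_DOWN_COUNT:
            self._alert(now, "multi-down", "critical",
                        f"{len(down)} services down: {', '.join(sorted(down))}")
        return down


def run_scenario():
    """Constructed 12-minute scenario: Trigger Monitor is down from t=0 and cannot
    be restarted; Meeting Prep and Follow-Up fail from t=300 (their restarts
    'succeed' but they stay unhealthy). Returns the alerts that reached the channel."""
    channel = AlertChannel()
    wd = Watchdog(restart_fn=lambda svc: svc != "Trigger Monitor", channel=channel)
    for t in range(0, 12 * 60 + 1, CHECK_INTERVAL):
        wd.observe(t, {"Trigger Monitor": False,
                       "Meeting Prep": t < 300, "Follow-Up": t < 300,
                       "Orchestrator": True})
    return channel.sent


if __name__ == "__main__":
    for when, key, severity, message in run_scenario():
        print(f"t={when:4d}s {severity}: {message}  [{key}]")
```

In the scenario the channel receives exactly four alerts over twelve minutes (restart failure at 2 minutes, three services down at 5, crash loop at 8, ten-minute outage at 10) even though the watchdog tried to raise many more; the suppressed repeats are what the deduplication window is for.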

Audit Trail and Compliance Documentation

SEC-Ready Audit Trail

Comprehensive action logs: Every agent action records which agent acted, which advisor data it accessed, what action it took, what output it produced, the timestamp, the compliance status, and whether a human approved it. Designed for SEC recordkeeping requirements.
Cryptographic hash chain: Every log entry carries a SHA-256 hash of its contents and the hash of the previous entry, forming a tamper-evident chain. Any modification, insertion, deletion or reordering of entries breaks the chain at that point, and a single verification command checks integrity back to the first entry. The chain is tamper-evident, not tamper-proof: an attacker with write access to the log could rewrite every entry after the point of tampering, so the current head hash should also be recorded somewhere the host cannot alter, such as the daily encrypted backup or the private repository commit. Essential for regulatory examination defense.
Write safety: Log writes are protected by file locking with a retry timeout. The previous-hash lookup and the hash computation happen under the exclusive lock, so concurrent agent operations cannot interleave and corrupt the chain.
Log rotation with chain continuity: Rotating file handlers prevent unbounded disk growth. The first entry of a new file references the last hash of the rotated one, so the chain bridges rotation boundaries automatically. Nightly cleanup deletes temp logs older than 30 days while preserving audit-relevant records.
Version control: A daily auto-commit captures the full state of all non-secret files to a private repository, allowing a roll back to any previous day's state. Combined with the hash-chained audit logs, this provides complete historical documentation for regulatory inquiries.
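The four properties above (canonical hashing, previous-hash linkage, writes under an exclusive lock with a timeout, and a chain that survives rotation) are small enough to show end to end. The block below is an added example, not the Alpheous audit logger: it appends JSON-lines entries under a `flock` with a retry deadline, computes each entry's SHA-256 over its canonical JSON including `prev_hash`, bridges a rotation by reading the last hash from the rotated file, and verifies the whole chain, reporting where it first breaks. Field names, the single-rotation helper and the tamper scenario are this example's assumptions.

```python
"""Added example (not Alpheous code): an append-only, hash-chained audit log with
locked writes and chain continuity across one rotation."""
import fcntl
import hashlib
import json
import os
import tempfile
import time

GENESIS = "0" * 64


def _entry_hash(entry):
    """SHA-256 over canonical JSON of every field except 'hash' itself;
    prev_hash is part of the hashed body, which is what links the chain."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def _lock_exclusive(f, timeout=5.0):
    """flock with a retry deadline instead of blocking an agent forever."""
    deadline = time.monotonic() + timeout
    while True:
        try:
            fcntl.flock(f, fcntl.LOCK_EX | fcntl.LOCK_NB)
            return
        except BlockingIOError:
            if time.monotonic() >= deadline:
                raise TimeoutError("audit log lock not acquired")
            time.sleep(0.01)


def chain_files(path):
    """Rotated file first, then the live file: the order verification walks."""
    return [p for p in (f"{path}.1", path) if os.path.exists(p)]


def _last_hash(path):
    """Hash of the newest entry, falling back to the rotated file when the
    live file is empty; that fallback is how the chain bridges a rotation."""
    for candidate in (path, f"{path}.1"):
        if os.path.exists(candidate) and os.path.getsize(candidate) > 0:
            with open(candidate, "rb") as f:
                return json.loads(f.read().splitlines()[-1])["hash"]
    return GENESIS


def append_entry(path, **fields):
    """Append one entry; prev_hash lookup and hashing happen under the lock."""
    entry = {"ts": time.time(), **fields}
    with open(path, "ab") as f:
        _lock_exclusive(f)
        try:
            entry["prev_hash"] = _last_hash(path)
            entry["hash"] = _entry_hash(entry)
            f.write((json.dumps(entry, sort_keys=True) + "\n").encode())
            f.flush()
            os.fsync(f.fileno())
        finally:
            fcntl.flock(f, fcntl.LOCK_UN)
    return entry["hash"]


def rotate(path):
    """Single rotation (path -> path.1); call only from the sole writer."""
    os.replace(path, f"{path}.1")


def verify_chain(paths):
    """Walk every file in order; report the first break as (False, where)."""
    prev, count = GENESIS, 0
    for p in paths:
        with open(p) as f:
            for lineno, line in enumerate(f, 1):
                entry = json.loads(line)
                if entry["prev_hash"] != prev:
                    return False, f"{p}:{lineno} prev_hash mismatch (insert/delete/reorder)"
                if _entry_hash(entry) != entry["hash"]:
                    return False, f"{p}:{lineno} content hash mismatch (modified)"
                prev, count = entry["hash"], count + 1
    return True, f"{count} entries intact; head {prev}"


def run_demo():
    """Three entries, a rotation, two more, a verification; then one entry in
    the rotated file is edited in place and the chain is verified again."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "audit.log")
        for i in range(3):
            append_entry(path, agent="Follow-Up", action="draft", advisor=f"adv-{i}",
                         output=f"draft-{i}", compliance="pending", approved_by=None)
        rotate(path)
        append_entry(path, agent="Compliance Review", action="review", advisor="adv-0",
                     output="draft-0", compliance="cleared", approved_by=None)
        append_entry(path, agent="Advisor Communications", action="send", advisor="adv-0",
                     output="draft-0", compliance="cleared", approved_by="wholesaler")
        intact, detail = verify_chain(chain_files(path))
        with open(f"{path}.1") as f:
            lines = f.read().splitlines()
        edited = json.loads(lines[1])
        edited["action"] = "send"                       # rewriting history
        lines[1] = json.dumps(edited, sort_keys=True)
        with open(f"{path}.1", "w") as f:
            f.write("\n".join(lines) + "\n")
        return {"intact": intact, "detail": detail, "after_tamper": verify_chain(chain_files(path))}


if __name__ == "__main__":
    print(run_demo())
```

The head hash returned by `verify_chain` is the value to copy into the daily backup or commit; with it recorded off-host, rewriting the tail of the chain is detectable too.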

Code Quality as Security

Zero bare except clauses in production code. Every exception handler catches specific types, so a failure is reported rather than silently swallowed; no silent failure can mask a compliance issue.
Explicit timeouts on all external API calls. No call hangs indefinitely, so distribution operations are never blocked by an unresponsive external service.
Parameterized queries throughout all database operations. A formal audit identified and fixed every string-built query, which removes the SQL injection class rather than patching individual instances.
Atomic file writes using the tmp-plus-rename pattern: content is written to a temporary file in the same directory, flushed to disk, and renamed over the target, so a reader sees either the old file or the new one, never a partial write. Audit logs and firm data are never partially written.
Formal code audits with a documented, repeatable process. All critical issues resolved. Audit documentation maintained for due diligence review.
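The tmp-plus-rename pattern is worth seeing with its failure path exercised, since that is the case it exists for. The block below is an added example, not Alpheous code: a writer that stages to a temp file in the target's directory, fsyncs, renames over the target, fsyncs the directory, and on any failure removes the partial temp file and re-raises. The demo then simulates a disk-full error half-way through an update and shows that a reader still sees the previous complete file. The file name and the simulated error are constructed.

```python
"""Added example (not Alpheous code): atomic tmp-plus-rename writes, with the
failure path exercised. The simulated disk-full error is constructed."""
import json
import os
import tempfile


def atomic_write(path, write_fn, mode=0o600):
    """Write via a temp file in the same directory, fsync, then rename over path.
    Readers see the old file or the new one, never a partial write."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".tmp-", suffix=".part")
    done = False
    try:
        with os.fdopen(fd, "wb") as f:
            write_fn(f)
            f.flush()
            os.fsync(f.fileno())            # data on disk before the rename
        os.chmod(tmp, mode)
        os.replace(tmp, path)               # atomic on POSIX
        done = True
    finally:
        if not done and os.path.exists(tmp):
            os.unlink(tmp)                  # a failed write leaves nothing behind
    dfd = os.open(directory, os.O_RDONLY)
    try:
        os.fsync(dfd)                       # the directory entry reaches disk too
    finally:
        os.close(dfd)


def write_json_atomic(path, obj):
    atomic_write(path, lambda f: f.write(json.dumps(obj, sort_keys=True).encode()))


def run_demo():
    """Write a record, then attempt an update whose write fails half-way.
    Returns what a reader sees afterwards and how many temp files were left."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "firm_state.json")
        write_json_atomic(path, {"firm": "ABC", "version": 1})

        def failing_writer(f):
            f.write(b'{"firm": "ABC", "ver')          # partial content
            raise OSError(28, "No space left on device (simulated)")

        try:
            atomic_write(path, failing_writer)
            failed = False
        except OSError:                               # specific, and not swallowed
            failed = True
        with open(path, "rb") as f:
            seen = json.loads(f.read())
        leftovers = [n for n in os.listdir(d) if n.endswith(".part")]
        return {"failed": failed, "seen": seen, "leftover_temp_files": len(leftovers),
                "mode": oct(os.stat(path).st_mode & 0o777)}


if __name__ == "__main__":
    print(run_demo())
```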

Threat Mitigation for Financial Services

Not theoretical risks. These are documented attack vectors relevant to AI systems handling firm data and advisor communications.

Prompt Injection

Risk

Inbound emails, document uploads, and ingested content could contain adversarial instructions designed to manipulate AI behavior: causing an agent to leak advisor data, fabricate data, or bypass compliance gates.

Mitigation

A dedicated multi-category sanitization engine strips adversarial content from all untrusted input before it enters any AI model. It detects instruction overrides, role markers, boundary injection, jailbreak patterns, role spoofing, and unicode control character attacks, and is deployed across every agent that processes external content. Pattern-based sanitization reduces but cannot eliminate injection, so the compliance gate and human approval are the layers that must hold when a pattern is missed; an injected instruction that survives sanitization still cannot send anything on its own.

Data Exfiltration

Risk

AI agents with access to advisor data could be manipulated into including sensitive information in outputs: advisor contact details in public content, fund terms in marketing materials, or performance data in non-compliant contexts.

Mitigation

Per-firm data isolation at the database level prevents cross-firm exposure. The identity protection scanner checks all outbound content for cross-firm references and other information that must not leave the firm. The Compliance Review agent validates that no non-public fund information appears in public-facing content. No agent can access data outside its defined firm boundary.

Excessive Agency

Risk

The OWASP Top 10 for LLM Applications lists Excessive Agency as a primary failure mode: an AI system taking actions beyond its intended scope. For asset managers, this could mean unauthorized advisor communications or unapproved performance disclosures.

Mitigation

The trust escalation model, agent permission matrix, compliance gate, and human approval framework are direct mitigations. No agent can expand its own permissions. Every new capability follows a defined deployment process with compliance review. Advisor-facing approval gates are permanent and cannot be disabled.

Inbound Defense

Every piece of external content passes through multiple detection layers before it reaches any AI model or distribution operations workflow.

Prompt Injection Sanitization

A dedicated multi-category sanitization engine processes all untrusted input before it enters any AI model. It detects and strips instruction overrides, role markers, boundary injection, jailbreak patterns, role spoofing, and unicode control character attacks. The sanitizer never raises exceptions: it logs warnings and returns cleaned text. Deployed across every agent that processes external content.

Phishing Detection

Inbound communications are scanned for brand spoofing, display name impersonation, leet-speak evasion, and homoglyph typosquatting across financial institution domain mappings. Detected phishing attempts are flagged and quarantined before any agent processes them. Critical for protecting distribution operations from social engineering.

Document Screening

Uploaded documents and data feeds are screened for embedded adversarial content before entering agent workflows. Instructions hidden in advisor documents, research reports, or data files are stripped or the file is quarantined before it can influence any AI model.

Sanitizer entry point: sanitize_for_prompt()

Credential Management

Credentials are treated as high-value targets at every layer. Financial services data requires financial services security.

File Permissions

All credential-bearing files are set to owner read/write only (mode 0600). No credential file is world-readable or group-readable. All service configurations are locked to restrictive permissions.

No Hardcoded Keys

All API keys externalized to configuration files. Source code loads secrets at runtime via dedicated loader functions. Zero inline API keys in production files, validated through formal security audit.

Git Prevention

Comprehensive exclusion rules block all auth files, credential configs, and backup files from version control. History was scrubbed to remove any previously committed secrets from every historical commit. Scrubbing history does not revoke a secret: any key that ever reached a commit, a clone or a remote is treated as exposed and rotated.

Centralized Config

A single configuration file with restrictive permissions serves as the source of truth for primary credentials. Service-specific configs stored separately, each excluded from version control and permission-locked. Compromise of one service does not expose others.

Credential Audit

Formal audit documents every credential: where stored, what scopes it has, minimum required scopes, and remediation needed. All actionable items resolved including over-scoped permissions. Credential drift monitoring detects unauthorized changes to credential files in real time.
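The permission rule, the dedicated loader, and the drift check above are small enough to show as one routine. The block below is an added example, not Alpheous code: it audits credential files for group/other access, refuses to load a secret from a file that fails that audit, records a baseline manifest of content hash and mode, and reports drift against it. The file name, the placeholder key and the simulated tampering are constructed. This is a polling check; the page describes real-time monitoring, which would wrap the same comparison in a file-change notification.

```python
"""Added example (not Alpheous code): credential-file permission audit, a loader
that refuses over-permissive files, and a manifest-based drift check."""
import hashlib
import json
import os
import stat
import tempfile


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_permissions(paths):
    """Findings for files that must be owner read/write only (0600)."""
    findings = []
    for p in paths:
        try:
            st = os.stat(p)
        except FileNotFoundError:
            findings.append((p, "missing"))
            continue
        mode = stat.S_IMODE(st.st_mode)
        if mode & 0o077:
            findings.append((p, f"mode {mode:04o} is readable or writable by group/other"))
        if stat.S_ISLNK(os.lstat(p).st_mode):
            findings.append((p, "is a symlink and could point outside the locked directory"))
    return findings


def load_secret(path, key):
    """Dedicated loader: refuses a credential file that fails the permission
    check, so an over-permissive file is caught at first use, not at audit time."""
    problems = audit_permissions([path])
    if problems:
        raise PermissionError(f"refusing to load {path}: {problems[0][1]}")
    with open(path) as f:
        return json.load(f)[key]


def build_manifest(paths):
    """Baseline: content hash and mode of every credential file."""
    return {p: {"sha256": _sha256(p), "mode": stat.S_IMODE(os.stat(p).st_mode)}
            for p in paths}


def detect_drift(manifest):
    """Compare the files against the baseline; anything changed is a finding."""
    drift = []
    for p, base in manifest.items():
        if not os.path.exists(p):
            drift.append((p, "deleted"))
            continue
        mode = stat.S_IMODE(os.stat(p).st_mode)
        if mode != base["mode"]:
            drift.append((p, f"mode changed {base['mode']:04o} -> {mode:04o}"))
        if _sha256(p) != base["sha256"]:
            drift.append((p, "content changed"))
    return drift


def run_demo():
    """Lock a constructed credential file, baseline it, then simulate someone
    loosening its mode and editing it; return what the checks report."""
    with tempfile.TemporaryDirectory() as d:
        cfg = os.path.join(d, "credentials.json")
        with open(cfg, "w") as f:
            json.dump({"CRM_API_KEY": "constructed-not-a-real-key"}, f)
        os.chmod(cfg, 0o600)
        clean_before = audit_permissions([cfg]) == []
        key = load_secret(cfg, "CRM_API_KEY")
        manifest = build_manifest([cfg])
        os.chmod(cfg, 0o644)                          # simulated drift
        with open(cfg, "w") as f:
            json.dump({"CRM_API_KEY": "edited-by-someone"}, f)
        try:
            load_secret(cfg, "CRM_API_KEY")
            refused = False
        except PermissionError:
            refused = True
        return {"clean_before": clean_before, "key": key,
                "drift": detect_drift(manifest), "refused_after": refused}


if __name__ == "__main__":
    print(run_demo())
```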

See the Full Security Architecture Live

We do not send a PDF. We show you the production system: approval flows, compliance gates, audit logs, data isolation, and every security layer described in this document. On a live call with your operations team.