Technical Deep Dive

Security Architecture for Financial Services

This document provides complete technical detail on every layer of the AssetBoxx security architecture. It is intended for CCOs, CIOs, operations teams, and due diligence evaluators who need to understand exactly how the system protects LP data, enforces regulatory compliance, and maintains fiduciary-grade operational integrity.

Network Architecture

Your AssetBoxx infrastructure exposes no services on public interfaces, has no SSH reachable from the internet, and has no externally routable IP address. LP data sits on infrastructure that cannot be reached from the public internet.

Tailscale Mesh VPN

Every connection is a WireGuard tunnel, encrypted end-to-end and authenticated by device key rather than by password or network location. Traffic flows peer-to-peer, so there is no VPN concentrator carrying LP data and no single device whose loss cuts the others off. One caveat a reviewer should keep in view: Tailscale's coordination server never sees traffic, but it does distribute node keys and access rules, so device approval and ACLs configured there deserve the same scrutiny as the hosts. Access works from anywhere without opening ports or standing up a traditional VPN, which matters for asset managers who need secure remote access to fund operations.

macOS PF Firewall

A second layer of defense at the packet-filter level. Even if a Tailscale control were bypassed, PF drops every inbound connection that does not arrive over the Tailscale interface, so the only path to any listening service is through an authenticated tailnet peer. LP data has defense in depth.

SSH Lockdown

sshd listens only on the host's Tailscale address and accepts connections only from tailnet peers. Password and keyboard-interactive authentication are disabled; only public-key authentication is accepted. Nothing outside the tailnet can reach the SSH service.
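As an added check (example code, not part of the AssetBoxx system): a small audit of the effective sshd configuration, fed from `sshd -T`, that confirms the lockdown above holds on a host. The sample dumps below are constructed; the only real constant is Tailscale's 100.64.0.0/10 address range, and the audit assumes SSH is bound to the IPv4 tailnet address.

```python
from __future__ import annotations

import ipaddress
import sys

TAILSCALE_NET = ipaddress.ip_network("100.64.0.0/10")   # Tailscale's CGNAT address range

# (accepted key names, required value). `sshd -T` prints keys in lower case; older
# OpenSSH calls keyboard-interactive "challengeresponseauthentication".
REQUIRED = [
    (("passwordauthentication",), "no"),
    (("kbdinteractiveauthentication", "challengeresponseauthentication"), "no"),
    (("pubkeyauthentication",), "yes"),
    (("permitrootlogin",), "no"),
]


def parse_sshd_dump(text: str) -> dict[str, list[str]]:
    """Parse `sshd -T` output into {key: [values]} (listenaddress repeats per value)."""
    settings: dict[str, list[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        settings.setdefault(key.lower(), []).append(value.strip())
    return settings


def _listen_host(value: str) -> str:
    """Drop the port from a ListenAddress value: '100.1.2.3:22', '[::]:22', '0.0.0.0:22'."""
    if value.startswith("["):
        return value[1:value.index("]")]
    host, _, _ = value.rpartition(":")
    return host or value


def audit_sshd(text: str) -> list[str]:
    """Findings against the Tailscale-only, key-only posture; an empty list means it holds."""
    settings = parse_sshd_dump(text)
    findings = []
    for keys, wanted in REQUIRED:
        got = next((settings[k][0] for k in keys if k in settings), "<unset>")
        if got != wanted:
            findings.append(f"{keys[0]} is {got!r}, expected {wanted!r}")
    listens = settings.get("listenaddress", [])
    if not listens:
        findings.append("no listenaddress: sshd would bind every interface")
    for value in listens:
        try:
            addr = ipaddress.ip_address(_listen_host(value))
        except ValueError:
            findings.append(f"unparseable listenaddress {value!r}")
            continue
        if addr not in TAILSCALE_NET:          # an IPv6 wildcard also lands here
            findings.append(f"listenaddress {value!r} is outside {TAILSCALE_NET}")
    return findings


# Constructed dumps: a locked-down host and a stock install.
SAMPLE_LOCKED = """\
passwordauthentication no
kbdinteractiveauthentication no
pubkeyauthentication yes
permitrootlogin no
listenaddress 100.101.102.103:22
"""
SAMPLE_DEFAULT = """\
passwordauthentication yes
kbdinteractiveauthentication yes
pubkeyauthentication yes
permitrootlogin prohibit-password
listenaddress [::]:22
listenaddress 0.0.0.0:22
"""

if __name__ == "__main__":
    # `sudo sshd -T | python audit_sshd.py -` audits the live host; no argument runs the samples.
    dumps = {"stdin": sys.stdin.read()} if "-" in sys.argv[1:] else {"locked": SAMPLE_LOCKED, "default": SAMPLE_DEFAULT}
    for name, dump in dumps.items():
        result = audit_sshd(dump)
        print(name, "OK" if not result else result)
```

The check reads the effective configuration rather than sshd_config, so a `Match` block or an include that re-enables password authentication is caught too.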

The Result

There is no public attack surface to scan, no port to probe, and no login page to brute-force; from the public internet the infrastructure is invisible. For asset managers handling sensitive LP data, this removes the attack categories that begin with an exposed service. Threats that arrive inside the content the agents ingest (email, documents, data feeds) are a different class and are addressed under Inbound Defense below.

Agent Permission Matrix

Security defaults to least privilege. Every expansion of permissions is intentional and documented.

AI Gateway

Read: All agent statuses, task queues, system health, Slack channels
Write: Task dispatch, routing decisions, Slack alerts
Approval: Cross-agent coordination and escalation triggers
Restrictions: Cannot modify agent configurations or access raw data stores directly

Knowledge Base & RAG Agent

Read: All knowledge sources, fund documents, SOPs, transcripts, email archives
Write: None
Approval: None required
Restrictions: Blocks queries about compensation, HR, personal communications

Operations Intelligence Agent

Read: Service health, cron schedules, disk usage, credentials expiry, logs
Write: Upkeep task execution, remediation scripts, Slack reports
Approval: None required
Restrictions: AI-gated execution with safety checks; cannot modify security configs

Security Monitor Agent

Read: All configs, logs, file permissions, network ports, dependencies
Write: Permission fixes, config corrections, security remediation scripts
Approval: None required
Restrictions: Cannot modify application code; allowlisted commands only

Team Leader Agent

Read: All agent statuses, task queues, performance metrics, Slack channels
Write: Priority adjustments, coordination directives, Slack reports
Approval: Cross-agent task reassignment
Restrictions: Cannot override individual agent security permissions

Investment Strategist Agent

Read: Market data feeds, competitor filings, fund databases, knowledge base
Write: Strategy memos, research drafts, Slack reports
Approval: All external-facing strategy content
Restrictions: Cannot access portfolio-level trade data or execute transactions

Managing Partner Assistant Agent

Read: Gmail, Calendar, CRM, Knowledge Base, meeting transcripts
Write: Email drafts, calendar suggestions, Slack messages
Approval: All outbound emails require MP confirmation
Restrictions: Drafts must pass blocklist scanner; no auto-send capability

LP Experience Agent

Read: LP inboxes, CRM records, email history, knowledge base
Write: Email drafts, triage reports, Slack alerts
Approval: All LP-facing replies require human confirmation
Restrictions: Drafts pass blocklist scanner; correction loop active

Fundraising & BD Agent

Read: CRM, prospect databases, LinkedIn, news feeds, knowledge base
Write: Prospect profiles, meeting briefs, Slack reports
Approval: All outbound prospect communications
Restrictions: GP approval gate on any external-facing messages

Fund Operations Agent

Read: Fund admin data, capital account records, calendars, compliance deadlines
Write: Deadline reminders, workflow triggers, Slack reports
Approval: All capital call and distribution notices
Restrictions: Cannot initiate wire transfers or modify capital accounts

General Purpose Reasoning Agent

Read: Knowledge base, public data sources, all non-restricted internal data
Write: Research memos, analysis drafts, Slack messages
Approval: External-facing documents require human review
Restrictions: Cannot access restricted LP data or compliance-sensitive records without escalation

LP Communications Expert Agent

Read: Fund performance data, LP records, prior communications, knowledge base
Write: Letter drafts, notice drafts, communication templates
Approval: All LP-facing communications require GP sign-off
Restrictions: Cannot send communications directly; all outputs are drafts

CRM & Portal Builder Agent

Read: CRM data, portal configuration, investor records
Write: CRM workflows, portal pages, automation rules
Approval: Portal publish and workflow activation require confirmation
Restrictions: Human confirmation gate before any CRM or portal write

Compliance Review Agent

Read: All outbound content, regulatory databases, compliance rules, knowledge base
Write: Compliance review reports, flagged items, remediation suggestions
Approval: Can block distribution of non-compliant materials
Restrictions: Cannot approve content — only flag and recommend; CCO makes final call

Investment Research Writer Agent

Read: Market data, fund performance, research databases, knowledge base
Write: Research drafts, commentary drafts, white paper drafts
Approval: All published research requires CIO and compliance review
Restrictions: Cannot publish directly; all outputs pass through compliance gate

LinkedIn & Thought Leadership Agent

Read: Published content, brand guidelines, engagement metrics, knowledge base
Write: Post drafts, content calendar entries, Slack reports
Approval: All social posts require GP and compliance approval
Restrictions: Cannot post directly to any social platform

Content Guardian Agent

Read: All content drafts, brand guidelines, style guides, terminology dictionaries
Write: Style correction suggestions, quality scores, Slack alerts
Approval: Can flag content for revision before distribution
Restrictions: Cannot modify content directly; only suggests corrections

Fund Performance & Reporting Agent

Read: Fund performance data, capital accounts, benchmark databases, fund admin feeds
Write: Performance reports, attribution analyses, capital account drafts
Approval: All LP-facing performance data requires CFO sign-off
Restrictions: Cannot modify source performance data; read-only on fund admin systems

Analytics & Attribution Agent

Read: Portal analytics, email engagement data, content metrics, CRM activity logs
Write: Analytics dashboards, engagement reports, Slack digests
Approval: None (internal reporting only)
Restrictions: Cannot access raw PII; works with anonymized/aggregated engagement data

Institutional Visibility Agent

Read: News feeds, conference databases, award registries, public filings
Write: Visibility reports, citation alerts, Slack digests
Approval: None (monitoring only)
Restrictions: Cannot submit award applications or register for events directly

Pitch Book Designer Agent

Read: Fund data, performance metrics, brand assets, prior decks, knowledge base
Write: Deck drafts, one-pager drafts, design templates
Approval: All external decks require IR and compliance review
Restrictions: Cannot distribute materials; outputs are drafts for review

Virtual Roadshow & Video Agent

Read: LP lists, event calendars, prior transcripts, brand guidelines
Write: Script drafts, event plans, follow-up sequences
Approval: All scripts and event plans require GP and compliance review
Restrictions: Cannot send invitations or publish videos directly

Market Intelligence Monitor Agent

Read: News APIs, podcast feeds, research databases, public filings
Write: Intelligence digests, trend reports, Slack briefings
Approval: None (internal intelligence only)
Restrictions: Cannot redistribute third-party copyrighted content

Conference Intelligence Agent

Read: Conference databases, CRM contacts, LP travel intel, calendars
Write: Meeting requests, conference briefs, follow-up tasks
Approval: Meeting requests require GP confirmation
Restrictions: Cannot book travel or register for events without approval

Web & Portal Developer Agent

Read: Website CMS, portal configuration, compliance rules, analytics
Write: Page drafts, portal configurations, audit reports
Approval: All public page changes require compliance and GP review
Restrictions: Cannot publish to production without explicit approval

Deal Flow Intelligence Agent

Read: Deal pipeline, market data, portfolio company data, knowledge base
Write: Screening memos, deal scores, monitoring reports, Slack alerts
Approval: All screening memos require IC review before circulation
Restrictions: Cannot approve or reject deals; advisory role only
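As an added illustration of how a matrix like the one above becomes an enforced check (example code, not AssetBoxx's own): a default-deny `authorize()` over three entries transcribed from the matrix. Resource labels, the agent keys, the approver role name and the `approved_by` parameter are assumptions; in a real deployment that value would come from an approval record held by the orchestrator, never from the agent asking.

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Decision(Enum):
    ALLOW = "allow"
    NEEDS_APPROVAL = "needs_approval"
    DENY = "deny"


@dataclass(frozen=True)
class AgentPolicy:
    read: frozenset[str]
    write: frozenset[str]
    approval: frozenset[str] = frozenset()   # writes that need a human gate
    approver: str = ""                       # role that must sign off (assumption)


# Never writable by any agent, whatever the matrix says: an agent must not be able
# to expand its own permissions or touch security configuration.
PROTECTED = frozenset({"permission_matrix", "security_config"})

# Three entries transcribed from the matrix above; resource labels are illustrative.
MATRIX: dict[str, AgentPolicy] = {
    "fund_operations": AgentPolicy(
        read=frozenset({"fund_admin_data", "capital_accounts", "calendars", "compliance_deadlines"}),
        write=frozenset({"deadline_reminders", "workflow_triggers", "slack_reports",
                         "capital_call_notice", "distribution_notice"}),
        approval=frozenset({"capital_call_notice", "distribution_notice"}),
        approver="fund_operations_lead",
    ),
    "knowledge_base": AgentPolicy(
        read=frozenset({"fund_documents", "sops", "transcripts", "email_archives"}),
        write=frozenset(),
    ),
    "security_monitor": AgentPolicy(
        read=frozenset({"configs", "logs", "file_permissions", "network_ports"}),
        write=frozenset({"file_permissions", "configs"}),
    ),
}


def authorize(agent: str, action: str, resource: str, approved_by: Optional[str] = None) -> Decision:
    """Default deny: only an explicit grant allows, and gated writes need a human.
    `approved_by` stands in for an approval record checked by the orchestrator; the
    agent itself must never be the source of that value."""
    if resource in PROTECTED:
        return Decision.DENY
    policy = MATRIX.get(agent)
    if policy is None:
        return Decision.DENY
    if action == "read":
        return Decision.ALLOW if resource in policy.read else Decision.DENY
    if action == "write":
        if resource not in policy.write:
            return Decision.DENY
        if resource in policy.approval:
            return Decision.ALLOW if approved_by == policy.approver else Decision.NEEDS_APPROVAL
        return Decision.ALLOW
    return Decision.DENY   # any other verb (send, execute, wire) is never implicit
```

The last line is the property that matters most: a verb the matrix does not know about, such as "execute" or "send", is denied rather than treated as a read.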

LP Data Isolation

Every firm gets complete data isolation enforced at the database level, not through prompt instructions. LP records, fund documents, and investor communications are separated by infrastructure controls.

[Diagram: four firm codes (ABC, XYZ, QRS, MRD). An agent query issued under firm code ABC is answered from ABC data only, plus global knowledge (HubSpot docs, best practices).]

Per-Firm Data Boundaries

Every firm's data is completely isolated: LP contact information, fund performance records, investor communications, compliance documents, and research outputs. This isolation is enforced at the database level across every agent and every data store. When any of the 26 agents operates on Fund A's data, Fund B's data is architecturally inaccessible.

Three-Tier Knowledge Separation

The knowledge system uses three separate database tiers to enforce access control at the database boundary:

  • Market & Public Knowledge: FOMC data, FRED economic indicators, general market research (accessible to all queries)
  • Firm-Level Knowledge: Investment philosophy, compliance frameworks, operational playbooks (accessible to firm queries only)
  • LP-Specific Knowledge: Investor communications, fund documents, LP records, performance data (accessible only when the matching firm code is active)

Cross-Agent Isolation Rules

No LP data is shared between agents except through explicit, logged handoffs. The orchestrator coordinates workflows across the 26 agents but does not merge firm contexts. All data access is logged with the firm code attached, making unauthorized cross-contamination both preventable and detectable. This is critical for firms managing multiple funds.
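As an added example of the three-tier rule and the firm-coded access log working together (example code, not AssetBoxx's own store): a SQLite-backed `KnowledgeStore` whose query path binds the active firm code into the SQL for the firm and LP tiers and refuses the LP tier without one, logging every access with the firm code attached. The table layout, the agent names and the five sample rows are constructed.

```python
from __future__ import annotations

import sqlite3
from typing import Optional

SCHEMA = """
CREATE TABLE knowledge (
    id INTEGER PRIMARY KEY,
    tier TEXT NOT NULL CHECK (tier IN ('public', 'firm', 'lp')),
    firm_code TEXT,                 -- NULL exactly when tier = 'public'
    body TEXT NOT NULL,
    CHECK ((tier = 'public') = (firm_code IS NULL))
);
CREATE TABLE access_log (
    id INTEGER PRIMARY KEY,
    agent TEXT NOT NULL,
    firm_code TEXT,
    tier TEXT NOT NULL,
    rows_returned INTEGER NOT NULL
);
"""

# Constructed rows: one public fact, one firm-level note and one LP record per firm.
SAMPLE_ROWS = [
    ("public", None, "FOMC held rates steady"),
    ("firm", "ABC", "ABC investment philosophy: concentrated, long-dated"),
    ("firm", "XYZ", "XYZ investment philosophy: diversified credit"),
    ("lp", "ABC", "ABC LP Sarah: Q2 capital account statement"),
    ("lp", "XYZ", "XYZ LP letter draft, Q2"),
]


class KnowledgeStore:
    def __init__(self, conn: sqlite3.Connection):
        self.conn = conn
        conn.executescript(SCHEMA)
        conn.executemany("INSERT INTO knowledge (tier, firm_code, body) VALUES (?, ?, ?)", SAMPLE_ROWS)

    def query(self, agent: str, tier: str, active_firm: Optional[str]) -> list[str]:
        """Rows visible to `agent` at `tier` under `active_firm`. The firm code is bound
        into the SQL for the firm and lp tiers, so a query made under ABC cannot return
        XYZ rows whatever the prompt asked for, and the lp tier refuses to run without
        an active firm at all."""
        if tier == "public":
            sql, params = "SELECT body FROM knowledge WHERE tier = 'public'", ()
        elif tier in ("firm", "lp"):
            if active_firm is None:
                raise PermissionError(f"{tier} tier requires an active firm code")
            sql, params = "SELECT body FROM knowledge WHERE tier = ? AND firm_code = ?", (tier, active_firm)
        else:
            raise ValueError(f"unknown tier {tier!r}")
        rows = [r[0] for r in self.conn.execute(sql, params)]
        # Every access is logged with the firm code attached (cross-agent isolation rule).
        self.conn.execute(
            "INSERT INTO access_log (agent, firm_code, tier, rows_returned) VALUES (?, ?, ?, ?)",
            (agent, active_firm, tier, len(rows)),
        )
        return rows

    def access_log(self) -> list[tuple]:
        return list(self.conn.execute("SELECT agent, firm_code, tier, rows_returned FROM access_log"))


def demo_store() -> KnowledgeStore:
    return KnowledgeStore(sqlite3.connect(":memory:"))
```

In a server database the same rule is better expressed as row-level security keyed on a per-connection firm setting, so that it still holds for a query path that forgets the filter; the query-layer version above is the minimum that makes the boundary a property of the SQL rather than of the prompt.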

Multi-Instance Isolation

The system runs across isolated process spaces, each with its own file permissions. A shared group grants controlled read-only access to common market data. Cross-instance file exchange uses a permission-locked dropbox directory. No instance can write to another's data directly.

Blocked Knowledge Sources

When drafting LP-facing content, the system is explicitly blocked from querying firm-internal knowledge and other sources that could cause data leaks. Only safe sources are queried: public market data, the specific firm's own communication history, and fund documents filtered by firm code.

Identity Protection

AI-generated communications must never reveal that AI was involved in producing them, expose internal operations, or disclose that any other fund relationship exists.

Identity Injection

Every draft generation prompt includes a mandatory identity block. The AI is instructed that it is a team member at the specific firm, writing in the GP's voice. It cannot reference AI tools, internal systems, other funds, or the fact that it is an AI system. Investor communications maintain the institutional quality LPs expect.

The Blocklist Scanner

After every draft is generated, it passes through a hard-gate scanner before it can be approved or sent. The scanner checks for AI tool references, internal system names, cross-fund information, and any content that could reveal AI involvement to LPs or the public.

If any match is detected, the draft is blocked entirely. It is not posted. It is not sent. A violation alert fires immediately. There is no override mechanism.

This is a hard gate by design. The cost of a false positive (a delayed communication) is dramatically lower than the cost of a false negative (an LP discovering AI involvement or a cross-fund data leak).

Draft Scan (interactive demo; sample draft shown):

Hi Sarah, thanks for the update on the Q2 timeline. We have reviewed the revised schedule and the adjusted launch dates work for our team.
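As an added example of the hard-gate behaviour described above (example code, not the page's scanner): a `scan_draft()` that normalizes the text, runs every category of pattern over it and blocks on the first hit, with no allow-list and no override parameter. The pattern lists are illustrative stand-ins for the real blocklist, and the firm codes reuse the ones in the isolation diagram.

```python
from __future__ import annotations

import re
import unicodedata
from dataclasses import dataclass, field

# Illustrative patterns per category; the real blocklist is longer and firm-specific.
BLOCKLIST = {
    "ai_reference": [r"\bAI\b", r"\bChatGPT\b", r"\bGPT-?\d", r"\bClaude\b", r"\bLLM\b",
                     r"\blanguage model\b", r"\bgenerated by\b", r"\bas an? (?:AI|assistant)\b"],
    "internal_system": [r"\bAI Gateway\b", r"\bWatchdog\b", r"\bKnowledge Base\b", r"\bSlack\b"],
    # Any sibling firm named in a draft; the drafting firm may name itself.
    "cross_fund": [r"\b(?:ABC|XYZ|QRS|MRD) (?:Capital|Partners|Fund)\b"],
}


@dataclass
class ScanResult:
    blocked: bool
    hits: list[tuple[str, str]] = field(default_factory=list)   # (category, matched text)


def _normalize(text: str) -> str:
    """Fold compatibility forms and drop format/control characters so a zero-width
    space inside a blocked term cannot slip it past the patterns."""
    text = unicodedata.normalize("NFKC", text)
    return "".join(ch for ch in text if ch in "\n\t" or unicodedata.category(ch) not in ("Cf", "Cc"))


def scan_draft(text: str, active_firm: str = "ABC") -> ScanResult:
    """Hard gate: a single hit anywhere blocks the draft. There is deliberately no
    allow-list parameter and no override flag; a false positive costs only a delay."""
    cleaned = _normalize(text)
    hits: list[tuple[str, str]] = []
    for category, patterns in BLOCKLIST.items():
        for pat in patterns:
            for m in re.finditer(pat, cleaned, flags=re.IGNORECASE):
                if category == "cross_fund" and m.group(0).upper().startswith(active_firm):
                    continue
                hits.append((category, m.group(0)))
    return ScanResult(blocked=bool(hits), hits=hits)
```

The normalization step is what turns a pattern list into a gate: without it, "Chat" followed by a zero-width space and "GPT" reads as clean text to every regex and as "ChatGPT" to the LP.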

Self-Healing Infrastructure

26 agents and all supporting services monitored continuously. When something breaks, the system fixes itself before it impacts fund operations.

Watchdog Service

A dedicated monitor checks all agents and services continuously. When a service fails consecutive health checks, the watchdog auto-restarts it. If the restart fails, an alert escalates to the critical channel. Fund operations are never silently degraded.

Connection Integrity Monitoring

Monitors all communication channels and detects duplicate or stale connections that cause message routing issues. Auto-restarts affected services when anomalies are detected. Critical for ensuring LP communications and compliance alerts are never missed.

Scheduled Job Monitoring

Tracks whether all scheduled operations ran on time and completed successfully. Missing or late jobs trigger alerts. This includes compliance checks, research data ingestion, and filing deadline monitors.

Critical Escalation

If a core service is down for 10+ continuous minutes, or if 3+ services are simultaneously down, the system escalates to the dedicated critical alert channel. Fund operations disruptions are never silent.
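As an added example of the watchdog loop and the two escalation rules above (example code, not AssetBoxx's watchdog), with the 30-minute alert deduplication the Alert System section describes as the delivery sink. The 10-minute and 3-service thresholds are the page's; the "three consecutive failed checks before a restart" threshold, the injected clock and the service set are assumptions so the loop can be exercised without real processes.

```python
from __future__ import annotations

import time
from dataclasses import dataclass, field
from typing import Callable, Optional

FAILS_BEFORE_RESTART = 3        # assumption: consecutive failed checks before a restart
DOWN_ESCALATE_SECS = 10 * 60    # page: core service down 10+ minutes
MULTI_DOWN_ESCALATE = 3         # page: 3+ services simultaneously down
DEDUP_SECS = 30 * 60            # page: 30-minute alert deduplication


@dataclass
class Service:
    name: str
    core: bool
    check: Callable[[], bool]        # health probe; True when healthy
    restart: Callable[[], bool]      # True when the restart succeeded
    consecutive_failures: int = 0
    down_since: Optional[float] = None


@dataclass
class AlertSink:
    """Delivers (channel, message) pairs, suppressing repeats inside the dedup window."""
    clock: Callable[[], float] = time.time
    sent: list[tuple[str, str]] = field(default_factory=list)
    _last: dict[str, float] = field(default_factory=dict)

    def alert(self, channel: str, message: str) -> bool:
        now = self.clock()
        key = f"{channel}:{message}"
        if now - self._last.get(key, float("-inf")) < DEDUP_SECS:
            return False                          # deduplicated
        self._last[key] = now
        self.sent.append((channel, message))
        return True


class Watchdog:
    def __init__(self, services: list[Service], sink: AlertSink, clock: Callable[[], float] = time.time):
        self.services, self.sink, self.clock = services, sink, clock

    def tick(self) -> None:
        """One monitoring cycle: probe, restart on repeated failure, then apply the
        escalation rules over the whole fleet."""
        now = self.clock()
        for svc in self.services:
            if svc.check():
                svc.consecutive_failures, svc.down_since = 0, None
                continue
            svc.consecutive_failures += 1
            if svc.down_since is None:
                svc.down_since = now
            if svc.consecutive_failures >= FAILS_BEFORE_RESTART:
                if svc.restart():
                    self.sink.alert("ops", f"{svc.name}: restarted after {svc.consecutive_failures} failed checks")
                    svc.consecutive_failures = 0   # down_since stays set until a probe passes
                else:
                    self.sink.alert("critical", f"{svc.name}: restart failed")
        down = [s for s in self.services if s.down_since is not None]
        if len(down) >= MULTI_DOWN_ESCALATE:
            self.sink.alert("critical", f"{len(down)} services down simultaneously")
        for svc in down:
            if svc.core and now - svc.down_since >= DOWN_ESCALATE_SECS:
                self.sink.alert("critical", f"{svc.name}: core service down 10+ minutes")
```

Two details are deliberate: `down_since` is cleared only by a passing probe, not by a "successful" restart, so a service that restarts cleanly and immediately fails again still trips the 10-minute rule; and deduplication is keyed on channel plus message, so a repeated "restart failed" is suppressed while the later, different "down 10+ minutes" escalation still goes out.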

Boot Recovery

All services run as launchd jobs with KeepAlive and RunAtLoad set. If the infrastructure reboots, every service comes back automatically, and a service that exits is relaunched. Each service pins a specific runtime version to prevent breakage from system updates.

Daily Encrypted Backup

Every database, knowledge base, and audit log is backed up daily using chunked resumable uploads with exponential backoff. Failed uploads retry automatically. Backup failures alert to the critical channel. Combined with nightly snapshots, the system can be restored to any previous day's state. LP data is never at risk of loss.

Service Health

[Live dashboard. Monitored services: AI Gateway, Email Poller, Draft Service, Slack Monitor, Front Monitor, Email Draft Agent, Time Tracking, Meeting Intel, Security Agent, Upkeep Brain, Watchdog, Cron Dispatcher. Each shows its current status (Healthy or Restarting) and the time of the last check.]

Alert System

A dedicated alert channel surfaces the most important signals across all 26 agents, all services, and all fund operations.

Compliance Risk (critical): Marketing Rule violations detected in drafts, missing disclaimers, unsubstantiated performance claims, filing deadline warnings

Security Violations (critical): Cross-firm data references in drafts, credential exposure, unauthorized access attempts, configuration drift

Operational Failures (critical): Core service down 10+ minutes, 3+ services simultaneously down, crash-looping agents

LP Relationship Signals (high): Unanswered LP inquiries, redemption language detected, negative sentiment in investor communications

Fund Operations (high): Stalled quarterly reports, missed distribution deadlines, capital call notice delays

Data Integrity (high): Audit log integrity violations, backup failures, credential drift detection, dependency vulnerabilities

30-minute deduplication prevents alert fatigue. All 26 agents feed into the alert system. Graceful fallback ensures that if the alert system itself is unavailable, all agents continue running normally.

Autonomous Security Agent

A dedicated security agent monitors the entire infrastructure around the clock, diagnoses issues, and fixes them automatically with safety guardrails designed for financial services operations.

Continuous Security Checks

On a continuous cycle, the security agent validates file permissions on all credential-bearing files, scans for unexpected open ports, checks service logs for credential leaks and prompt injection attempts, verifies configuration integrity, detects configuration drift via SHA-256 baselines, and monitors log health across all 26 agents.

Weekly Deep Security Audit

Every week, a comprehensive audit adds additional checks: data access control verification across all firm boundaries, cross-agent permission validation, dependency vulnerability scanning, and threat intelligence monitoring. A full report with risk scoring is produced automatically.

Monthly Compliance Posture Report

Monthly automated assessment of the platform's compliance posture: SEC recordkeeping adherence, audit trail integrity, data isolation verification, access control review, and documentation completeness. Designed for CCO review and regulatory examination readiness.

AI-Powered Self-Healing

When the security agent finds an issue it cannot auto-fix with standard rules, it escalates to a multi-stage diagnostics pipeline: gather context, diagnose with a reasoning model, execute the fix with safety guardrails, and verify the result. Dangerous commands are blocked by an explicit allowlist and blocklist system.

Credential and Config Drift Monitoring

All configuration files and credential stores are baselined with SHA-256 hashes. Any unauthorized modification triggers an immediate alert and investigation. Configuration drift is detected before it becomes a security exposure. Critical for maintaining the security posture financial regulators expect.
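As an added example of SHA-256 baselining and drift detection over config and credential files (example code, not AssetBoxx's monitor): a fingerprint that records content hash, mode and owner, a `drift()` that classifies every difference, and a `demo()` that builds a throwaway directory, baselines it, then edits a file and loosens its mode. Paths and file contents are constructed; the baseline file name and its 0600 mode are assumptions.

```python
from __future__ import annotations

import hashlib
import json
import os
import tempfile
from pathlib import Path
from typing import Optional


def fingerprint(path: Path) -> dict:
    """SHA-256 of the content plus the metadata that matters for a credential file."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    st = path.stat()
    return {"sha256": h.hexdigest(), "mode": oct(st.st_mode & 0o777), "uid": st.st_uid}


def baseline(paths: list[Path]) -> dict[str, dict]:
    return {str(p): fingerprint(p) for p in paths if p.is_file()}


def drift(base: dict[str, dict], current: dict[str, dict]) -> list[tuple[str, str, str]]:
    """(path, kind, detail) for every difference; an empty list means no drift."""
    findings = []
    for path in sorted(set(base) | set(current)):
        old, new = base.get(path), current.get(path)
        if old is None:
            findings.append((path, "added", new["sha256"][:12]))
        elif new is None:
            findings.append((path, "removed", old["sha256"][:12]))
        else:
            if old["sha256"] != new["sha256"]:
                findings.append((path, "modified", f"{old['sha256'][:12]} -> {new['sha256'][:12]}"))
            if old["mode"] != new["mode"]:
                findings.append((path, "permissions", f"{old['mode']} -> {new['mode']}"))
            if old["uid"] != new["uid"]:
                findings.append((path, "owner", f"uid {old['uid']} -> {new['uid']}"))
    return findings


def save_baseline(base: dict[str, dict], out: Path) -> None:
    """The baseline is itself a target: keep it owner-only (and, in practice, keep a
    copy off the host it describes, which this example does not do)."""
    out.write_text(json.dumps(base, indent=2, sort_keys=True))
    os.chmod(out, 0o600)


def demo(root: Optional[Path] = None) -> list[tuple[str, str, str]]:
    """Constructed scenario: baseline two files, then edit one and loosen its mode."""
    root = root or Path(tempfile.mkdtemp())
    creds, cfg = root / "credentials.json", root / "service.conf"
    creds.write_text('{"api_key": "REDACTED"}')
    os.chmod(creds, 0o600)
    cfg.write_text("timeout=30\n")
    os.chmod(cfg, 0o600)
    base = baseline([creds, cfg])
    save_baseline(base, root / "baseline.json")
    cfg.write_text("timeout=30\nallow_all=true\n")
    os.chmod(cfg, 0o644)
    return drift(base, baseline([creds, cfg]))
```

Hashing content alone would miss the second finding in the demo: a credential file whose bytes are unchanged but whose mode became group-readable is drift of exactly the kind the permission checks earlier on this page exist to catch.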

Log Integrity Monitoring

Integrity is verified at two levels: per-entry SHA-256 hash chains detect modification, insertion, or deletion of individual log entries, while file-level hashes detect bulk truncation or replacement. Stale services trigger alerts. Tamper-evident logging is essential for SEC recordkeeping compliance.

Audit Trail and Compliance Documentation

SEC-Ready Audit Trail

  • Comprehensive Action Logs: Every agent action records which agent acted, which LP data was accessed, what action was taken, what output was produced, the timestamp, the compliance status, and whether a human approved it. Designed for SEC recordkeeping requirements.
  • Cryptographic Hash Chain: Every log entry carries a SHA-256 hash of its contents and a reference to the previous entry's hash, forming a tamper-evident chain. Any modification, insertion, or deletion of entries breaks the chain. A single verification command confirms integrity back to the first entry. Essential for regulatory examination defense.
  • Write Safety: Log writes are protected by file locking with a retry timeout. Hash chain computation happens under the exclusive lock, so two concurrent agents cannot both chain off the same predecessor and no entry is corrupted by an interleaved write.
  • Log Rotation with Chain Continuity: Rotating file handlers prevent unbounded disk growth. Hash chains bridge rotation boundaries automatically. Nightly cleanup deletes temp logs older than 30 days while preserving audit-relevant records.
  • Version Control: A daily auto-commit captures the full state of all non-secret files to a private repository, so any previous day's state can be restored. Combined with the hash-chained audit logs, this provides complete historical documentation for regulatory inquiries.
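As an added example of the hash chain, the locked write and the rotation bridge described under Log Integrity Monitoring and in the list above (example code, not AssetBoxx's logger): a JSON-lines audit log where each entry hashes its own fields plus the previous entry's hash, `append()` holds an exclusive `flock` while it reads the predecessor and writes, and `verify()` walks the rotated file and the current file in order and names the first broken link. The entry fields, the GENESIS value and the `<name>.1` rotation convention are assumptions; `fcntl` makes this POSIX-only.

```python
from __future__ import annotations

import fcntl            # POSIX advisory locks (Linux/macOS)
import hashlib
import json
import tempfile
import time
from pathlib import Path
from typing import Optional

GENESIS = "0" * 64   # the "previous hash" of the very first entry (assumption)


def _entry_hash(entry: dict) -> str:
    """SHA-256 over every field except the hash itself, in canonical JSON."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True, separators=(",", ":")).encode()).hexdigest()


def _last_hash(path: Path) -> str:
    """Hash of the last entry in `path`; an empty or new file chains off the rotated
    predecessor `<name>.1` (the rotation convention assumed here), else GENESIS."""
    if path.exists() and path.stat().st_size > 0:
        return json.loads(path.read_bytes().splitlines()[-1])["hash"]
    rotated = path.with_name(path.name + ".1")
    if rotated.exists() and rotated.stat().st_size > 0:
        return json.loads(rotated.read_bytes().splitlines()[-1])["hash"]
    return GENESIS


def append(path: Path, agent: str, action: str, firm_code: Optional[str], approved_by: Optional[str]) -> dict:
    """Append one entry under an exclusive lock: the predecessor hash is read and the new
    line written while the lock is held, so two agents cannot both chain off the same entry."""
    with path.open("a+") as fh:
        fcntl.flock(fh, fcntl.LOCK_EX)
        try:
            entry = {"ts": time.time(), "agent": agent, "action": action,
                     "firm_code": firm_code, "approved_by": approved_by, "prev": _last_hash(path)}
            entry["hash"] = _entry_hash(entry)
            fh.write(json.dumps(entry, sort_keys=True) + "\n")
            fh.flush()
        finally:
            fcntl.flock(fh, fcntl.LOCK_UN)
    return entry


def verify(paths: list[Path]) -> Optional[str]:
    """None if the chain is intact across the files in the order given, else where it broke."""
    expected_prev = GENESIS
    for p in paths:
        for n, line in enumerate(p.read_text().splitlines(), 1):
            entry = json.loads(line)
            if entry.get("prev") != expected_prev:
                return f"{p.name}:{n}: prev hash mismatch (entry inserted or deleted before it)"
            if entry.get("hash") != _entry_hash(entry):
                return f"{p.name}:{n}: content hash mismatch (entry modified)"
            expected_prev = entry["hash"]
    return None


def demo() -> tuple[Optional[str], Optional[str], Optional[str]]:
    """Constructed run: intact chain across a rotation, then a forged approval, then a
    deleted entry. Returns the three verify() results."""
    root = Path(tempfile.mkdtemp())
    log, old = root / "audit.log", root / "audit.log.1"
    append(log, "fund_operations", "draft_capital_call", "ABC", None)
    append(log, "compliance_review", "flag_missing_disclaimer", "ABC", None)
    log.rename(old)                                                    # nightly rotation
    append(log, "fund_operations", "send_capital_call", "ABC", "cfo")  # chains off audit.log.1
    intact = verify([old, log])
    original = log.read_text()
    forged = json.loads(original)
    forged["approved_by"] = "agent_self"                               # rewrite the approval
    log.write_text(json.dumps(forged, sort_keys=True) + "\n")
    modified = verify([old, log])
    log.write_text(original)
    old.write_text(old.read_text().splitlines()[0] + "\n")             # drop the flag entry
    deleted = verify([old, log])
    return intact, modified, deleted
```

The chain proves the file is the one that was written, not that it was written by an honest process: an attacker who can append under the same lock can append valid entries. Pairing the chain with the SHA-256 baseline of the closed, rotated files, and shipping those hashes off the host, is what makes silent rewriting of history detectable from outside.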

Code Quality as Security

  • Zero bare except clauses in production code. Every exception handler catches specific types, so no silent failure can mask a compliance issue.
  • Explicit timeouts on all external API calls. No call hangs indefinitely; fund operations are never blocked by an unresponsive external service.
  • Parameterized queries throughout all database operations. A formal audit identified and fixed all injection patterns; LP data is never exposed through query manipulation.
  • Atomic file writes using the tmp-plus-rename pattern. No corruption from interrupted writes; audit logs and fund data are never partially written.
  • Formal code audits with a documented, repeatable process. All critical issues resolved; audit documentation maintained for due diligence review.

Threat Mitigation for Financial Services

Not theoretical risks. These are documented attack vectors relevant to AI systems handling fund data and investor communications.

Prompt Injection

Risk

Inbound emails, document uploads, and ingested content could contain adversarial instructions designed to manipulate AI behavior — causing an agent to leak LP data, fabricate performance numbers, or bypass compliance gates.

Mitigation

A dedicated multi-category sanitization engine strips adversarial content from all untrusted input before it enters any AI model. It detects instruction overrides, role markers, boundary injection, jailbreak patterns, role spoofing, and unicode control character attacks. Deployed across every agent that processes external content. The compliance gate and human approval provide additional defense layers.

Data Exfiltration

Risk

AI agents with access to LP data could be manipulated into including sensitive information in outputs — investor contact details in public content, fund terms in marketing materials, or performance data in non-compliant contexts.

Mitigation

Per-firm data isolation at the database level prevents cross-fund exposure. The identity protection scanner checks all outbound content for sensitive information, and the Compliance Review agent validates that no non-public fund information appears in public-facing content. No agent can access data outside its defined firm boundary.

Excessive Agency

Risk

The OWASP Agentic AI guidelines identify this as a primary failure mode: an AI system taking actions beyond its intended scope. For asset managers, this could mean unauthorized investor communications or unapproved performance disclosures.

Mitigation

The trust escalation model, agent permission matrix, compliance gate, and human approval framework are direct mitigations. No agent can expand its own permissions. Every new capability follows a defined deployment process with compliance review. LP-facing approval gates are permanent and cannot be disabled.

Inbound Defense

Every piece of external content passes through multiple detection layers before it reaches any AI model or fund operation workflow.

Prompt Injection Sanitization

A dedicated multi-category sanitization engine processes all untrusted input before it enters any AI model. It detects and strips instruction overrides, role markers, boundary injection, jailbreak patterns, role spoofing, and unicode control character attacks. The sanitizer never raises exceptions: it logs warnings and returns cleaned text. Deployed across every agent that processes external content.
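As an added example of the sanitizer's contract (example code, not the page's sanitize_for_prompt()): a multi-category `sanitize_untrusted()` that strips control and formatting characters, removes each category of adversarial text, records what it removed per category, logs a warning, and never raises. The pattern set is illustrative and far from complete; the sample email in the test is constructed.

```python
from __future__ import annotations

import logging
import re
import unicodedata

log = logging.getLogger("sanitizer")

# One compiled pattern per category; matches are removed from untrusted input.
CATEGORIES = {
    "instruction_override": re.compile(
        r"(?i)\b(?:ignore|disregard|forget)\s+(?:all\s+|any\s+)?(?:previous|prior|above|earlier)"
        r"\s+(?:instructions?|prompts?|rules?)\b[^.\n]*"),
    "role_marker": re.compile(r"(?im)^\s*(?:system|assistant|user|developer)\s*:\s*"),
    "boundary_injection": re.compile(
        r"(?i)(?:<\|?/?(?:im_start|im_end|system|endoftext)\|?>|\[/?INST\]|<</?SYS>>)"),
    "jailbreak": re.compile(
        r"(?i)\b(?:DAN mode|developer mode|you are now (?:unrestricted|free)|no longer bound by)\b[^.\n]*"),
    "role_spoof": re.compile(
        r"(?i)\b(?:this is|i am) (?:your|the) (?:system|administrator|developer|operator)\b[^.\n]*"),
}
_KEEP = {"\n", "\t"}   # the only control characters allowed through


def _strip_controls(text: str) -> tuple[str, int]:
    """NFKC-fold, then drop format (Cf), control (Cc) and private-use (Co) characters:
    zero-width joiners, bidi overrides and the like hide text from pattern matching."""
    kept, removed = [], 0
    for ch in unicodedata.normalize("NFKC", text):
        if ch in _KEEP or unicodedata.category(ch) not in ("Cf", "Cc", "Co"):
            kept.append(ch)
        else:
            removed += 1
    return "".join(kept), removed


def sanitize_untrusted(text: str, source: str = "unknown") -> tuple[str, dict[str, int]]:
    """Return (cleaned_text, {category: removals}). Never raises: any failure is logged
    and the call fails closed with empty text, so bad input cannot crash an agent."""
    report: dict[str, int] = {}
    try:
        cleaned, n = _strip_controls(text if isinstance(text, str) else str(text))
        if n:
            report["unicode_control"] = n
        for name, pattern in CATEGORIES.items():
            cleaned, n = pattern.subn("", cleaned)
            if n:
                report[name] = n
        if report:
            log.warning("sanitized %d item(s) from %s: %s", sum(report.values()), source, report)
        return re.sub(r"[ \t]{2,}", " ", cleaned).strip(), report
    except Exception as exc:            # defensive: the sanitizer must not be a crash vector
        log.error("sanitizer failure on %s: %r", source, exc)
        return "", report
```

Stripping is a first layer, not a proof of safety: paraphrased instructions that match no pattern still reach the model, which is why the page keeps the compliance gate and human approval behind it.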

Phishing Detection

Inbound communications are scanned for brand spoofing, display name impersonation, leet-speak evasion, and homoglyph typosquatting across financial institution domain mappings. Detected phishing attempts are flagged and quarantined before any agent processes them. Critical for protecting fund operations from social engineering.
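As an added example of the sender checks described above (example code, not AssetBoxx's detector): a `check_sender()` that folds a From: header's display name and domain into a skeleton (NFKC, zero-width removal, a short confusables table, leet-speak) and compares against a brand-to-domain map, flagging homoglyph or leet look-alikes, brand names embedded in unrelated domains, and display names that claim a brand the sender's domain does not belong to. The brand map is constructed, the confusables table is a small sample, and the registrable-domain helper is a crude stand-in for a public-suffix list.

```python
from __future__ import annotations

import unicodedata
from email.utils import parseaddr

# Constructed brand -> legitimate-domain map; a deployment maintains the real one.
BRAND_DOMAINS: dict[str, set[str]] = {
    "citibank": {"citi.com", "citibank.com"},
    "jpmorgan": {"jpmorgan.com", "jpmchase.com"},
    "fidelity": {"fidelity.com"},
}

# Leet-speak digits/symbols an attacker substitutes for letters.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})
# Cyrillic/Greek look-alikes that survive NFKC normalization (a short sample).
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u03bf": "o", "\u03bd": "v",
})


def skeleton(s: str) -> str:
    """Fold case, compatibility forms, zero-width characters, confusables and leet
    into one canonical spelling so look-alikes compare equal to the brand."""
    s = unicodedata.normalize("NFKC", s).lower()
    s = "".join(ch for ch in s if unicodedata.category(ch) != "Cf")
    return s.translate(CONFUSABLES).translate(LEET)


def registrable(domain: str) -> str:
    """Crude eTLD+1 (last two labels). Assumption: use a public-suffix list in production."""
    return ".".join(domain.split(".")[-2:])


def check_sender(from_header: str) -> list[str]:
    """Return phishing indicators for a From: header; an empty list means none matched."""
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["unparseable sender address"]
    domain = addr.rsplit("@", 1)[1]
    domain_skel = skeleton(domain)
    display_skel = skeleton(display)
    findings = []
    for brand, good in BRAND_DOMAINS.items():
        exact = registrable(domain.lower()) in good
        lookalike = not exact and registrable(domain_skel) in {skeleton(d) for d in good}
        if lookalike:
            findings.append(f"homoglyph/leet look-alike of a {brand} domain: {domain!r}")
        elif not exact and brand in domain_skel:
            findings.append(f"domain {domain!r} embeds brand {brand!r} but is not a {brand} domain")
        if not exact and brand in display_skel:
            findings.append(f"display name {display!r} claims {brand} but sender domain is {domain!r}")
    return findings
```

A sender that passes this check is not therefore safe; it only means the header does not impersonate a mapped brand. Authentication results (SPF, DKIM, DMARC) belong in the same triage but are a separate signal.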

Document Screening

Uploaded documents and data feeds are screened for embedded adversarial content before entering agent workflows. Malicious payloads hidden in investor documents, research reports, or data files are neutralized before they can influence any AI model.

Sanitizer entry point: sanitize_for_prompt()

Credential Management

Credentials are treated as high-value targets at every layer. Financial services data requires financial services security.

File Permissions

All credential-bearing files set to owner read/write only. No credential file is world-readable. All service configurations locked to restrictive permissions.

No Hardcoded Keys

All API keys externalized to configuration files. Source code loads secrets at runtime via dedicated loader functions. Zero inline API keys in production files, validated through formal security audit.

Git Prevention

Comprehensive exclusion rules block all auth files, credential configs, and backup files from version control. History was scrubbed to remove any previously committed secrets from every historical commit. Because a history rewrite does not recall clones that already hold the old commits, any secret that was ever committed should be treated as exposed and rotated, not merely removed.

Centralized Config

A single configuration file with restrictive permissions serves as the source of truth for primary credentials. Service-specific configs stored separately, each excluded from version control and permission-locked. Compromise of one service does not expose others.
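As an added example of the file-permission, no-hardcoded-keys and git-exclusion rules above working as one runtime check (example code, not AssetBoxx's loader): a `load_secret()` that refuses a credential file unless it is a regular file owned by the running user with no group/other access and outside any git work tree, plus the `check_credential_file()` audit it relies on. The JSON layout, the tmp files and the key values in `demo()` are constructed.

```python
from __future__ import annotations

import json
import os
import stat
import tempfile
from pathlib import Path


class CredentialError(RuntimeError):
    pass


def check_credential_file(path: Path) -> list[str]:
    """Findings that make a credential file unsafe to load; an empty list means OK."""
    findings = []
    try:
        st = path.lstat()
    except FileNotFoundError:
        return ["missing"]
    if stat.S_ISLNK(st.st_mode):
        findings.append("is a symlink")          # could point anywhere, e.g. into a repo
    elif not stat.S_ISREG(st.st_mode):
        findings.append("not a regular file")
    if st.st_uid != os.getuid():
        findings.append(f"owned by uid {st.st_uid}, not the service user")
    if st.st_mode & 0o077:
        findings.append(f"mode {oct(st.st_mode & 0o777)} grants group/other access")
    # Any ancestor that is a git work tree is a leak path, whatever .gitignore says.
    if any((parent / ".git").exists() for parent in path.resolve().parents):
        findings.append("inside a git work tree")
    return findings


def load_secret(path: Path, key: str) -> str:
    """Load one key from a JSON credential file at runtime, or raise CredentialError.
    Nothing is cached at import time, so the secret never lives in source."""
    problems = check_credential_file(path)
    if problems:
        raise CredentialError(f"{path}: " + "; ".join(problems))
    with path.open("rb") as fh:
        data = json.load(fh)
    if key not in data:
        raise CredentialError(f"{path}: no key {key!r}")
    return data[key]


def demo() -> tuple[str, list[str], list[str]]:
    """Constructed: a correct 0600 file, a 0644 file, and a file inside a fake repo."""
    root = Path(tempfile.mkdtemp())
    good = root / "config.json"
    good.write_text(json.dumps({"api_key": "example-not-a-real-key"}))
    os.chmod(good, 0o600)
    loose = root / "service.json"
    loose.write_text(json.dumps({"token": "x"}))
    os.chmod(loose, 0o644)
    repo = root / "repo"
    (repo / ".git").mkdir(parents=True)
    committed = repo / "auth.json"
    committed.write_text("{}")
    os.chmod(committed, 0o600)
    return load_secret(good, "api_key"), check_credential_file(loose), check_credential_file(committed)
```

Refusing to load, rather than warning and continuing, is the point: a service that starts with a group-readable key will keep running with it until someone reads the log, whereas one that fails to start gets fixed the same day.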

Credential Audit

Formal audit documents every credential: where stored, what scopes it has, minimum required scopes, and remediation needed. All actionable items resolved including over-scoped permissions. Credential drift monitoring detects unauthorized changes to credential files in real time.

See the Full Security Architecture Live

We do not send a PDF. We show you the production system: approval flows, compliance gates, audit logs, data isolation, and every security layer described in this document. On a live call with your operations team.

Every claim in this document is verifiable in the live system.