Kamba — Symphony Deployment Architecture
Symphony AWS VPC  ·  Single-container deployment

Kamba — Symphony
Deployment Architecture

Kamba operates exclusively within Symphony's approved infrastructure perimeter — isolated from Symphony's own internal systems, and isolated from the outside world. Nothing enters. Only user-initiated, allowlisted data queries leave.

Contained within Symphony's approved perimeter Isolated from Symphony's internal systems No access to anything outside Symphony VPC Zero inbound connections Ephemeral — no data persistence CloudWatch · CloudTrail full audit
Deployment model
Single container · ECS / EC2
Perimeter
Fully within Symphony's approved VPC
Internal isolation
No access to Symphony core systems
Inbound connections
Zero — none accepted
Data persistence
None — ephemeral only
🔐 Dual Isolation
Fully contained within Symphony's approved perimeter — isolated on both sides

Kamba operates exclusively inside Symphony's AWS VPC — the same infrastructure Scotiabank has already reviewed, approved, and deployed. It is isolated in two directions simultaneously: inward, with no lateral access to Symphony's own databases, services, or core infrastructure; and outward, with no access to any system outside Symphony's VPC except user-initiated, explicitly allowlisted data provider endpoints. Kamba cannot reach Scotiabank's internal network, the public internet, or any other environment independently. It accepts zero inbound connections. All egress is user-initiated and governed by Symphony's own network controls.

01  ·  System Architecture
Single-container deployment inside
Symphony's AWS VPC.
Symphony Platform
Symphony Messaging
Chat interface & bot framework. Kamba connects here to receive and respond to user queries.
WebSocket connection
Kamba-initiated
WSS:// · outbound
☁ Symphony AWS VPC Region: us-east-1 (configurable)
Private Subnet — Kamba Dedicated
Docker Host (ECS / EC2)
Container: kamba:latest
Kamba Engine
AI-powered financial analysis platform
Symphony WS Client
LLM Orchestration Layer
Query Parser & Router
Data Provider Connectors
Response Synthesizer
LLM-agnostic — any approved model. The LLM interprets queries only. No client data is ever shared with the LLM.
⚠ Container Local Filesystem
Ephemeral Storage
Transient scratch space for intermediate processing during each request.

No data persists beyond a single request lifecycle. All scratch files, query data, and results are wiped automatically. No external volumes or persistent storage attached.
Request → Process → Wipe
Data Connectors
Internal Sources
Admin-provisioned · read-only access
Data Lakes & Warehouses
Snowflake · Redshift · BigQuery · S3
Outbound Read-only
Documents & Files
PDFs · Excel · CSV · Research docs
Outbound Read-only
Internal Systems
Portfolio systems · Emails · Feeds
Outbound Read-only
External Sources
User-selected & connected · no provider active without explicit user action
Outbound only · TLS 1.2+
Licensed Data Providers
FactSet · Bloomberg · Refinitiv
HTTPS Outbound User-connected
Public APIs
SEC EDGAR · regulatory filings
HTTPS Outbound User-connected
Web Search
Configurable provider
HTTPS Outbound User-connected
02  ·  Security Controls
Four layers of network enforcement —
by design, not by configuration.
🔒
Security Groups
No inbound rules
Outbound: port 443 allowlist only
🛡
Network ACLs
Allowlisted user-connected
endpoints only
🚧
Subnet Isolation
No lateral access to
Symphony core infrastructure
📋
CloudWatch / CloudTrail
Full audit logging
of all network traffic
03  ·  Data Flow & Security Posture
Isolated inward. Isolated outward.
Contained entirely within Symphony's perimeter.
Data Flow
Kamba-initiated WebSocket — within Symphony

Kamba Engine opens an outbound WebSocket (WSS) to Symphony Messaging to receive and respond to user queries. This connection stays entirely within Symphony's VPC. No inbound connections are accepted by the container.

External data calls are user-initiated and outbound only

The only traffic that leaves Symphony's VPC is outbound HTTPS to data providers explicitly connected by the user. No provider is reachable without a deliberate user action to connect it. Every active endpoint is enforced at the Security Group and Network ACL layer — no other external destination is reachable.

Zero data persistence

Transient storage is scoped to individual request lifecycles. No PII, query data, or results survive beyond a single message. Nothing is written to external storage.

Key Security Properties
Dual isolation — the complete picture

Kamba is isolated from Symphony's own internal systems (no lateral access to Symphony databases, services, or core infrastructure) and from everything outside Symphony's VPC (no independent access to Scotiabank's internal network, the public internet, or any unapproved destination). The container exists in its own sealed subnet with no path in or out except what is explicitly defined.

LLM-agnostic — client data never reaches the model

Kamba works with any institutionally approved LLM. The model receives only the user's natural language query — never the underlying data. Data retrieval, validation, and synthesis happen entirely within Kamba's engine inside Symphony's VPC. The LLM interprets intent; it never sees or processes client data.

Symphony's network controls govern all egress

Egress from the container flows through Symphony's own Security Groups and Network ACLs. Scotiabank's approved vendor controls are enforced at the network layer on every connection Kamba makes — internal connectors are read-only and admin-provisioned; external connectors are user-connected with no provider active by default.

04  ·  Why data is safe inside Symphony's environment
Symphony is the financial industry's most
trusted secure messaging infrastructure.

Symphony Communications is purpose-built for regulated financial institutions — banks, asset managers, broker-dealers — where data confidentiality is non-negotiable. Scotiabank has already completed its vendor due diligence and approved Symphony as a platform. Kamba runs entirely within that approved perimeter, inheriting its security architecture by design.

🏦
Built for regulated finance
Symphony was architected from day one for banks, not adapted for them. Every security property — encryption, isolation, access controls, audit logging — was designed with financial regulatory requirements as the baseline, not an afterthought.
Symphony is an approved vendor at Scotiabank
Scotiabank's IT and compliance teams have already assessed and approved Symphony as a vendor. Kamba runs inside that same approved infrastructure — operating within a perimeter the bank already trusts and governs.
🔒
Bank-grade encryption everywhere
Symphony enforces end-to-end encryption with customer-managed keys. The institution controls its own encryption keys — Symphony itself cannot access message or data content. This is the gold standard for financial data confidentiality.
Symphony's security architecture — property by property
🗝️
Customer-Managed Encryption Keys (CMEK)
Each institution holds its own encryption keys. Data encrypted with Scotiabank's keys cannot be decrypted by Symphony, by Kamba, or by any other party — including in the event of a Symphony-side breach. The bank retains cryptographic control at all times.
Zero-knowledge architectureBank controls keys
🏗️
Dedicated tenant isolation
Scotiabank's Symphony environment is fully isolated from other institutions. No shared infrastructure, no shared databases, no co-tenancy. Kamba's container runs in a private subnet dedicated exclusively to Scotiabank's deployment.
Single-tenant per institutionNo co-tenancy
🛡️
SOC 2 Type II certified
Symphony holds SOC 2 Type II certification — an independent, third-party audit of security, availability, processing integrity, confidentiality, and privacy controls over a sustained period. The certification financial institutions require for cloud-hosted infrastructure.
Third-party auditedAnnual recertification
📋
Immutable audit trails
Every action within Symphony generates an immutable, tamper-evident audit log. Every Kamba query, data access, and model invocation is logged with full user attribution, timestamps, and outcomes. Logs are exportable and retained to the institution's required schedule.
User-attributed per actionExportable & immutable
🌐
DLP & content controls
Symphony includes Data Loss Prevention controls configurable by the institution's compliance team. Policies can flag or block content matching sensitive patterns — account numbers, trade identifiers, client data — before it reaches any downstream system including Kamba.
Configurable by ScotiabankPolicy-enforced
👤
Role-based access & eDiscovery
Access to Kamba within Symphony is governed by Symphony's role-based access controls. Scotiabank's administrators control who can interact with Kamba and which channels it can access. Symphony's eDiscovery tools allow compliance teams to search, retrieve, and preserve any Kamba interaction for regulatory purposes.
Admin-controlled accesseDiscovery-ready
🏢
Regulatory compliance certifications
Symphony is deployed at over 1,000 financial institutions globally and maintains compliance with MiFID II, FINRA, SEC Rule 17a-4, GDPR, and regional financial regulations including Canadian OSFI guidelines. Communication archiving meets the record-keeping standards required for regulated financial institutions.
MiFID II · FINRA · SEC 17a-4OSFI-aligned
Kamba's ephemeral layer on top
On top of Symphony's institutional security, Kamba adds its own zero-persistence guarantee: no query data, no results, no intermediate files survive a completed request. Even in the unlikely event of a container compromise, there is no data to exfiltrate — the attack surface is bounded by a single request lifecycle.
Request-scoped onlyNo persistent state
1,000+
Financial institutions on Symphony globally
500,000+
Financial professionals using Symphony daily
Tier 1
Banks — including Scotiabank — approved & deployed
SOC 2 T2
Independently audited security certification
Kamba · Deployment Architecture v1.3
Confidential — Do not distribute externally  ·  kambagroup.com