Kamba — Security & Compliance
Security & Compliance

Security is infrastructure. Not a feature.

All controls in production | Not a roadmap

Kamba is built for regulated environments where governance, auditability, and data controls are requirements. Every control documented below is in production.

Design principles
Three commitments that shape every control.

Security at Kamba isn't layered on — it's built into the architecture from the ground up.

01. Your data never leaves your perimeter
Kamba queries data you already license in the environment where it already lives. No aggregation, no shadow copies, no re-hosting. Data residency stays under your control.
02. Every action is logged and traceable
Every query, work product, and data access event produces a full audit record. From question to sign-off, the chain is defensible in an IC, a compliance review, or a regulatory examination.
03. No model is trained on client data
Client data, queries, and outputs never train or update any shared model. Your alpha, your strategy, and your institutional knowledge stay entirely within your environment.
Controls

Six controls. All in production. Zero on the roadmap.

Risk and legal evaluate Kamba as infrastructure, not an unmanaged AI experiment. These controls are what make that possible.

No model training on your data
Client data, queries, and work product never train or update any shared model. Your alpha, your strategy, and your institutional knowledge stay entirely within your environment.
Vendor entitlements intact
Bloomberg under your Bloomberg license. Refinitiv under Refinitiv. Kamba queries data you already license — it does not copy, aggregate, or re-host it. No re-licensing. No shadow copies.
Full audit trail
Every query, every work product, and every data access event is logged with timestamp, user, and source. Full chain from question to sign-off — defensible in an IC, a compliance review, or a regulatory examination.
End-to-end encryption
AES-256 encryption at rest. TLS 1.3 in transit. Encryption applied at every boundary — storage, network, and inter-service. No data unprotected at any point in the pipeline.
Role-based access control
Granular permissions across every workflow, dataset, and work product. PM, analyst, quant, data, risk, and compliance roles configured separately. Access boundaries enforced at the data layer, not just the UI.
Siloed environments
Each client operates in an isolated environment. Data, queries, and work product are never commingled across accounts. Zero-trust architecture is applied across all internal service boundaries.
SOC 2: Type II in progress
AES-256: Encryption at rest
TLS 1.3: Encryption in transit
RBAC: Role-based access
Zero trust: Internal architecture
Built for regulated environments from day one. Every control is in production — not in a roadmap. Risk and legal evaluate Kamba as infrastructure, not an unmanaged AI experiment.
Data controls
How your data stays yours.

The questions compliance and legal ask most often — answered at the architecture level.

Data residency
Your data never moves without your control
Kamba connects to data where it lives — inside your environment, under your vendor licenses. Nothing is copied to a shared cloud layer or aggregated across clients. Data residency obligations stay intact.
Model behavior
Frontier models reason. They don't retain.
Kamba routes queries to frontier models for reasoning only. No client input or output is used for model training or fine-tuning. The model sees the query; it does not keep it.
Vendor entitlements
Existing licenses are fully respected
Kamba does not require re-licensing of any data you already subscribe to. Bloomberg stays under your Bloomberg agreement. Refinitiv stays under Refinitiv. No shadow copies, no re-hosting, no entitlement bypass.
Audit & reproducibility
Every number traces back to source
The full lineage chain is logged for every work product: source → quality gate → validation → analysis → output → review. Every number in every memo is traceable. Every access event is timestamped and attributed.
Talk to us

Questions for risk or legal? We'll answer them directly.

We work with compliance, risk, and legal teams directly. Send us your security questionnaire or request a technical review.