Your Data. Your Network. Your Compliance Program, Strengthened.
Single-tenant on-premise appliance. AES-256 encryption at rest. Versioned compliance gate on every outbound. Tamper-evident audit logs retained seven years. Built for the people who answer to the SEC, FINRA, NYDFS, and a CCO.
Where Your Data Lives
Single-tenant, on-premise. No shared cloud. No inbound surface.
Alpheous runs as a hardened, single-tenant appliance on your network, behind your firewall, in your facility. Your advisor records, meeting transcripts, governance rules, and compliance decision logs never leave your infrastructure except for narrowly scoped, audited calls to a short list of sub-processors — each bound by a signed Data Processing Agreement.
Data residency is yours by default
Customer data does not leave customer-controlled infrastructure except for narrowly scoped, audited calls over TLS to DPA-bound sub-processors.
Books and records stay with you
Your audit log is on your hardware, written to your storage, exported to your archive provider. Alpheous does not hold the long-term copy.
No inbound public surface
The appliance accepts no inbound connectivity from the public internet. Operator support is via a Tailscale identity mesh with hardware-key MFA.
Each appliance is its own blast radius. No multi-tenant cloud database to over-share, no inbound port to scan, no shared bot account that can act on behalf of “someone.”
Three Parties. Narrow Privileges. No Single Point of Compromise.
A compromise of any one party is recoverable. No single party can access customer data without the cooperation or failure of at least one other.
Customer
The appliance, the network, the data, user identities, governance rules, and the backup decryption key.
Alpheous
The software, code-signing keys, and operator credentials. Does not hold customer data or backup decryption keys.
Sub-Processors
Receive minimum data per call, under signed DPAs, with retention bounded. Zero-retention for LLM providers.
Two Independent Encryption Layers
Not redundancy — complementary protection against different attackers.
Disk Layer
FileVault 2 with institutional recovery key escrowed off-device. Secure Boot at Full Security on Apple Silicon. Stops an attacker with the physical disk.
Application Layer
AES-256-GCM authenticated encryption on every database, vector store, and audit log line. SQLCipher with per-page HMAC. Stops an attacker with filesystem read on a running system.
Key Hierarchy
Master key in macOS System Keychain. Per-purpose keys derived via HKDF-SHA256. Annual rotation. Cryptographic erasure on offboarding — rotate the key, data becomes unreadable.
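The per-purpose derivation described above, as an added illustration rather than the appliance's own code: a stdlib HKDF-SHA256 (RFC 5869) that turns one master key into unrelated keys per purpose and rotation. The info-label format and the purpose names are assumptions for this example.

```python
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size          # 32 bytes for SHA-256

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 step 1: PRK = HMAC-SHA256(salt, IKM). An empty salt means
    HashLen zero bytes, as the RFC specifies."""
    return hmac.new(salt or b"\x00" * HASH_LEN, ikm, HASH).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 step 2: T(i) = HMAC-SHA256(PRK, T(i-1) || info || i),
    concatenated until `length` bytes are produced."""
    okm, block = b"", b""
    for counter in range(1, -(-length // HASH_LEN) + 1):   # ceil(length / 32)
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
    return okm[:length]

def derive_purpose_key(master_key: bytes, purpose: str, rotation: int) -> bytes:
    """Derive one 256-bit key per purpose (e.g. "sqlcipher", "vector-store",
    "audit-log") from the master key. The purpose label and the annual
    rotation number go in the HKDF info field, so keys for different purposes
    or rotations are unrelated, and compromise of one purpose key reveals
    nothing about the others. The label format is assumed for this example."""
    info = f"alpheous/key-v{rotation}/{purpose}".encode()
    return hkdf_expand(hkdf_extract(b"", master_key), info, 32)
```

Cryptographic erasure follows from the same structure: discard the master key (or a single purpose key) and every ciphertext under the keys derived from it becomes unrecoverable without rewriting the data.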
If the appliance is stolen, FileVault, the firmware password, the application-layer encryption, and the customer-held recovery key each have to fail before data is at risk.
Invisible to the Internet
Three independent layers at network, kernel, and application level.
Inbound
None. The appliance accepts no inbound connections from the public internet. LAN access to the dashboard requires IdP authentication (OIDC or SAML 2.0).
Operator Access
Tailscale (private WireGuard mesh) → macOS Packet Filter (kernel-level) → OpenSSH (public-key only, hardware-token-bound). A lost operator laptop is revoked in seconds. Every session is recorded and sealed into the audit stream.
Outbound
Every HTTP(S) call goes through an explicit hostname allowlist — which doubles as the customer-facing sub-processor disclosure. A prompt-injected agent that tries to POST data to an attacker URL fails immediately. PF backstops with port-level rules: no SMTP, SMB, or RDP, and no DNS to unauthorized resolvers.
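An egress check of the kind described above, added here as an illustration and not the appliance's code. The allowlist entries are constructed placeholders for the sub-processor list, and HTTPS-only on port 443 is an assumed policy; the point is that the decision is made on the parsed hostname, which is where naive string matching goes wrong.

```python
from urllib.parse import urlsplit

# Constructed example entries; the appliance's real allowlist is its
# sub-processor disclosure and is not reproduced on this page.
EGRESS_ALLOWLIST = frozenset({"api.anthropic.com", "slack.com"})

def egress_allowed(url: str, allowlist=EGRESS_ALLOWLIST) -> tuple[bool, str]:
    """Decide whether an outbound HTTP(S) request may leave the appliance.

    Match on the *parsed* hostname, never on a substring of the raw URL:
      https://api.anthropic.com@evil.example/   -> hostname is evil.example
      https://api.anthropic.com.evil.example/   -> not api.anthropic.com
    Returns (allowed, reason) so a refusal can be written to the audit log.
    """
    try:
        parts = urlsplit(url)
        host = parts.hostname        # lower-cased; userinfo and port stripped
        port = parts.port            # ValueError on a non-numeric port
    except ValueError as exc:
        return False, f"unparseable url: {exc}"
    if parts.scheme != "https":      # TLS only (assumed policy)
        return False, f"scheme {parts.scheme!r} not permitted"
    if not host:
        return False, "missing hostname"
    host = host.rstrip(".")          # 'api.anthropic.com.' is the same name
    if host not in allowlist:        # exact match; no wildcard subdomains
        return False, f"host {host!r} not on egress allowlist"
    if port not in (None, 443):      # PF backstops this at the packet level
        return False, f"port {port} not permitted"
    return True, "ok"
```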
All Inbound Content Screened Before Any Agent Processes It
Every email, document, and data feed is screened through multiple layers: spam filtering, phishing detection, and prompt injection defense. Every untrusted-text boundary — inbound email, transcript, enrichment document, web-scraped content — runs through a sanitization layer that strips adversarial content before any LLM sees it. Outputs are validated before they leave the appliance.
Nothing Leaves Your Firm Without Passing the Compliance Gate
Every outbound communication runs through versioned, CCO-editable compliance rules before it reaches a human, and again before it leaves the firm.
The CCO owns the rules
The ruleset is editable by your compliance team, versioned, and every change writes an audit entry with who, when, before, and after. The AI applies rules you wrote.
No auto-send
Client-facing communications require a human approver. Where a BD principal review is required in addition to the RIA CCO, both reviews are routed and logged.
Approvals are reproducible
The audit log captures the ruleset version in force, the model output, the human approver, and the rationale. Three years from now, the answer is a query, not a reconstruction.
Separation of duties in code
A wholesaler cannot approve their own outbound. A rule editor cannot be the sole approver. The gate refuses the action and writes a sod.violation_blocked event.
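The gate behaviour described in the last three items (no auto-send, reproducible approvals, separation of duties), as an added example and not the product's own code. The `sod.violation_blocked` event name is from the page; the other event names, the dataclass fields and the reading of "sole approver" as "every approver is a rule editor" are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Draft:
    draft_id: str
    author: str             # who drafted the outbound, e.g. a wholesaler
    recipient: str
    ruleset_version: str    # version of the CCO-edited ruleset applied
    body: str               # the model output under review

@dataclass
class Approval:
    approver: str
    rationale: str

def check_outbound(draft: Draft, approvals: list[Approval],
                   rule_editors: set[str], audit: list[dict]) -> bool:
    """Gate decision at the call site. Returns True only when a human
    approver who is neither the drafter nor a sole rule editor signed off.
    Every decision is appended to `audit` with the ruleset version in force,
    so the approval can be reproduced later by query."""
    base = {"draft": draft.draft_id, "recipient": draft.recipient,
            "ruleset_version": draft.ruleset_version}
    approvers = [a.approver for a in approvals]
    if not approvers:                       # no auto-send: a human must approve
        audit.append({**base, "event": "approval.required"})
        return False
    if draft.author in approvers:           # a drafter cannot approve their own outbound
        audit.append({**base, "event": "sod.violation_blocked",
                      "reason": "author_self_approval", "actor": draft.author})
        return False
    if set(approvers) <= rule_editors:      # a rule editor cannot be the sole approver
        audit.append({**base, "event": "sod.violation_blocked",
                      "reason": "rule_editor_sole_approver",
                      "actors": sorted(approvers)})
        return False
    audit.append({**base, "event": "outbound.approved", "approvers": approvers,
                  "rationale": [a.rationale for a in approvals],
                  "model_output": draft.body})
    return True
```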
Compliance Gate: an illustrative outbound draft awaiting review.
To: sarah@meridiangroup.com
Fund: Fund III
Subject: RE: Q4 Distribution Notice
Following up on the Q4 distribution. The final waterfall calculations are attached. Total distribution of $4.2M across 23 LPs. Please review and approve for distribution.
This is how Alpheous supports SEC Marketing Rule 206(4)-1, Compliance Rule 206(4)-7, and FINRA Rules 3110 (Supervision) and 2210 (Communications with the Public).
The Artifact a Regulator Points At. Built to That Standard.
Append-only, tamper-evident, regulator-ready.
Decryption of payloads in an export requires just-in-time (JIT) operator approval under two-person control, so a regulator response goes through a documented and audited gate.
Written. Drilled. Designed to Give You Headroom.
Tabletop-drilled before every go-live and at least quarterly. 48-hour customer notification gives you four weeks of headroom against the Reg S-P 30-day clock.
| Target | Phase | Action |
|---|---|---|
| 15 min | Contain | Revoke credentials, kick sessions, pull destinations off the egress allowlist, halt automation. No deep investigation before the bleeding stops. |
| 4 hours | Eradicate | Root-cause removal and system hardening. |
| 48 hours | Notify | Customer notification with full scope and affected-individual enumeration by state of residence. |
| Continuous | Preserve | Audit-log slices, in-process state, suspicious files: all preserved before any reset or restore. |
| 5 days | Review | Post-incident review producing a code change, runbook change, new monitoring rule, or an explicit 'no change required, here’s why.' |
Documented scenarios
Appliance theft/loss, suspected malware, credential compromise, sub-processor breach notification, anomalous agent output (prompt injection), governance rule misconfiguration.
Updates Are the Most Dangerous Surface. We Treat Them Accordingly.
Dual-key signing, staged rollout, automatic rollback.
- Two distinct signing keys: Apple Developer ID (HSM-backed) signs the artifact. Ed25519 release key (hardware token) signs the manifest. Compromising one is not enough.
- Snapshot-and-swap install via APFS clone. Rollback is one command and takes seconds. A post-install health check can auto-rollback on failure.
- Anti-replay: each manifest carries version and min_required_version. The appliance refuses older signed-but-vulnerable artifacts.
- Staged rollout: Canary (24h) → Pilot (72h) → Stable. Emergency releases with release-captain sign-off.
- Material change acknowledgement: behavior changes, new sub-processors, or schema changes require customer admin approval before install.
- CycloneDX SBOM shipped with every release. CVE monitoring runs nightly.
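The dual-signature and anti-replay rules above, as an added example of the install-time policy check and not the appliance's updater. Signature verification itself is represented by the two booleans the real verifier would produce; the version-floor ratchet (the appliance remembers the highest `min_required_version` it has accepted and refuses anything below it) is this example's reading of the anti-replay rule.

```python
from dataclasses import dataclass

def parse_version(v: str) -> tuple[int, ...]:
    """'2.4.1' -> (2, 4, 1); tuple comparison gives the ordering we need."""
    return tuple(int(part) for part in v.split("."))

@dataclass
class Manifest:
    version: str
    min_required_version: str
    artifact_sig_valid: bool   # Apple Developer ID signature over the artifact
    manifest_sig_valid: bool   # Ed25519 release-key signature over the manifest

@dataclass
class ApplianceState:
    installed_version: str
    version_floor: str         # lowest version this appliance will still accept

def evaluate_update(state: ApplianceState, m: Manifest) -> tuple[bool, str]:
    """Accept only if both signatures verify, the artifact is not below the
    ratcheted floor (replay of an older signed-but-vulnerable build), and it
    is newer than what is installed."""
    if not (m.artifact_sig_valid and m.manifest_sig_valid):
        return False, "both the artifact and the manifest signature are required"
    v = parse_version(m.version)
    if v < parse_version(state.version_floor):
        return False, f"version {m.version} is below floor {state.version_floor}"
    if v <= parse_version(state.installed_version):
        return False, f"version {m.version} is not newer than installed"
    return True, "ok"

def apply_update(state: ApplianceState, m: Manifest) -> tuple[bool, str]:
    """On acceptance, record the new version and raise the floor; the floor
    only ever moves up, so a later replay of this or any older manifest fails."""
    ok, reason = evaluate_update(state, m)
    if ok:
        state.installed_version = m.version
        if parse_version(m.min_required_version) > parse_version(state.version_floor):
            state.version_floor = m.min_required_version
    return ok, reason
```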
| Severity | Patch SLA |
|---|---|
| Critical (CVSS ≥ 9.0) | 7 calendar days |
| High (CVSS 7.0–8.9) | 30 days |
| Medium / Low | Next scheduled release |
Alpheous Never Holds the Key That Decrypts a Customer Backup.
RPO 1 hour. RTO 4 hours. Customer-key encryption.
The appliance encrypts each backup to a customer-supplied public key (RSA-4096 or X25519). The matching private key lives in your KMS, hardware token, or password manager. A breach of any Alpheous-side system does not give an attacker access to the backup tail.
- Hourly incrementals, daily full, plus an automatic pre-update full before any software update.
- Destination is customer-controlled: NAS, S3, Azure Blob, on your terms.
- Each backup ships with a manifest signed by the appliance’s audit-log signing key. The restore tool refuses unverified backups.
- Quarterly restore drill against a non-production target is required. A failed drill is a P1 incident.
Short List. DPA-Bound. Zero-Retention for LLM Providers.
Any new sub-processor carries a 30-day advance notice with a customer right to object.
| Category | Providers | Note |
|---|---|---|
| LLM Providers | Anthropic, Google | Zero-retention. Data not used for model training. |
| CRM | HubSpot | Advisor records. |
| Productivity | Slack, Gmail / Outlook | Your existing channels. |
| Archiving | Smarsh, Global Relay, Purview | Selected by you. |
| Enrichment | Discovery Data, BrokerCheck | Advisor reference sources. |
Alignment with the NYDFS AI Guidance (October 2024): DPAs with each LLM provider; context distillation that reduces the data sent to premium models by 70–95%; an egress allowlist that prevents exfiltration; and sanitization of every untrusted-text boundary before any LLM sees it.
Regulatory Alignment
Mapping, not a legal opinion. Full control-by-control mapping available under NDA.
| Regulatory Regime | How Alpheous Supports |
|---|---|
| SEC Reg S-P (2024) | Written IR program, encryption at rest and in transit, 48-hour customer notification, sub-processor DPAs. |
| Advisers Act 206(4)-7 | Versioned CCO-editable ruleset, rule-change audit trail, monthly and annual posture reports. |
| Advisers Act 206(4)-1 | Compliance gate on every outbound, ruleset versioning at time of review, human approval required. |
| Advisers Act 204-2 | Append-only audit log, 7-year retention, first-2-year accessibility, signed regulator export. |
| FINRA 17a-4 | WORM or audit-trail election, time-date stamping, serialization, designated-third-party-ready export. |
| FINRA 3110 & 2210 | Principal-review workflow, dual-review routing for BD-distributed products. |
| FTC Safeguards Rule | Written info-sec program, MFA, encryption, IR plan, service provider oversight. |
| NYDFS 23 NYCRR 500 | Encryption, MFA, 72-hour incident reporting, sub-processor security documentation. |
| NYDFS AI Guidance | Prompt-injection defense, MNPI protection via context distillation, AI vendor DPAs. |
| State Breach Laws | Affected-individual enumeration by state, audit log evidence, headroom against tightest 30-day clocks. |
Alpheous Is a Vendor, Not Your Compliance Program.
Clear boundaries. Named points of contact on each side.
Alpheous Owns
Software security, code signing, audit log design, remote-admin access, update pipeline, sub-processor vetting, and incident response on our side of the boundary.
Customer Owns
Physical security of the appliance, your network, your IdP, governance rule content, staff training, and incident cooperation on your side.
Joint Duties
Incident coordination, change management for material updates, periodic access reviews, annual program review — with named contacts on each side.
The full shared-responsibility matrix is exhibit-grade and attached as a schedule to the MSA. It enumerates roughly one hundred control duties.
What We Don’t Claim
We do not claim immunity to a zero-day in macOS, Tailscale, or a pinned dependency. We claim layered defense so a single failure does not produce full data disclosure, plus a tested patch path with documented SLAs.
We do not claim to defend against an attacker who has both root and the master key on a running appliance. We claim getting both requires defeating multiple independent controls, and the audit log makes the attempt visible.
We do not claim to prevent a customer-side IdP compromise. Detection is on the audit-log side; prevention is the customer’s IdP posture.
Full Security Program Available Under NDA
Written security program, regulatory mapping, exhibit-grade shared-responsibility matrix, and twelve control-area documents covering device hardening through incident response.
Questions From CCOs and CISOs
On a hardened Mac appliance sitting on your network, behind your firewall, in your facility. Alpheous does not operate cloud infrastructure that holds your data at rest. The only outbound traffic is narrowly scoped, audited calls to DPA-bound sub-processors. Each appliance is its own blast radius.
Every outbound communication runs through a versioned ruleset your CCO edits and controls. The gate checks SEC Marketing Rule constraints, principal-review requirements, jurisdictional carve-outs, required disclaimers, and any firm-specific language. Nothing goes out without a human approver. Where BD principal review is required, both reviews are routed and logged. The audit log captures the ruleset version, model output, human approver, and rationale.
No. LLM providers (Anthropic, Google) operate under zero-retention agreements. Customer data is not used for model training. Context distillation reduces data sent to premium models by 70–95%. The egress allowlist prevents exfiltration to any destination not on the approved sub-processor list.
The append-only audit log retains every action for seven years, exceeding the five-year minimum under Advisers Act Rule 204-2. Active logs are indexed and queryable on-appliance for the first two years. Signed regulator exports are available within one business day, structured for either the WORM standard or audit-trail election under 17a-4.
The IR program is written, tabletop-drilled quarterly, and operates against a 48-hour Alpheous-to-customer notification SLA. That gives your team roughly four weeks against the Reg S-P 30-day clock and beats the NYDFS 72-hour floor. Containment within 15 minutes, eradication within 4 hours, evidence preservation continuous, post-incident review within 5 business days.
Two distinct signing keys: Apple Developer ID (HSM-backed) signs the artifact, a separate Ed25519 release key (hardware token) signs the manifest. The appliance refuses any artifact without both valid signatures. Updates roll out staged: Canary (24h) to Pilot (72h) to Stable. Material changes require customer admin acknowledgement before install. Rollback is one command via APFS snapshot.
No. Authorization is role-based with permissions set at deployment and enforced at the call site. No agent can expand its own access or grant permissions to another. Separation of duties is hard-coded: a drafter cannot self-approve, a rule editor cannot be the sole approver. Violations are blocked and logged.
You do. The appliance encrypts backups to a customer-supplied public key (RSA-4096 or X25519). The matching private key lives in your KMS, hardware token, or password manager. A breach of any Alpheous-side system does not give an attacker access to the backup tail.
0 inbound ports: invisible to the internet.
256-bit AES encryption: dual-layer at rest.
7-year audit retention: exceeds Rule 204-2.
48-hour incident notification: Alpheous to customer.
See the Security Architecture Live.
We show you the live system: approval flows, compliance gates, audit logs, encryption layers, and incident response. Every claim on this page is verifiable.
Customer CCOs and CISOs receive the full documentation set under NDA.