┼ Doc 02 · Security

How your data
is protected.

Per-tenant isolation enforced at the database row, encryption in transit and at rest, append-only audit logging, and an AI redaction layer that never lets account numbers, NIDs, or phone numbers reach an external model. The mechanisms below are live in production today and verifiable on request.

Tenancy: Postgres RLS · per-org
Residency: ap-southeast-1
In transit: TLS 1.3
At rest: AES-256

┼ 01 · Tenancy

Each bank is its own tenant.

Every per-tenant table — accounts, transactions, STR reports, alerts, cases, disseminations, customers, screening logs, audit records — is row-level-security isolated with a policy of the shape (org_id = auth_org_id()) OR is_regulator(). A bank user's session can only ever read the rows tagged with its own org. Cross- tenant reads are impossible by construction; service-layer guards add a second line of defence on the regulator-only mutation paths. The audit log carries the same isolation with no regulator escape hatch.

The cross-bank intelligence layer is the single deliberate exception: shared tables hold canonical entity tokens (account number, NID, phone, wallet) and the list of orgs that have reported each one. They hold no transactional context. A bank user querying them sees peer institutions rendered as “Peer institution N” and match keys redacted to the trailing four characters; only BFIU sees the real labels. Persona transformations are applied before data leaves the engine.

┼ 02 · Data residency

ap-southeast-1 by default. On-prem on request.

Hosted Kestrel runs on Supabase Postgres in Singapore (ap-southeast-1) with the engine on Render in the same region. No data is replicated outside the region. The contractual guarantee is one region, full stop — no cross-region failover, no analytics warehouse, no third-party data lake.

Enterprise tier customers can deploy the entire Kestrel stack inside their own data centre. The same engine image, the same web image, with Postgres + Redis + Caddy on a single Docker compose. Air-gapped AI routing skips OpenAI and Anthropic entirely; sovereign LLM serving happens against a vLLM endpoint running locally. Watchlist refresh runs from operator-supplied source archives instead of live HTTP. The on-prem path is ready for a first signed customer to drive.

┼ 03 · Audit log

Append-only. Per-org. No regulator override.

Every mutation across the platform writes a row carrying user_id, org_id, action, resource_type, resource_id, IP, and a request ID that threads through the structured JSON logs. AI invocations log provider, model, redaction mode, and digests of the input and output for compliance review without storing the content itself. Default retention is 365 days with optional archive to encrypted object storage.

┼ 04 · AI safety

Redaction before any model. Red-team on every commit.

Account numbers, NIDs, phone numbers, wallet addresses, email addresses, and IP addresses are masked before any payload reaches an external model. The redaction layer sits between the prompt builder and every provider adapter — there is no path that bypasses it. A continuous red-team harness exercises prompt-injection and PII-leak regressions on every commit through CI; canary checks fail the build if a model echoes an injected instruction or surfaces a raw account number in its output.

The platform is built to migrate off external AI entirely. A confidence-routing layer is already in place that prefers a sovereign model and falls back to Claude when the sovereign confidence is below a per-task threshold. Once a Bangladesh-trained adapter clears the promotion harness, traffic flips a percentage at a time with automatic rollback if accuracy degrades against the baseline.

┼ 05 · Compliance alignment

The frameworks Kestrel was built against.

BB Circular 26/2024— Bangladesh Bank's digital banking AML requirements. Kestrel's real-time scoring, sanctions screening, KYC re-screening, and audit-log retention are designed to the circular's pipeline expectations.
Money Laundering Prevention Act, 2012 — STR and CTR pipelines, BFIU dissemination workflow, audit retention.
Anti-Terrorism Act, 2009 — sanctions enforcement and reporting paths.
FATF Recommendations 9 and 21 — tipping-off prohibitions and reporting-entity confidentiality, enforced by the cross-bank persona anonymisation layer.
Egmont Group intelligence exchange — Information Exchange Request workflow with counterparty FIU + Egmont reference + deadline, supporting peer-FIU handoff in goAML XML.

┼ 06 · Verification

Available under NDA on request.

Procurement, audit, and compliance reviewers can request the following under NDA, on a two-business-day turnaround:

Full pg_policies dump from the production database, with each policy USING clause verbatim.
Tenant-isolation simulation transcript — a production run impersonating a bank CAMLCO session and showing what they can and cannot see across every per-tenant table.
AI red-team corpus and the most recent CI run results (canary echo + PII leak scenarios across all six AI tasks).
The SOC 2 readiness checklist and current gap log.
Audit-log schema and retention configuration for your tenant.

┼ Next step

Get the verification pack and brief your CTO.

Run a pilot →Schedule a briefing →

How your datais protected.