Kamba — Symphony Deployment Architecture

Symphony AWS VPC · Single-container deployment

Kamba — Symphony
Deployment Architecture

Kamba operates exclusively within Symphony's approved infrastructure perimeter — isolated from Symphony's own internal systems, and isolated from the outside world. Nothing enters. Only user-initiated, allowlisted data queries leave.

Fully contained within Symphony's approved VPC Isolated from Symphony's internal systems No access to anything outside Symphony's perimeter Zero inbound connections Ephemeral — no data persistence CloudWatch · CloudTrail full audit

Deployment model

Single container · ECS / EC2

Perimeter

Fully within Symphony's approved VPC

Internal isolation

No access to Symphony core systems

Inbound connections

Zero — none accepted

Data persistence

None — ephemeral only

🔐 Dual Isolation

Fully contained within Symphony's approved perimeter — isolated on both sides

Kamba operates exclusively inside Symphony's AWS VPC — the same infrastructure Scotiabank has already reviewed, approved, and deployed. It is isolated in two directions simultaneously: inward, with no lateral access to Symphony's own databases, services, or core infrastructure; and outward, with no access to any system outside Symphony's VPC except user-initiated, explicitly allowlisted data provider endpoints. Kamba cannot reach Scotiabank's internal network, the public internet, or any other environment independently. It accepts zero inbound connections. All egress is user-initiated, governed by Symphony's own network controls, and fully logged.

01 · System Architecture

Single-container deployment inside
Symphony's AWS VPC.

Symphony Platform

Symphony Messaging

Chat interface & bot framework. Kamba connects here to receive and respond to user queries.

WebSocket connection

↑

Kamba-initiated
WSS:// · outbound

☁ Symphony AWS VPC Region: us-east-1 (configurable)

Private Subnet — Kamba Dedicated

Docker Host (ECS / EC2)

Container: kamba:latest

Kamba Engine

AI-powered financial analysis platform

Symphony WS Client

LLM Orchestration Layer

Query Parser & Router

Data Provider Connectors

Response Synthesizer

ⓘ LLM-agnostic — works with any approved model. The LLM interprets queries only. No data is ever shared with the LLM.

⚠ Container Local Filesystem

Ephemeral Storage

Transient scratch space for intermediate processing during each request.

No data persists beyond a single request lifecycle. All scratch files, query data, and intermediate results are wiped automatically. No external volumes or persistent storage attached.

Request → Process → Wipe

Data Connectors

Internal Sources

Data Lakes & Warehouses

Snowflake · Redshift · BigQuery · S3

OutboundRead-onlyAdmin-provisioned

Documents & Files

PDFs · Excel · CSV · Research docs

OutboundRead-onlyAdmin-provisioned

Internal Systems

Portfolio systems · Emails · Feeds

OutboundRead-onlyAdmin-provisioned

External Sources

ⓘUser-connected: external providers are selected and activated only by the user. No external endpoint is reachable without explicit user-initiated configuration.

Outbound only · TLS 1.2+

Licensed Data Providers

FactSet · Bloomberg · Refinitiv

HTTPSOutboundUser-connected

Public APIs

SEC EDGAR · regulatory filings

HTTPSOutboundUser-connected

Web Search

configurable provider

HTTPSOutboundUser-connected

02 · Security Controls

Four layers of network enforcement —
by design, not by configuration.

🔒

Security Groups

No inbound rules
Outbound: port 443 allowlist only

👱

Network ACLs

Allowlisted provider
endpoints only

🚫

Subnet Isolation

No lateral access to
Symphony core infrastructure

📋

CloudWatch / CloudTrail

Full audit logging
of all network traffic

03 · Data Flow & Security Posture

Isolated inward. Isolated outward.
Contained entirely within Symphony's perimeter.

Data Flow

Kamba-initiated WebSocket — within Symphony

Kamba Engine opens an outbound WebSocket (WSS) to Symphony Messaging to receive and respond to user queries. This connection stays entirely within Symphony's VPC. No inbound connections are accepted by the container.

All external data calls are user-initiated and allowlisted

The only traffic that leaves Symphony's VPC is outbound HTTPS to data providers explicitly selected and connected by the user. No external endpoint is reachable without user-initiated configuration. Every connection is governed by Symphony's Security Group and Network ACL controls.

Zero data persistence

Transient storage is scoped to individual request lifecycles. No PII, query data, or results survive beyond a single message. Nothing is written to external storage.

Key Security Properties

Dual isolation — the complete picture

Kamba is isolated from Symphony's own internal systems (no lateral access to Symphony databases, services, or core infrastructure) and from everything outside Symphony's VPC. The container exists in its own sealed subnet with no path in or out except what is explicitly defined and user-initiated.

Internal connectors are read-only and admin-provisioned

Access to internal data sources — data lakes, warehouses, portfolio systems, files — is read-only and must be provisioned by a Scotiabank administrator before any user can query it. No user can self-connect to internal infrastructure.

LLM-agnostic — data never shared with the model

Kamba works with any institutionally approved LLM. The model receives only the user's query — never the underlying data. Data retrieval, validation, and synthesis happen entirely within Kamba's engine. The LLM interprets intent; it never sees or processes client data.

04 · Why data is safe inside Symphony's environment

Symphony is the financial industry's most
trusted secure messaging infrastructure.

Symphony Communications is purpose-built for regulated financial institutions — banks, asset managers, broker-dealers — where data confidentiality is non-negotiable. Scotiabank has already completed its vendor due diligence and approved Symphony as a vendor. Kamba runs entirely within that approved perimeter, inheriting its security architecture by design.

🏦

Built for regulated finance

Symphony was architected from day one for banks, not adapted for them. Every security property — encryption, isolation, access controls, audit logging — was designed with financial regulatory requirements as the baseline, not an afterthought.

✅

Already an approved vendor at Scotiabank

Scotiabank has assessed and approved Symphony as a vendor. Kamba runs inside that same approved infrastructure — within the same perimeter, subject to the same controls. The trust chain is already established.

🔒

Bank-grade encryption everywhere

Symphony enforces end-to-end encryption with customer-managed keys. The institution controls its own encryption keys — Symphony itself cannot access message or data content. This is the gold standard for financial data confidentiality.

Symphony's security architecture — property by property

🗝️

Customer-Managed Encryption Keys (CMEK)

Each institution holds its own encryption keys. Data encrypted with Scotiabank's keys cannot be decrypted by Symphony, by Kamba, or by any other party — including in the event of a Symphony-side breach. The bank retains cryptographic control at all times.

Zero-knowledge architectureBank controls keys

🏗️

Dedicated tenant isolation

Scotiabank's Symphony environment is fully isolated from other institutions. No shared infrastructure, no shared databases, no co-tenancy. Kamba's container runs in a private subnet dedicated exclusively to Scotiabank's deployment.

Single-tenant per institutionNo co-tenancy

🛡️

SOC 2 Type II certified

Symphony holds SOC 2 Type II certification — an independent, third-party audit of security, availability, processing integrity, confidentiality, and privacy controls sustained over time. The standard Scotiabank's vendor management requires for cloud-hosted financial infrastructure.

Third-party auditedAnnual recertification

📋

Immutable audit trails

Every action within Symphony generates an immutable, tamper-evident audit log. For Kamba, every query, data access, and model invocation is logged with full user attribution, timestamps, and outcomes. Logs are exportable and retained to the institution's required schedule.

User-attributed per actionExportable & immutable

🌎

DLP & content controls

Symphony includes Data Loss Prevention controls configurable by the institution's compliance team. Administrators can define policies that flag or block sharing of content matching sensitive patterns — account numbers, trade identifiers, client data — before it reaches any downstream system including Kamba.

Configurable by ScotiabankPolicy-enforced

👤

Role-based access & eDiscovery

Access to Kamba within Symphony is governed by Symphony's role-based access controls. Scotiabank's administrators control who can interact with Kamba and which channels it has access to. Symphony's eDiscovery tools allow compliance teams to search, retrieve, and preserve any Kamba interaction for regulatory purposes.

Admin-controlled accesseDiscovery-ready

🏚

Regulatory compliance certifications

Symphony is deployed at over 1,000 financial institutions globally and maintains compliance with MiFID II, FINRA, SEC Rule 17a-4, GDPR, and Canadian OSFI guidelines. Its communication archiving meets record-keeping standards for regulated financial institutions.

MiFID II · FINRA · SEC 17a-4OSFI-aligned

⚡

Kamba's ephemeral layer on top

On top of Symphony's institutional security, Kamba adds its own zero-persistence guarantee: no query data, no results, no intermediate files survive a completed request. Even in the unlikely event of a container compromise, there is no data to exfiltrate — the attack surface is bounded by a single request lifecycle.

Request-scoped onlyNo persistent state

1,000+

Financial institutions on Symphony globally

500,000+

Financial professionals using Symphony daily

Tier 1

Banks — including Scotiabank — approved & deployed

SOC 2 T2

Independently audited security certification

Kamba — SymphonyDeployment Architecture

Kamba — Symphony
Deployment Architecture