Security & data handling
Gamut holds sensitive governance data, so security is a core design property rather than an add-on. This page describes Gamut’s security posture at a product level.
Tenant isolation
Each organisation operates in its own tenant, and isolation is enforced at the data layer: each tenant’s records live in their own database schema, not merely filtered by an application query. One organisation’s AI systems, assessments, evidence and users are kept strictly separate from every other, and access is always scoped to the tenant a user belongs to.
Encryption of secrets
Sensitive secrets and credentials, such as stored API keys and connection secrets, are encrypted at the application layer with AES-256-GCM, an authenticated cipher. Each value is encrypted with its own initialisation vector and carries an authentication tag in a versioned envelope, so tampering is detectable and ciphertext cannot be silently altered.
The encryption key is mandatory where it matters:
- The server refuses to start in production without DATA_ENCRYPTION_KEY, and refuses to run against a database without it (so secrets are never written to Postgres in plaintext).
- On startup it runs an encrypt/decrypt round-trip self-test and aborts if the key cannot round-trip, failing safe rather than running with a broken key.
- The agentic enforcement signing secret is held separately from the data-encryption key; key separation is enforced at startup so one secret never doubles as another.
Passwords are stored as salted scrypt hashes, never in recoverable form.
Server-side AI
All AI analysis is proxied server-side. Model provider keys are never exposed to the browser, and prompts and responses are handled by Gamut rather than sent directly from a user’s device to a model provider. This keeps model usage governed and credentials protected.
For agentic AI the principle is enforced more strictly still: agents never hold credentials and never call tools directly. Every action passes through Gamut Gateway, where keys live and policy is enforced, and Claw redacts output (emails, tokens, keys, card numbers and more) before it leaves the execution layer. See the agentic stack overview.
Fail-closed enforcement
Agentic enforcement fails closed by design. If Gateway cannot reach a dependency, cannot verify a signature, or hits an error mid-decision, the action does not proceed. Allow decisions carry short-lived HMAC-signed tokens, and service-to-service calls between Gamut, Gateway and Claw are signed and nonce-protected against replay. Claw tasks run under leases and bounded step budgets, so a stalled or compromised execution fails safe rather than running unbounded.
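An added example, not Gamut's own code: a minimal fail-closed check for short-lived HMAC-signed allow tokens with nonce-based replay protection, as described above. The token layout, the 30-second lifetime, the in-memory nonce cache and the names `issue_allow_token` and `may_proceed` are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

SIGNING_KEY = secrets.token_bytes(32)  # constructed demo key, separate from any encryption key
TOKEN_TTL_SECONDS = 30                 # assumed value for "short-lived"
_seen_nonces = set()                   # assumed replay cache; a shared store with expiry in practice


def _sign(payload):
    return hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()


def issue_allow_token(action, now=None):
    """Return 'payload.signature' for an allow decision on one action."""
    now = time.time() if now is None else now
    claims = {"action": action, "exp": now + TOKEN_TTL_SECONDS,
              "nonce": secrets.token_hex(16)}
    payload = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    return payload.decode() + "." + _sign(payload)


def may_proceed(token, action, now=None):
    """Fail closed: anything other than a fully verified token denies."""
    try:
        now = time.time() if now is None else now
        payload_b64, signature = token.split(".")
        payload = payload_b64.encode()
        # Constant-time comparison, done before the payload is parsed.
        if not hmac.compare_digest(_sign(payload), signature):
            return False
        claims = json.loads(base64.urlsafe_b64decode(payload))
        if claims["action"] != action or now >= claims["exp"]:
            return False
        if claims["nonce"] in _seen_nonces:
            return False  # replayed token
        _seen_nonces.add(claims["nonce"])
        return True
    except Exception:
        return False      # malformed token or internal error: deny
```

The only path that returns `True` is the one where signature, action, expiry and nonce have all been checked; every exception is mapped to a deny.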
Access control
Access is governed by role-based access control and entitlements. A sensitive capability requires both the role permission and the plan entitlement, enforced server-side on every action, so gating is a genuine security boundary, not a hidden button. Tenant administrators are deliberately not exempt from entitlement checks. Suspending a user or tenant revokes access immediately and ends active sessions.
Authentication
People sign in with a password or via single sign-on using OpenID Connect,
so organisations can apply their own MFA and conditional-access policies. SSO uses the
authorization-code flow with cryptographic ID-token verification and a state cookie for CSRF
protection. Browser sessions are protected with a per-session CSRF token on state-changing
requests, and responses carry hardening headers (including X-Frame-Options,
X-Content-Type-Options: nosniff and a content-security policy). Programmatic access uses named,
revocable bearer tokens, stored as hashes with optional expiry; sensitive
and AI-assisted operations are rate-limited and quota-bound.
Accountability by default
State-changing actions are written to the audit log before the action returns, and a defined set of high-sensitivity actions mandates an audit record. Every agent action generates runtime evidence, backed by Claw’s hash-chained, tamper-evident journal. Together these give a complete, reviewable account of both human and agent activity.
Reporting a concern
If you believe you have found a security issue, please contact the Gamut team so it can be handled responsibly.
- Agentic stack overview: zero-trust governance of agents.
- Workspaces & tenancy: isolation between organisations.
- Audit log: the accountable record of actions.