Security

Built with Enterprise Security in Mind

Deployments

How Genesis Deploys Across Environments

Genesis runs natively inside your existing infrastructure. The platform operates entirely within the cloud environment you control.

Snowflake Native App

Runs inside your Snowflake account via Snowpark Container Services. The app does not share your data, conversations, or metadata with Genesis.

Data stays in your Snowflake account

Databricks

Deploys within your Databricks workspace using your infrastructure. The app does not share your data, conversations, or metadata with Genesis.

Data stays in your Databricks environment

Docker

Containerized deployment, on-premise or any cloud. No external dependencies required.

Data stays in your infrastructure

Kubernetes

Kubernetes (AWS / Azure): Deploy to an existing EKS or AKS cluster you manage. Full control over ingress, egress, and encryption keys.

Data stays in your VPC

Data Access

What Genesis Can Access

Genesis the platform accesses exactly what it needs to do its work — under your permissions and your governance rules. Genesis the company has no access to your data.

Exactly what you allow
  • Your data
  • Metadata
  • Agent configurations
  • Business logic or queries

Opt-in only
  • High-level usage statistics: Optional telemetry for product improvement. Disabled by default. No conversation data is ever included.

Installation only
  • Snowflake account name
  • Installer email address

None
  • Agent conversations

Security Controls

Built-in Security Capabilities

  • Encryption at rest: Full encryption for all secrets and stored data. Bring your own keys (BYOK) — Genesis has no access to encryption keys.
  • Proxy authentication: Supports deployment behind enterprise auth proxies with header-based auth and JWT verification.
  • Human-in-the-loop: Critical actions can require explicit human approval before execution. Configurable per workflow.
  • Role-based access control: Granular RBAC for all operations. Controls which tools each role can use and which users can invoke which agents.
  • Tool policy isolation: Potentially sensitive actions are gated behind explicit policy controls before execution.
  • Container isolation: Each agent runs in an isolated container. Scope cannot exceed container boundaries.
  • Identity (SSO / OAuth / OIDC): Federated identity support integrates with your existing identity provider.
  • Encryption in transit: All communications are encrypted end-to-end across all deployment environments.
  • Audit logging: Comprehensive logs capture every action, query, and decision made by an agent.

Compliance

Compliance Posture

Snowflake Native App

As a Snowflake Native App, Genesis runs under the same controls as your Snowflake environment. Your existing certifications apply to the app as they would to any native application running in your account.
  • Runs under the same SOC 2 controls as your Snowflake environment
  • HIPAA-compatible when your Snowflake account is HIPAA-ready
  • GDPR-compatible data residency supported
  • All existing Snowflake RBAC and masking policies apply

Kubernetes / Docker

All compliance obligations remain within your own infrastructure. Genesis does not introduce external compliance dependencies.
  • Full VPC isolation — no external data egress required
  • Customer-managed encryption keys
  • Air-gapped deployment supported
  • Local LLM support (Cortex, Bedrock) — no external model calls required

Common Security Questions

Where does data go during agent execution?

It depends on your deployment. In all cases, data stays within the environment you control.

Snowflake Native App: Agents run inside your Snowflake account using Snowpark Container Services. The app does not share your data, conversations, or metadata with Genesis.

Databricks: Agents run inside your Databricks workspace. Data does not leave your Databricks environment.

Kubernetes / Docker: Agents run inside your VPC or on-premise infrastructure. Data flow is determined entirely by your network policies.

Does Genesis send any data back to Genesis Computing?

Genesis does not share conversation data, agent activity, or your data with Genesis Computing under any circumstances.

There is an optional, opt-in feature that sends high-level usage statistics (such as feature usage counts) to Genesis for product improvement purposes. This is disabled by default. It contains no conversation data, no query content, and no information about your data or business logic. You can confirm or change this setting in your deployment configuration.

Is Genesis SOC 2 certified?

Genesis does not host your data, so Genesis itself is not the entity that holds SOC 2 certification. When deployed as a Snowflake Native App, Genesis runs under the same SOC 2 controls as your Snowflake environment — as any native app in your account would. For Kubernetes and Docker deployments, all compliance obligations remain within your own infrastructure.

Can Genesis be deployed without external LLM calls?

Genesis does not ship with an LLM — it connects to whichever LLM you configure. What counts as "external" depends on your deployment and your organization's network policies.

Snowflake Native App: Uses Snowflake Cortex models by default. LLM calls stay within the Snowflake platform and do not leave your Snowflake environment.

Kubernetes / Docker on AWS: Supports Amazon Bedrock. LLM calls stay within the AWS boundary. Whether this satisfies your policy depends on your specific network configuration and compliance requirements.

Air-gapped or fully self-hosted: For environments where no external LLM calls are acceptable under any definition, Genesis can be configured to use a locally hosted model. Contact us to discuss your requirements.

In all cases, Genesis does not make LLM calls outside the boundaries defined by your network policies and deployment configuration.

What does the security review process look like?

Architecture diagrams are available on this page. For deeper reviews, we provide security questionnaire responses and direct access to our engineering team. We have completed security reviews with regulated enterprises in banking, financial services, and healthcare.

What if our requirements fall outside the standard deployment options?

For organizations with specific network, encryption, or data residency requirements, contact our engineering team directly. We support a range of custom configurations across Snowflake, Databricks, Kubernetes, and Docker deployments.