Black Flag × Trabian
The applied AI layer on top of Mesh
Technical Briefing · April 2026

Security & Privacy Posture.

A plain-language walkthrough of how the AI applications we build on top of Mesh handle your data, your end-users, and the AI layer behind every workflow — designed for review by Trabian InfoSec, Compliance, and bank/credit-union procurement.

Scope: Black Flag × Trabian AI Application Stack
Audience: Trabian Leadership · Bank & CU Procurement
Prepared by: Black Flag Design
Confidential · For stakeholder review only
01 / 07
Black Flag × Trabian
Mesh AI Application Stack
Security & Privacy Posture
01 · Data Location

Every byte lives in the United States.

Application data is hosted by four managed US-based services — all SOC 2 Type 2 compliant. No on-premises component, no data stored in Trabian or partner FI infrastructure, and no replication to third-party regions. Mesh integrations sit alongside this boundary, not inside it — Mesh handles the core/banking layer, this layer handles the AI application data.

Database · Logic: Convex
Managed cloud database and serverless logic. Holds workflow state, user profiles, document annotations, AI-cached insights, and event logs from Mesh integrations.
Region: 🇺🇸 AWS us-east-1

Document Storage: Cloudflare R2
Stores generated reports, member-facing PDFs, and document uploads. Encrypted at rest, in transit, and in use (AES). Region-locked via Cloudflare's Data Localization Suite.
Region: 🇺🇸 US-Restricted Bucket

Application Delivery: Cloudflare Pages
Hosts the app's public interface code — no user data, no PII. Delivered over Cloudflare's global CDN for fast load times.
Region: 🇺🇸 US Origin · Global CDN

Authentication: Clerk
Password-free email login plus enterprise SSO (OIDC / SAML) for FI staff. Holds credentials and session tokens only — never workflow content or member data.
Region: 🇺🇸 GCP us-central
Prepared by Black Flag Design · April 2026
Data Architecture
How it connects

Data Architecture Overview

Convex is the application backend — not “serverless glue.” It runs on dedicated AWS infrastructure (EC2 + RDS Postgres) in us-east-1, hosting our schema, queries, mutations, HTTP actions, and scheduled jobs. Mesh sits beside it as the governed core/banking integration layer; every other service talks to Convex, and the US boundary contains them all.

Architecture diagram (all data within the United States):

User's Browser: Vite + React SPA
Cloudflare Pages: ships the SPA shell; public code only
Convex: hosted app backend on AWS us-east-1; EC2 runtime + RDS Postgres + S3 object store; real-time queries and HTTP actions; SOC 2 Type 2 + HIPAA; schema, queries, mutations, HTTP actions, and crons all in one deployment
Clerk: auth and JWT to Convex; GCP us-central
AWS Bedrock: Claude, us-east-1; anonymized inputs only
Cloudflare R2: reports and document bucket; served via Convex signed URLs
PostHog: route and workflow events; no member content
02 · AI Handling

AI is used in scoped, named ways — and only anonymized data reaches it.

Each AI feature ships with a documented purpose, a documented payload, and a documented region. The pattern is the same every time: structured, de-identified inputs → one model call → one cached result. No general-purpose chat over your bank's data, no model fine-tuning on your bank's data.

Claude by Anthropic
Haiku, Sonnet, and Opus class models, accessed via AWS Bedrock.
us-east-1
AWS region that serves the request. Data never leaves the US.
Zero PII
No names, emails, or identifiers are ever sent to the AI.

What the model sees: aggregate transaction categorizations, normalized account-type labels, workflow step identifiers, anonymized free-text the user has typed into the application, and the structured outputs of Mesh integrations after PII has been stripped. AWS Bedrock does not use customer prompts or responses to train or improve its underlying models.

AI Data Flow
What crosses the boundary

What goes to AI · what never leaves Convex.

Sent to AI

Anonymized, structured workflow data only.

Normalized category codes: e.g. account-type, transaction class
Numeric aggregates: counts, ratios, periods — never raw amounts tied to a person
Workflow step identifiers: application/feature flow markers
User-typed free text: after in-line PII detection & redaction

Stays in Convex

Protected data — never sent to any AI model.

Member PII: names, emails, SSN/EIN, account numbers
Raw transaction records: untokenized core/banking events from Mesh
Document content: uploaded statements, IDs, signed forms
FI configuration: institution records, billing, audit trails

AWS Bedrock does not use customer data to train its models. Prompts and responses are never used to train or improve underlying AI models. All inference runs in us-east-1; data never leaves the United States.
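The "Sent to AI / Stays in Convex" boundary above, as an added TypeScript example. This is not code from the briefing, nor Black Flag's, Trabian's or Convex's own code; the record shape, field names, redaction patterns and the sample member are constructed assumptions. What it shows is the pattern the slide describes: the model payload is assembled field by field from an allowlist (never by passing the whole record), free text is redacted against both generic patterns and the exact identifiers the application already holds for that member, and a final check refuses the call if the serialized payload still contains any protected value or raw amount.

```typescript
// Added example (constructed; not Black Flag / Trabian / Convex code).
// Builds the "Sent to AI" payload from a workflow record via an allowlist,
// so member PII, raw amounts and document content cannot reach the model.

type Member = { id: string; name: string; email: string; ssn: string; accountNumber: string };
type Transaction = { memberId: string; category: string; amount: number; postedAt: string };
type WorkflowRecord = {
  member: Member;               // stays in Convex
  transactions: Transaction[];  // stays in Convex (raw core/banking records)
  stepId: string;               // may be sent (workflow step identifier)
  accountType: string;          // may be sent (normalized label)
  notes: string;                // may be sent, after redaction
};

// Every field that crosses the boundary is named here; there is no catch-all.
type AiPayload = {
  stepId: string;
  accountType: string;
  categoryCounts: Record<string, number>; // counts, not amounts
  periodDays: number;
  notes: string;
};

// Generic pattern redaction: emails, US SSNs, long digit runs (account numbers).
const PATTERNS: [RegExp, string][] = [
  [/[\w.+-]+@[\w-]+\.[\w.-]+/g, "[EMAIL]"],
  [/\b\d{3}-\d{2}-\d{4}\b/g, "[SSN]"],
  [/\b\d{8,}\b/g, "[ACCOUNT]"],
];

export function redactFreeText(text: string, knownValues: string[]): string {
  let out = text;
  // Exact identifiers the app already holds for this member are removed first,
  // so a name or account number that no regex would catch still never leaves.
  for (const v of knownValues) {
    if (v.length > 0) out = out.split(v).join("[REDACTED]");
  }
  for (const [re, tag] of PATTERNS) out = out.replace(re, tag);
  return out;
}

export function buildAiPayload(rec: WorkflowRecord): AiPayload {
  const categoryCounts: Record<string, number> = {};
  for (const t of rec.transactions) {
    categoryCounts[t.category] = (categoryCounts[t.category] ?? 0) + 1;
  }
  const times = rec.transactions.map((t) => Date.parse(t.postedAt));
  const periodDays = times.length
    ? Math.round((Math.max(...times) - Math.min(...times)) / 86400000)
    : 0;
  const m = rec.member;
  return {
    stepId: rec.stepId,
    accountType: rec.accountType,
    categoryCounts,
    periodDays,
    notes: redactFreeText(rec.notes, [m.name, m.email, m.ssn, m.accountNumber, m.id]),
  };
}

// Boundary check to run immediately before the model call: the serialized
// payload must contain no value from the member record and no raw amount.
export function payloadLeaksPii(payload: AiPayload, rec: WorkflowRecord): boolean {
  const serialized = JSON.stringify(payload);
  const forbidden = [
    rec.member.name, rec.member.email, rec.member.ssn, rec.member.accountNumber,
    ...rec.transactions.map((t) => t.amount.toFixed(2)),
  ];
  return forbidden.some((v) => serialized.includes(v));
}

// Constructed sample record (fictional member and transactions).
export const SAMPLE_RECORD: WorkflowRecord = {
  member: { id: "mem_0042", name: "Jane Doe", email: "jane.doe@example.com",
            ssn: "123-45-6789", accountNumber: "001234567890" },
  transactions: [
    { memberId: "mem_0042", category: "groceries", amount: 42.5, postedAt: "2026-03-01" },
    { memberId: "mem_0042", category: "utilities", amount: 120.0, postedAt: "2026-03-15" },
    { memberId: "mem_0042", category: "groceries", amount: 18.25, postedAt: "2026-03-31" },
  ],
  stepId: "budget-review.step-2",
  accountType: "checking",
  notes: "Jane Doe called about acct 001234567890; reach her at jane.doe@example.com",
};
```

The two layers of redaction are deliberate: regexes catch formats the application has never seen, while the known-value pass catches the specific name or number the record already holds. The final `payloadLeaksPii` check is what an auditor can point to, since it tests the bytes that would actually be sent rather than the intent of the code that built them.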
Retention & Open-Records
03 · 04 · Retention & Compliance

FIs control their data. We're ready for procurement, audit, or DPA.

Retention

Application data is retained for the term of the FI engagement. FIs can purge member-level data at any time, on demand, end-to-end.

AI-generated outputs (insights, summaries, drafts) are cleared whenever the underlying member record is cleared. Bedrock retains nothing — there is no model-side cache to flush.

If your FI has a specific retention schedule (BSA/AML, NCUA, FFIEC), we will configure to it.
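The on-demand, end-to-end purge described in this section, as an added TypeScript example. It is not code from the briefing and not Black Flag's, Trabian's or Convex's own implementation; the store shape, record names and sample data are constructed assumptions. It shows the two things a reviewer would want to see: that deleting a member cascades to the AI-cached outputs and stored documents keyed to that member, and that there is a check which reports any artifact still pointing at a member who no longer exists.

```typescript
// Added example (constructed; not Black Flag / Trabian / Convex code).
// Member purge that cascades to AI-cached outputs and documents, plus an
// orphan check suitable for running after each purge or as a scheduled job.

type Store = {
  members: Map<string, { name: string }>;
  aiInsights: Map<string, { memberId: string; summary: string }>;   // AI-cached outputs
  documents: Map<string, { memberId: string; objectKey: string }>;  // R2 object references
  auditLog: { at: string; action: string; memberId: string; removed: number }[];
};

// Constructed sample store: two fictional members, three cached insights, one document.
export function makeSampleStore(): Store {
  return {
    members: new Map([
      ["mem_0042", { name: "Jane Doe" }],
      ["mem_0077", { name: "Sam Roe" }],
    ]),
    aiInsights: new Map([
      ["ins_1", { memberId: "mem_0042", summary: "spend up 4% vs prior period" }],
      ["ins_2", { memberId: "mem_0042", summary: "two recurring utilities" }],
      ["ins_3", { memberId: "mem_0077", summary: "no anomalies" }],
    ]),
    documents: new Map([
      ["doc_1", { memberId: "mem_0042", objectKey: "statements/doc_1.pdf" }],
    ]),
    auditLog: [],
  };
}

// Removes everything keyed to the member and returns the number of records removed.
// Dependent artifacts go first, so an interruption leaves a member with no
// artifacts rather than artifacts with no member.
export function purgeMember(store: Store, memberId: string, now = "2026-04-01T00:00:00Z"): number {
  let removed = 0;
  for (const [id, rec] of store.aiInsights) {
    if (rec.memberId === memberId) { store.aiInsights.delete(id); removed++; }
  }
  for (const [id, rec] of store.documents) {
    if (rec.memberId === memberId) { store.documents.delete(id); removed++; }
  }
  if (store.members.delete(memberId)) removed++;
  // The audit trail keeps a receipt keyed by opaque id, with no member content.
  store.auditLog.push({ at: now, action: "member.purge", memberId, removed });
  return removed;
}

// Returns ids of insights or documents whose member no longer exists.
export function orphanedReferences(store: Store): string[] {
  const orphans: string[] = [];
  for (const [id, rec] of store.aiInsights) {
    if (!store.members.has(rec.memberId)) orphans.push(id);
  }
  for (const [id, rec] of store.documents) {
    if (!store.members.has(rec.memberId)) orphans.push(id);
  }
  return orphans;
}
```

In a real deployment the document step would also delete the object behind `objectKey` from the bucket, not only the reference; the orphan check is the evidence an examiner can ask for that "cleared whenever the underlying member record is cleared" holds in practice, not only by design.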

Compliance Posture

Application data is structured and retrievable for audit and exam responses. No member data is sold, licensed, or shared with outside parties — ever.

Analytics events (PostHog) are behavioral and never include member content. All vendor sub-processors are SOC 2 Type 2 audited and US-resident.

DPA, GLBA / Reg P alignment, BSA/AML guardrails, FFIEC IT examination support — happy to walk through any of it with your team.

Key Commitments
In summary

Four commitments we make to Trabian and your FIs.

The short version — the promises behind everything above.

US-only data residency

Convex, Cloudflare R2, Cloudflare Pages, Clerk, and AWS Bedrock all hold data within US data centers. Every sub-processor is SOC 2 Type 2 audited.

Bounded, privacy-safe AI

AI receives only anonymized, structured workflow data. No member PII, account numbers, or untokenized core/banking records are ever sent to the model. AWS Bedrock does not use your data for training.

FI-controlled retention

Member records can be purged on demand, end-to-end. We will conform to your FI's BSA/AML, NCUA, or FFIEC retention schedules.

Ready for formal compliance

We provide DPAs, complete vendor questionnaires, support FFIEC IT exams, and align to GLBA / Reg P. Mesh's existing SOC 2 and FI-grade posture extend cleanly to this layer.
