GaugeMeridian Trades Group
Demo · synthetic data

How your data stays protected

the posture your IT and CPA reviews will actually test
🔑

Read-only, least privilege

Gauge requests read-only scopes at every source that offers them — HubSpot, Ramp, Monday, NetSuite (read-only role), ServiceTitan. Where a vendor has no read-only scope (QuickBooks), Gauge enforces it with a GET-only endpoint allowlist verified in CI, so a connector cannot write, even by accident.

🗄️

Credentials in a per-tenant vault

OAuth tokens are envelope-encrypted with a per-tenant key under a KMS root. They are decrypted only in memory inside a sync worker, at sync time — never in the app tier, never in a log, never shared across companies.

🧱

One company can’t see another

Every row carries a tenant_id. Isolation is enforced twice — in the app and again by Postgres row-level security— with per-tenant sync queues, so one company’s data or a failed sync can never bleed into another’s.

🔎

Every number drills to source

No figure is re-keyed. Each metric carries lineage and an “as of”stamp and deep-links to the originating record. A failed sync shows as “data from Tuesday” — loudly stale, never silently wrong.

🚪

Your data, your call

Disconnect any source in one click; access is revoked and the vaulted token destroyed. Churn triggers a hard delete, raw copies included. Your financials are never sold, pooled, or used to train anything.

📋

Built for the audit

Append-only audit log of every auth event, connection change and export. Controls run from day one — access reviews, change management, subprocessor inventory — on a path to SOC 2. Direct APIs are favored over third-party proxies to keep the subprocessor list short.

⚠︎

Why not just connect everything over MCP?Routing customer financials through a multi-tenant MCP proxy adds attack surface an engineer should refuse — token pass-through, confused-deputy OAuth flaws, and prompt-injection / tool-poisoning that simply don’t exist in a deterministic read-only API sync. So MCP is used in exactly one place: Gauge exposing its own already-governed data outbound, so your AI assistant can query it. Credentials to your systems never touch an MCP layer.