Architecture

The three differentiators from the home page, with the technical substance behind each.

1. Silo + BYOC by default

Every tenant receives a dedicated GCP project containing a dedicated Cloud Run service set, Cloud SQL instance, GCS buckets, and Secret Manager namespace. There is no shared database, no shared application process, no row-level security policy. Tenant separation is achieved by separate deployments, not by runtime filters inside shared infrastructure. Optional Bring-Your-Own-Cloud puts the entire tenant project in your GCP organisation, with the vendor holding limited-scope deployment access only.

The alternative — pool tenancy with row-level security — is operationally cheaper at low customer count and is the default choice for consumer SaaS. It is the wrong choice here: hedge fund security teams reject multi-tenant SaaS for production-grade workloads, and LP questionnaires increasingly ask about data residency and tenancy isolation. We pay for a control plane so that silo stays operationally credible at scale.

2. Open-source-first stack

Polars (data frames), Postgres with extensions (PGMQ, Apache AGE, TimescaleDB, pg_cron), APScheduler (scheduling), MLflow (model registry), FastAPI + Pydantic (API), Vite + React + Tailwind + shadcn (UI), uv (Python packaging), Cloud Run (runtime). Every load-bearing component is open-source with permissive licensing.

This means you can, in principle, pull your stack out of our managed offering and run it yourself on equivalent infrastructure. A fund that wants to bring infrastructure in-house in three years can do so without a re-platforming exercise. We give up the lock-in revenue that proprietary competitors enjoy and win on land/expand mechanics instead.

3. Quant-native, not generic MLOps

Specific platform properties, not add-ons:

PBO / DSR on every backtest. Bailey & López de Prado's Probability of Backtest Overfitting and Deflated Sharpe Ratio are computed automatically; results are surfaced in the run-detail UI.
Walk-forward as a promotion gate. Models without walk-forward evidence cannot be promoted. Not a warning; a block.
CPCV instead of vanilla k-fold. Combinatorial Purged Cross-Validation with embargo, so training data doesn't leak into test via temporally-adjacent samples.
Bi-temporal data discipline. Every silver and gold row carries _knowable_at (system time — when the datum became visible to the platform), _valid_from, and _valid_to. Training-data queries without a _knowable_at filter fail pipeline validation before they ever run.
Factor decomposition built in. Carhart four-factor by default; Hou-Mo-Xue-Zhang q-factor as alternative; reports generated with the model, not as a bolt-on.
MLflow pyfunc parity. The Python callable used at training time is the same callable used at serving time, packaged into the artefact. Train-serve skew ceases to exist as a class of bug.
Cryptographic audit chain. The audit log is hash-chained and exportable to WORM GCS for regulated tenants.

These are the properties that separate a generic MLOps tool from a quant-native platform.