Agent Isolation
Your agents work for you and only you. Per-session isolation, constrained inputs, and no cross-user data sharing.
Your Desk. Your Agents. No One Else.
Every PerpDesk desk is an isolated environment. Your agents operate exclusively within your session — they don't communicate with other users' agents, they don't share context across desks, and they don't accept instructions from anyone but you.
This isn't a permissions layer on top of a shared system. Each desk is architecturally separate. Your agents see your data, your positions, your risk parameters, and your coordination pipeline. Nothing else.
Constrained Inputs
Prompt injection is a real threat when AI agents browse the open web, process untrusted emails, or interact with external systems they don't control. PerpDesk's agents have a much narrower input surface.
Inputs are structured and constrained. Your agents consume market data from connected exchanges, signals from the coordination pipeline, and instructions from you. They don't browse websites, read emails, or process arbitrary external content where injected prompts could hide.
Communication between agents is structured. Agents talk to each other through PerpDesk's coordination protocol — a typed message format. There's no free-text channel where an external actor could slip instructions into the pipeline.
Instructions come from one source: you. When you set autonomy levels, configure strategies, or send commands through chat, that's the only instruction channel your agents listen to. No third party can issue commands to your desk.
Agents do communicate with specific external services needed for analysis (such as LLM providers for reasoning). However, they don't access arbitrary external resources — no web browsing, no email reading, no processing of untrusted content.
Isolated Data, Isolated Context
Your agents learn from your trading history, your risk preferences, and your performance data. None of this context is shared with other desks or used to train models for other users.
Your data stays on your desk. When Lucid analyzes your trading patterns or Riven adapts strategies to your preferred regimes, that learning stays on your desk. Another trader's desk has no visibility into your context, and yours has no visibility into theirs.
What Agents Cannot Do
Beyond the fund restrictions covered in Custody & Funds, agents have additional hard boundaries:
No arbitrary network access. Agents cannot reach out to arbitrary URLs, APIs, or services. They communicate with the specific services required for their function (exchanges, analysis providers) but nothing else.
No data export. Agents cannot send your trading data, positions, strategies, or performance history to any external destination.
No cross-desk communication. Even in Team Trading setups, desks maintain clear boundaries. Shared visibility is explicit and configured by you — agents don't autonomously share information across team members' desks.
No self-modification of security boundaries. An agent cannot raise its own autonomy level, expand its own risk limits, or grant itself permissions you haven't given it. These boundaries are enforced at the platform level, outside the agent's control.