Documentation

Architecture & Infrastructure

How Colby is built, deployed, and secured — from the Chrome extension on your browser to Google Cloud Platform.

Product Overview

Colby is an AI-powered Chrome extension that connects to Salesforce to automate data entry, report generation, meeting note processing, and research for asset management distribution teams. It lives as a sidebar in your browser, giving you conversational access to your CRM data without leaving your workflow.

System Architecture

Colby follows a client-server architecture with encrypted communication between the Chrome extension and a cloud-hosted backend.

Chrome Extension Manifest V3 TLS + E2E Cloud Backend Google Cloud Run Salesforce OAuth 2.0 AI Engine Research Tools Web + BrokerCheck CRM Read/Write Multi-Agent AI External Data

Network Architecture

The following diagram shows Colby's network topology, including zone boundaries, security controls, data flows, physical regions, and redundancy mechanisms.

PUBLIC INTERNET End Users · Chrome Extension Manifest V3 · ECDH + AES-256-GCM End-to-End Encryption HTTPS / TLS 1.3 EDGE / DMZ GCP us-central1 Cloud Run Ingress Built-in Load Balancing Security Middleware Headers · Log Sanitization CORS + Rate Limiting Abuse Prevention IAM Auth · Cloud Run PRIVATE APPLICATION ZONE · GCP MANAGED CLOUD RUN SERVICES us-central1 Primary Region Scaling Config min: 0 · max: 20 Auto-Scaling Health Checks · Request-based Scaling Internal / Private OAuth 2.0 / HTTPS PRIVATE DATA ZONE GCP Managed Services Cloud KMS Key Management Secret Manager Credentials Store Firestore Audit & Action Logs EXTERNAL SERVICES Outbound via Egress Rules Salesforce API OAuth 2.0 Google Gemini AI Engine Research APIs Web + FINRA

Network Zones

  • Public Internet — untrusted zone where end users interact via the Chrome extension. All traffic is encrypted with TLS 1.3 and per-session E2E encryption (ECDH + AES-256-GCM).
  • Edge / DMZ — Cloud Run's built-in ingress handles TLS termination and load balancing. Application-level security middleware enforces HSTS, X-Frame-Options, X-Content-Type-Options, and log sanitization. CORS restrictions and rate limiting prevent abuse.
  • Private Application Zone — GCP-managed network containing Cloud Run services deployed in us-central1 with request-based auto-scaling (0–20 instances).
  • Private Data Zone — GCP managed services including Cloud KMS (envelope encryption, automatic key rotation), Secret Manager (credential storage, no secrets in code), and Firestore (audit logs, action logs, and user records).
  • External Services — outbound connections governed by egress rules. Includes Salesforce API (OAuth 2.0), Google Gemini (AI engine), and research APIs (web search, FINRA BrokerCheck).

Data Flow Summary

  • Public → Edge — user requests travel over HTTPS/TLS 1.3 with an additional E2E encrypted channel to Cloud Run ingress
  • Edge → Application — after security middleware processing, CORS validation, and rate limiting, authenticated traffic is routed to Cloud Run services
  • Application → Data — internal private network calls to KMS for encryption, Secret Manager for credentials, and Firestore for audit and action logging
  • Application → External — outbound OAuth 2.0/HTTPS calls to Salesforce, Google Gemini, and research APIs via controlled egress rules

Key Components

Chrome Extension Manifest V3

A sidebar UI for conversational interaction with Salesforce data. Built on Chrome's Manifest V3 platform with minimal permissions — only accesses Salesforce domains, Google OAuth, and the Colby backend.

Cloud Backend Google Cloud Run

Hosted on Google Cloud Run, the backend processes requests and orchestrates AI agents in a fully managed, auto-scaling serverless environment.

AI Engine Multi-Agent

A multi-agent system powered by Google Gemini for intelligent task routing. Different agents handle data entry, data retrieval, research, and multi-step workflows.

Salesforce Integration

Native OAuth 2.0-based connection to read and write CRM data. Supports standard and custom Salesforce objects while respecting your organization's role hierarchy and field-level security.

Research Tools

Web search and financial data lookup (including FINRA BrokerCheck) for enriched workflows. Enables contact research, meeting note processing, and investment due diligence.

How It Works

1

User Interaction

User interacts via the Chrome extension sidebar while on Salesforce. Requests can be typed, spoken, or triggered by pasting meeting notes.

2

Encrypted Transmission

Requests are sent over encrypted channels (TLS + end-to-end encryption) to the cloud backend. No data is stored on the client.

3

AI Agent Routing

AI agents analyze the request and determine the right tools and actions — whether it's querying Salesforce, generating a report, or performing web research.

4

Execution with Guardrails

Actions are executed against Salesforce with bulk operations available for preview before execution. Colby respects your existing Salesforce permissions at all times.

5

Real-Time Results

Results stream back to the Chrome extension in real-time, providing immediate feedback and actionable outputs.

Permissions Model

Colby operates within your existing Salesforce permissions. Bulk operations support preview before execution.

Colby is designed with a conservative permissions model to ensure data safety:

  • Salesforce permissions enforced — Colby can only perform operations your Salesforce profile allows, including respecting role hierarchy and field-level security
  • Bulk operation preview — Large bulk operations can be previewed before execution
  • Human approval for deletes — Record deletions require explicit user confirmation before being committed
  • Minimal browser permissions — The Chrome extension only accesses Salesforce domains, Google OAuth, and the Colby backend

Cloud Platform

Colby is built on Google Cloud Platform (GCP), leveraging Google's enterprise-grade security and reliability infrastructure. GCP provides the foundation for our compute, storage, secrets management, and key management services.

Compute

Colby runs on Google Cloud Run — fully managed, auto-scaling serverless containers deployed in us-central1 for low latency.

Auto-Scaling Serverless

Automatic scaling from zero to handle demand spikes. Resources are provisioned on-demand and released when not in use.

Optimized Containers

Container images are optimized for fast startup. Min-instances are configurable for latency-sensitive workloads to reduce cold start impact.

US Regional Deployment

Deployed in us-central1 to minimize latency for North American users and comply with data residency requirements.

Secrets & Key Management

  • Google Cloud Secret Manager — all sensitive credentials are stored in Secret Manager. No secrets are stored in code or environment files.
  • Google Cloud KMS — encryption key lifecycle management including automatic key rotation, with keys used for envelope encryption of session data.

Availability & Scaling

Auto-Scaling

Request-based auto-scaling handles traffic spikes automatically without manual intervention.

Health Checks

Continuous health check endpoints are monitored to detect and respond to degradation immediately.

Status Page

Public status page at status.getcolby.com with real-time uptime data.

Notifications

RSS feed and subscription options available for incident and maintenance notifications.

Security Infrastructure

Security Headers

All responses include HSTS, X-Frame-Options, X-Content-Type-Options, and other security headers to prevent common web vulnerabilities.

Rate Limiting

Rate limiting on all sensitive endpoints protects against abuse and ensures fair resource allocation.

CORS Restrictions

Cross-origin resource sharing is restricted to Salesforce domains and the Colby extension only — no third-party access.

SSL/TLS Enforced

All connections require SSL/TLS — plaintext HTTP is never accepted for any endpoint.

Deployment Pipeline

1

Code Review

All changes require peer code review before merge. Git-based version control with branch protection rules.

2

CI/CD Pipeline

Automated testing and build via GitHub Actions and Google Cloud Build. Every change runs through the full test suite.

3

Containerized Deployment

Every deployment is containerized with Docker for consistency across environments. No configuration drift between staging and production.

4

Post-Deployment Health Checks

Automated health checks run after each deployment to verify service health before routing traffic.

Monitoring & Observability

  • LLM call tracing — performance monitoring for all AI model interactions to ensure response quality and latency targets
  • Structured logging — with automatic sensitive data redaction before log persistence
  • Action-level audit logging — all Salesforce operations (reads, writes, updates) are logged with full context
  • Real-time health monitoring — service health dashboards with alerting for anomalies

Incident Response

Public Status Page

Incident history and maintenance windows are published at status.getcolby.com.

Uptime Tracking

Uptime tracked across 24h, 7d, 30d, and 90d windows with real-time visibility.

Subscribe to the RSS feed or status page notifications to receive alerts about incidents and planned maintenance windows.

SOC 2 Compliance

Colby maintains an active SOC 2 compliance program tracked via Vanta.

Our compliance posture is continuously monitored. For detailed compliance information, including evidence of controls and policies, visit our Vanta Trust Center.

Learn More

Data Privacy & Policies

How we handle encryption, session data, and protect your information.

Terms of Use

Service agreement, acceptable use, and user responsibilities.