- Encryption at rest: AES-256
- Encryption in transit: TLS 1.3
- Breach notification SLA: 72h
- SOC 2: In progress · Q3 2026
1 Overview
Security is a core part of Mnemexa's architecture, not an afterthought. As a platform that stores sensitive business context for AI agents, we take a defence-in-depth approach — layering technical controls, operational procedures, and personnel policies to protect your data at every level.
This page describes our current security posture. We update it as our programme evolves.
Status: All Mnemexa systems are operational. Report a vulnerability: security@mnemexa.com
2 Infrastructure Security
Mnemexa is hosted on enterprise-grade cloud infrastructure with the following properties:
- Isolated environments: Production, staging, and development are strictly separated with no cross-environment data access.
- PostgreSQL with pgvector: Primary database with row-level isolation per workspace. No customer data crosses workspace boundaries at any layer.
- Redis: Used exclusively for rate limiting tokens — no customer memory data is stored in Redis.
- Redundancy: Database backups with point-in-time recovery. Infrastructure redundancy to minimise downtime.
- Patch management: OS and dependency updates applied on a regular schedule with critical patches applied within 48 hours.
3 Encryption
3.1 In Transit
All API communications are encrypted using TLS 1.3. We do not support TLS 1.0 or 1.1. HTTP requests are automatically redirected to HTTPS.
3.2 At Rest
All data stored on Mnemexa infrastructure is encrypted at rest using AES-256, including memory vectors, metadata, and account information.
3.3 API Keys
API keys are hashed using SHA-256 before storage. The plaintext key is shown once at creation and never stored or retrievable again. Even Mnemexa staff cannot view your API keys.
4 Access Controls
- API authentication: All endpoints require a valid Bearer token. Tokens are workspace-scoped — a key from one workspace cannot access another's data.
- Rate limiting: Token bucket rate limiting enforced per workspace and per API key via Redis. Prevents abuse and ensures fair usage.
- Least privilege: Internal staff access to production systems follows least-privilege principles. Access is reviewed quarterly.
- Multi-factor authentication: Required for all internal systems with production access.
- Audit logging: All API operations are logged with timestamps, endpoint, response code, and usage metrics. Logs are append-only.
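The key handling described in 3.3 and the workspace-scoped Bearer check above can be sketched as follows. This is an added example, not Mnemexa's code; the in-memory table, the `mx_` prefix and the function names are assumptions.

```python
import hashlib
import secrets
from typing import Dict, Optional

# In-memory stand-in for the key table: sha256(key) -> workspace id (assumed schema).
KEY_TABLE: Dict[str, str] = {}


def key_digest(api_key: str) -> str:
    # Unsalted SHA-256 is adequate here only because the key is 256 bits of
    # CSPRNG output; it would not be adequate for human-chosen passwords.
    return hashlib.sha256(api_key.encode()).hexdigest()


def issue_key(workspace_id: str) -> str:
    """Create a key, persist only its digest, return the plaintext once."""
    api_key = "mx_" + secrets.token_urlsafe(32)  # "mx_" prefix is hypothetical
    KEY_TABLE[key_digest(api_key)] = workspace_id
    return api_key


def authenticate(authorization: Optional[str]) -> Optional[str]:
    """Map an Authorization header value to a workspace id, or None."""
    if not authorization:
        return None
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    # Lookup is by digest, so the plaintext key never needs to be stored.
    return KEY_TABLE.get(key_digest(token.strip()))


def authorize(authorization: Optional[str], requested_workspace: str) -> bool:
    """Workspace scoping: the key's workspace must equal the one requested."""
    owner = authenticate(authorization)
    return owner is not None and owner == requested_workspace
```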
5 PII Detection and Prevention
Mnemexa implements automated PII detection as a first-stage filter on every memory write operation. Before any data is stored, the system scans for:
- Passwords and authentication credentials
- API keys and secret tokens
- Credit card numbers (PAN detection)
- Social Security Numbers (SSN) and equivalent national identifiers
- Private key material (RSA, PEM patterns)
- And 10+ additional sensitive data patterns
Design intent: AI agents may inadvertently capture sensitive data from conversations. Mnemexa blocks this class of data before it can enter the memory store, reducing your compliance surface area automatically.
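A first-stage write filter of this kind can be sketched as below, covering four of the listed classes. This is an added example, not Mnemexa's detector: the patterns, class names and `write_memory` function are assumptions, and the sample inputs in any test are constructed.

```python
import re
from typing import List

# Patterns are assumptions for illustration; the page does not publish its rules.
PEM_RE = re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |ENCRYPTED )?PRIVATE KEY-----")
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
CRED_RE = re.compile(r"(?i)\b(?:password|passwd|secret|api[_-]?key)\s*[:=]\s*\S+")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan(text: str) -> List[str]:
    """Return the sorted set of sensitive-data classes found in text."""
    found = set()
    if PEM_RE.search(text):
        found.add("private_key")
    if SSN_RE.search(text):
        found.add("ssn")
    if CRED_RE.search(text):
        found.add("credential")
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.add("pan")
    return sorted(found)


def write_memory(store: List[str], text: str) -> List[str]:
    """First-stage filter: store the text only if nothing is detected."""
    hits = scan(text)
    if not hits:
        store.append(text)
    return hits
```

The Luhn step matters in practice: without it, order numbers and other long digit runs would be rejected as card numbers.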
6 Network Security
- Firewall: Network-level firewall restricting inbound access to required ports only.
- DDoS protection: Rate limiting and traffic analysis at the application layer.
- Private networking: Internal services communicate over private networks not exposed to the public internet.
- No direct database access: Database servers are not publicly accessible. All access is via the application layer with authenticated connections.
7 Secure Development Lifecycle
- Code review: All code changes require peer review before deployment to production.
- Dependency scanning: Automated scanning of third-party dependencies for known vulnerabilities.
- Environment separation: Production credentials never used in development or staging environments.
- Input validation: All API inputs validated and sanitised before processing.
- SQL injection prevention: Parameterised queries used throughout; no string concatenation for SQL.
8 Monitoring and Alerting
- Application monitoring: Request latency, error rates, and availability monitored continuously with automated alerting.
- Security monitoring: Anomalous access patterns, failed authentication spikes, and unusual usage volumes trigger alerts.
- Uptime monitoring: External uptime checks with on-call escalation for outages.
- Log retention: Security and access logs retained for 12 months.
9 Incident Response
Mnemexa maintains a documented incident response procedure covering detection, containment, eradication, recovery, and post-incident review. In the event of a confirmed security incident affecting customer data:
- Affected customers are notified within 72 hours of confirmation.
- Notification includes nature of incident, data affected, and remediation steps.
- A post-incident report is made available upon request.
To report a suspected incident: security@mnemexa.com
10 Personnel Security
- Background checks conducted for all employees with access to production systems.
- Security awareness training completed by all staff handling customer data.
- Confidentiality and data handling obligations included in all employment agreements.
- Access revoked immediately upon employee departure.
11 Compliance Roadmap
| Standard | Status | Timeline |
| --- | --- | --- |
| GDPR compliance | In place | Current |
| UK GDPR compliance | In place | Current |
| Data Processing Agreement | Available | Current |
| AES-256 + TLS 1.3 | Implemented | Current |
| SOC 2 Type I | In progress | Q3 2026 |
| SOC 2 Type II | Planned | 2027 |
| ISO 27001 | Evaluating | TBD |
12 Responsible Disclosure
We welcome security researchers who responsibly disclose vulnerabilities in Mnemexa systems. If you discover a potential vulnerability:
- Email security@mnemexa.com with a detailed description.
- Do not access, modify, or delete customer data during research.
- Allow us reasonable time (30 days) to investigate and remediate before public disclosure.
- We will acknowledge receipt within 48 hours and keep you informed of our progress.
We do not currently operate a bug bounty programme, but we acknowledge all valid reports and work collaboratively with researchers.