Security

Last Updated: January 16, 2026

            Security is Non-Negotiable: MemoryGate stores your AI's memory—the most sensitive data in your stack. We've built every layer with security as the default, not an afterthought.
        

1. Data Encryption

Encryption at Rest AES-256

All data stored in PostgreSQL is encrypted using AES-256-GCM. This includes:

Memory observations
Knowledge graphs
Embeddings
Metadata and audit logs

Encryption in Transit TLS 1.3

All API traffic uses TLS 1.3 with perfect forward secrecy:

HTTPS enforced (no downgrade)
HSTS headers enabled
Certificate pinning recommended

2. Authentication & Access Control

OAuth 2.0 with PKCE RFC 7636

MemoryGate uses industry-standard OAuth 2.0 with Proof Key for Code Exchange (PKCE) to prevent authorization code interception attacks.

No passwords stored on our servers
Tokens expire after configurable TTL
Refresh tokens rotated on use
Tokens hashed with Argon2id before storage

API Key Security

For programmatic access, API keys are:

Generated using cryptographically secure randomness (256-bit entropy)
Hashed with Argon2id before storage (keys are never stored in plaintext)
Scoped to specific memory stores and permissions
Revocable instantly via the dashboard

Role-Based Access Control (RBAC)

Every user has a role with specific permissions:

Owner: Full control (billing, users, data)
Admin: Manage data and users (no billing access)
Member: Read/write memory data
Viewer: Read-only access

3. Multi-Tenant Isolation

Database-Level Isolation RLS

Every table uses PostgreSQL Row-Level Security (RLS) policies to enforce strict tenant isolation:

All queries automatically filtered by tenant_id
No cross-tenant data leakage possible by design
Enforced at the database layer (not application layer)

Schema Design

Our schema includes:

Foreign keys on all user-facing tables
Check constraints preventing null tenant_id
Unique indexes scoped to tenant_id

4. Infrastructure Security

Hosting & Network

MemoryGate runs on Fly.io infrastructure:

Private networking: Database isolated from public internet
DDoS protection: Cloudflare-grade mitigation
Geographic distribution: Deployments in US/EU regions
SOC 2 Type II compliance: Fly.io certified

Database Security

PostgreSQL configuration follows CIS benchmarks:

SSL-only connections required
Strong password policies enforced
Automated security patches
Daily backups with 30-day retention

5. Application Security

Input Validation

All API inputs are validated:

Type checking (string, number, enum)
Length limits enforced
SQL injection prevention (parameterized queries)
XSS prevention (content escaping)

Rate Limiting

API endpoints are rate-limited by:

API key (per-user limits)
IP address (global limits)
Endpoint (different limits per operation)

Security Headers

All HTTP responses include:

Content-Security-Policy
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Strict-Transport-Security

6. Monitoring & Audit

Audit Logs

All significant actions are logged:

Authentication events (login, logout, token refresh)
Data access (read, write, delete)
Permission changes (role assignments)
Billing events (plan changes, payments)

Audit logs are:

Tamper-evident (append-only)
Retained for 1 year
Accessible via dashboard

Real-Time Monitoring

We monitor for:

Unusual authentication patterns
Excessive API usage
Database anomalies
Infrastructure health

7. Backups & Disaster Recovery

Point-in-Time Recovery (PITR)

Continuous WAL archiving
30-day recovery window
Encrypted backup storage
Tested restore procedures

High Availability

Multi-region database replication
Automatic failover
Load balancing across instances

8. Vulnerability Management

Security Updates

We apply security patches:

Critical: Within 24 hours
High: Within 7 days
Medium: Within 30 days

Dependency Scanning

All dependencies are scanned for known vulnerabilities:

Automated daily scans
CVE monitoring
Automated dependency updates

9. Responsible Disclosure

Security Bug Bounty

Found a security issue? We want to hear about it.

Email: pstryder@gmail.com
Response time: Within 48 hours

What We'll Do

Acknowledge your report within 48 hours
Investigate and confirm the issue
Develop and test a fix
Deploy the fix (coordinated disclosure)
Credit you in our security acknowledgments (if you want)

What Not to Do

Don't publicly disclose before we've patched
Don't exploit the vulnerability
Don't access other users' data
Don't perform DoS attacks

10. Compliance & Certifications

Current Status

GDPR: Compliant (EU data protection)
CCPA: Compliant (California privacy)

Data Residency

All data is currently stored in Virginia, USA (via Fly.io infrastructure). Additional regions planned for future deployment.

11. Open Source Transparency

MemoryGate Core is fully open source (Apache 2.0). You can:

Inspect every line of code at github.com/PStryder/MemoryGate
Audit our security claims independently
Submit security patches via pull request
Self-host if you prefer complete control

12. Contact Security Team

Questions, concerns, or reports? Reach out:

Email: pstryder@gmail.com
GitHub: Private security advisories