01 The trust boundary
A diagram and a promise: code, prompts, and decisions stay inside your perimeter unless you explicitly cross it.
02 Encryption
Industry-standard, no clever inventions.
In transit
TLS 1.3 only. mTLS available on Enterprise. HSTS enforced. No fallback to HTTP.
At rest
AES-256-GCM on application-managed envelopes. KMS-rooted on hosted; BYO-KMS on Enterprise (AWS, GCP, Azure KMS).
Backups
Encrypted with separate KMS key set. Restore drill quarterly; integrity verified by hash chain.
Embedding vectors
Stored alongside payloads, encrypted at rest. Embeddings of redacted text are themselves derived after redaction.
03 Isolation
A workspace is a hard boundary. No accidental cross-talk.
- Per-workspace encryption keys. A workspace can be re-keyed independently. A leaked key for one workspace doesn't compromise another.
- Per-workspace embedding namespaces. Even if vectors collided across workspaces, the namespace filter would prevent retrieval.
- Per-workspace Postgres schema (Enterprise). No shared tables, no shared connection pool.
- Network policy. On VPC/Enterprise, namespace-level NetworkPolicies prevent cross-pod traffic.
04 Access control
RBAC, scoped tokens, SSO, SCIM. Authentication is boring; authorization should be sharp.
Roles
owner · admin · maintainer · contributor · read-only. Custom roles on Enterprise.Token scope
Workspace, branch glob, memory layer (episodic / semantic / procedural). Combine for "agent X can read semantic on feat/* in workspace Y" precision.
SSO / SAML
Okta, Azure AD, Google Workspace, JumpCloud, Ping, OneLogin, generic SAML 2.0. SCIM 2.0 provisioning.
Just-in-time access
Optional. Maintainer role for the duration of a PR, revoked on merge. Auditable.
Memory visibility
Mark memories private to a sub-team. Cross-team retrieval requires explicit grant. Grants are revocable; revocation is immediate.
05 Audit log
Every read, every write, every grant. To your SIEM, in real time.
- Immutable, append-only chain. Each entry signed; tampering is detectable.
- Streams to Splunk, Datadog, Sumo, syslog, or generic webhook (Enterprise).
- Retention: 90 days in-app on Pro; up to 7 years configurable on Enterprise.
- Filterable by actor, workspace, scope, time, action, result. Exportable as CSV/JSON.
- Includes citation chain: when an agent uses a memory, the audit links the prompt → retrieval → cited source.
06 DLP & redaction
Strip the things that shouldn't be remembered before they're stored — not after retrieval.
Built-in
Email, phone, IP, credit-card, SSN, common token formats (Stripe, AWS, GitHub, etc.).
Custom regex
Per-workspace patterns. Tested in a dry-run sandbox before activation.
Code-secret detection
Uses a hybrid scanner (entropy + ruleset) on ingest. Detected secrets are never stored, even in raw archives.
PII tags
Detected fields get tagged. Retrieval can be configured to refuse to return tagged memories to specific agent identities.
07 Right to forget
Delete means delete.
- Hard delete propagates across primary store, vector index, graph, hot cache, and cold archive within 24 hours.
- The deleted item is gone; an audit entry "an item with this hash was deleted" remains for compliance.
- Workspace deletion takes the workspace's encryption key with it. Cryptographic shredding closes the loop on cold backups.
- Self-hosted operators can run
statefulai forgetfor explicit, scriptable removal.
08 Models & data
Your code is not training data.
- We do not use your data to train or fine-tune any shared model. Ever.
- Per-workspace rerankers are trained on your accept/reject signals; their weights stay in your workspace.
- On Enterprise, you can bring your own embedding provider — Voyage, Cohere, OpenAI, or a self-hosted model.
- Embedding requests to third parties are content-redacted before they go out (when you opt in to a hosted embedder).
09 Vulnerability disclosure
Found something? Tell us, get paid, and we'll thank you publicly.
Contact
security@statefulai.tech — PGP key on file.Bounty
$500 – $25 000 depending on severity. Hall of fame for first reporters.
Response
Acknowledged within 24 h. Triage within 72 h. CVE coordination via MITRE.
Scope
Hosted product, MCP server, SDKs, Helm chart, Terraform module.