Deployment shapes

Three ways to run it. Same SDK either way.

cloud · multi-tenant

Hosted

Our cloud. Best for teams who want to move now. Tenant isolation at the workspace level.

  • US + EU regions
  • Encrypted at rest + in transit
  • 99.9% SLA

on-prem · air-gapped

Self-hosted

Helm chart + Terraform module. Runs entirely inside your perimeter. We deliver releases; you operate.

  • Air-gap-friendly
  • Local embedding models
  • Quarterly release cadence

Reference architecture · VPC

Inside your perimeter. Quiet at the boundary.

YOUR VPC · region eu-west-1

  • control plane: api · auth · audit
  • data plane: pg · qdrant · neo4j · redis
  • workers: kafka · temporal
  • your idp · okta / azure ad: SSO · SAML · SCIM
  • github enterprise · gitlab: private link · ip-allow
  • audit sink · siem: syslog · splunk · datadog

DEVELOPER WORKSTATIONS

  • Claude Code
  • Codex CLI
  • Cursor

mTLS · per-user key
no data leaves vpc

Controls

The knobs your security team will ask about.

Per-project isolation

Every workspace is a hard boundary. Memory never crosses workspaces, even when an agent has access to both.

workspace::billing-prod ⟂ workspace::storefront-prod

RBAC + scoped tokens

Roles for owner, maintainer, contributor, read-only. Tokens scoped by workspace, branch, or memory layer.

scope: billing-prod · branch: feat/* · layer: episodic

SSO / SAML / SCIM

Plug into Okta, Azure AD, Google. SCIM provisioning, just-in-time access, group-mapped roles.

idp · okta · group: eng → role: maintainer

Memory visibility

Mark memories private to a sub-team. Cross-team retrieval requires explicit grant. Auditable, revocable.

visibility: team::billing · grant: team::platform read-only

DLP & redaction

Per-workspace redaction policies. Emails, names, secrets, custom regex patterns. Applied at write time; survives every retrieval.

redact: pii.email, secret.token, custom::ssn

Audit log

Every read, every write, every grant — to your SIEM. Tamper-evident, queryable, exportable.

sink: splunk · syslog · datadog

A real audit slice

What an auditor actually wants to see.

ts | actor | action | scope | result
2026-05-25 09:14:01 | @rena | retrieve · billing.ts | billing-prod / feat/usage-meter | 200 · 6 hits
2026-05-25 09:14:01 | claude-code/v1.2 | retrieve · same | billing-prod / feat/usage-meter | 200 · 6 hits
2026-05-25 09:14:02 | system | compress · summary-v2 | billing-prod | 412 → 86 tok
2026-05-25 09:14:03 | @rena | grant · workspace::storefront | read-only · 7 days | audit-tag #884
2026-05-25 09:14:09 | claude-code/v1.2 | retrieve · auth/* | storefront / main | redacted · pii.email
2026-05-25 09:14:11 | system | flag · stale-doc | docs/wiki/auth.md | queued · @rena
2026-05-25 09:14:15 | @new-hire | memory.cite · ADR-007 | billing-prod / main | 200 · cite chain ok

  • deploy time: ~4 hrs to ready-for-traffic
  • SLA: 99.95% (dedicated cloud)
  • audit retention: 7 yrs (configurable)
  • support: 24×7 (dedicated SE)

Enterprise · ready

Memory infrastructure that passes review.
