Trust & security

Security at MemoryRouter

Memory is sensitive data. Everything a user tells their agent flows through us. Here's exactly how we handle it — no marketing fluff, just the facts.

Data isolation

Every MemoryRouter customer, and every one of their end users, gets their own isolated memory vault. Vaults are scoped at the retrieval layer — there is no shared index where a bad query could surface another tenant's memory.

  • One API key = one vault. No cross-tenant retrieval paths.
  • Programmatic key provisioning lets enterprises mint a fresh vault for every end user.
  • Deletion is hard-delete at the vault level — not a soft flag.

Encryption

Memory data is encrypted in transit and at rest.

  • In transit: TLS 1.2+ on every endpoint. HSTS enforced.
  • At rest: AES-256 encryption on vault storage and backups.
  • Secrets: API keys are hashed before storage; we never store plaintext keys.

Access controls

  • Scoped API keys — rotate or revoke any key without touching the rest.
  • Admin keys (for programmatic provisioning) are separate from per-customer keys.
  • Internal access to production is limited to a small engineering team. Least-privilege by default.
  • 2FA required on all administrative accounts.
  • Audit logs on key mutations (create / rotate / revoke / delete).

Compliance roadmap

We're being honest about where we are versus where we're going. No fake badges.

  • SOC 2 Type II (in progress): Target: Q3 2026. Controls implemented; currently in observation window.
  • DPAs (available): Data Processing Agreements available on request for all customers.
  • Custom data residency (available): On the Enterprise tier — specify the region your vaults live in.
  • GDPR / HIPAA inquiries (on request): Reach out if you have specific compliance questions for your vertical.

Incident response

We monitor production 24/7 via automated alerting. In the event of a security incident affecting customer data:

  • Affected enterprise customers are notified within 72 hours (or sooner when required by contract).
  • Post-mortem published to impacted accounts with root cause and remediation.
  • Security issues can be reported privately to [email protected].

Security questions?

Security reports, compliance questionnaires, DPA requests — send them our way.

[email protected]
