Security & compliance

Your strategic memory contains your most sensitive thinking — decisions in progress, competitive context, team dynamics. We treat it accordingly. This page explains exactly what we do to protect it, why each measure matters, and what we expect from you in return.

We only store what you explicitly give us

Mnemo has no access to your email, calendar, Slack, GitHub, or any other application. The safest data is data we never collected in the first place. OAuth integrations are used for login and identity verification only — we never request calendar read, contact sync, or message access. Everything Mnemo stores is something you deliberately logged through the MCP tools or portal. There is no background ingestion, no silent sync, no ambient data collection.

What we store and why

  • Your decisions and memory: Only what you explicitly enter — decisions, threads, context, and metadata you choose to store. This is the product; it never leaves your profile without your action.
  • Account credentials: Your name, email, and organization for identity. Passwords are hashed with a one-way function — we cannot recover or read your password, only verify it. MFA seeds and passkey IDs are stored so you can authenticate securely.
  • Usage data: API calls, feature interactions, login events, and performance metrics. We use this to fix bugs and improve the product — it is not linked to your content.
  • Audit logs: A record of authentication events, admin actions, and sensitive operations. This protects you — if someone accesses your account without authorization, the evidence is there. Personal details in audit logs are automatically purged 30 days after account deletion.
  • Session state: Temporary tokens and preferences that keep you logged in. These expire automatically and are cleared completely on logout.

What we will never do: sell your data, train AI models on your decisions, share your content with third parties, or use your strategic memory for any purpose beyond delivering the service to you.

Your data is encrypted everywhere it travels and rests

  • In transit: Every byte between your device and our servers is encrypted with TLS — the same standard used by banks and governments. Eavesdropping on a connection tells an attacker nothing readable.
  • At rest: Your decisions and sensitive data are encrypted with AES-256-GCM, individually keyed per profile. Even if someone obtained a raw database backup, they would see ciphertext, not your content. On Free, Pro, and Business plans, Mnemo manages the keys. On Enterprise, you can bring your own (CMEK) or encrypt client-side so Mnemo never holds the key at all (Privacy Mode).
  • API tokens: Shown to you once at creation, then stored only as a secure hash. If our database were ever compromised, stolen token hashes cannot be used to authenticate. You can revoke any token instantly — compromised device, lost laptop, departing employee — access is cut off within seconds.

A stolen password is not enough to get in

  • Multi-factor authentication: Even if your password is exposed in a breach somewhere, an attacker still needs your second factor — a TOTP code from your authenticator app or an SMS code. MFA can be enforced org-wide so no team member can disable it.
  • Passkeys (passwordless): Passkeys use the cryptographic chip in your device — they cannot be phished, guessed, or stolen remotely. Supported on all tiers and synced securely across your devices.
  • Scoped, short-lived tokens: API tokens are limited to specific capabilities and can carry IP or expiration restrictions. A token leaked from one context cannot be used to reach everything. Each token is independently revocable.
  • Session expiration and audit: Sessions time out automatically. Every login, token use, and permission change is logged. You can review your own activity log and spot anything unexpected.

Defense against attacks — including AI-specific threats

Most security pages list generic protections. Mnemo handles sensitive AI agent context, which introduces risks that traditional products don't face. Here is what we defend against and how.

  • Brute-force and credential stuffing: Repeated failed login attempts trigger rate limiting and account lockout. Automated attacks exhaust their budget and stop before any account is reached.
  • Injection attacks: All user input is validated and sanitized before it touches the database or gets returned to a browser. SQL injection and XSS are structurally prevented, not just filtered.
  • Prompt injection: A sophisticated attacker might try to hide instructions inside a stored decision — hoping an AI agent will later act on them instead of your real intent. Mnemo detects and quarantines suspicious writes, excludes them from AI context assembly, and escalates write restrictions on repeated attempts. Your AI agent acts on your decisions, not an attacker's.
  • Compromised third-party libraries: The software libraries we depend on can themselves carry hidden vulnerabilities. We run automated dependency scanning (pip-audit) on every build. Critical and high CVEs are a blocking gate — code with a known vulnerable dependency cannot ship.
  • Browser-based attacks: Security headers prevent clickjacking, MIME sniffing, and cross-site attacks. Content Security Policy blocks unauthorized script execution.

Independent MCP security verification

We run the Mnemo MCP server through the CoSAI/OASIS MCP Security Framework — the emerging industry standard for AI agent interface security. The framework defines 12 threat categories (T1–T12) covering authentication, access control, data protection, input validation, resource limits, and supply chain integrity. Here are the results of our most recent scan.

Most recent scan results: 0 critical findings, 0 high findings, 16 categories passed.

What the framework verifies:

  • Authentication (T1): Every tool call requires a valid bearer token. Unauthenticated requests are rejected at the transport layer before any handler code runs.
  • Access control (T2): Tool permissions are bound to the authenticated session identity. No tool argument can redirect a call to a different user's data — the profile is always derived from the token, never from what the caller claims.
  • Input validation (T3): Shell injection, path traversal, and command substitution attempts are structurally blocked. Mnemo tools have no shell-accessible parameters.
  • Data protection (T5): API keys, bearer tokens, and secrets are never echoed in tool responses, regardless of what arguments are supplied.
  • Integrity verification (T6): The tool manifest is stable across calls. Runtime shadowing or tool-list substitution is not possible.
  • Network binding (T8): No Mnemo tool accepts a URL parameter, eliminating the server-side request forgery (SSRF) attack surface entirely.
  • Resource management (T10): Per-session call budgets, loop detection, and token cost caps are enforced at runtime — a runaway agent cannot exhaust the service or your quota.
  • Supply chain (T11): Unknown or unlisted tool names are rejected with the correct JSON-RPC −32601 error code, not silently accepted or partially executed.

On "inconclusive" results: 17 of the scan's probes are marked inconclusive — not failing. These probes inject malicious arguments (shell commands, path traversal strings, SSRF URLs) that cannot reach the security layer in Mnemo because our tool schemas have no cmd, path, or url parameters. The scanner correctly marks itself inconclusive when schema validation blocks the probe before any security check is reached. Tight schema design is intentional — it eliminates attack surface at the definition layer, before runtime defenses are even needed. We publish this detail because we believe AI security should be verifiable, not just claimed.

Most recent scan: April 2026. Framework: CoSAI/OASIS MCP Security Framework T1–T12.

Enterprise security controls

Below is the full control inventory for enterprise evaluations. Each row explains what the control does and why it matters for your organization.

  • Encryption in transit ✓: All traffic encrypted with TLS 1.2+. Data is unreadable to anyone observing the network.
  • Encryption at rest ✓: AES-256-GCM per-profile envelope encryption. A database breach exposes ciphertext, not your content.
  • Multi-factor authentication ✓: TOTP + SMS; org-wide MFA enforcement available. A compromised password alone cannot unlock an account.
  • MFA recovery & break-glass ✓: Tiered admin recovery protocol with super-admin escalation. You can recover access without losing the security guarantee.
  • Passkey login (WebAuthn) ✓: Device-bound cryptographic keys; all tiers. Phishing-resistant by design — there is no password to steal.
  • Role-based access control ✓: 11 granular roles with 25+ permissions; org admin management. Team members see only what their role permits — accidental or deliberate over-access is prevented by default.
  • SSO & identity federation ✓: OIDC + SAML 2.0 SP. Connect Mnemo to your existing identity provider — Okta, Azure AD, Google Workspace. Employees authenticate with the same credentials they use everywhere else, and deprovisioning in your IdP immediately revokes Mnemo access.
  • Automated user provisioning ✓: SCIM RFC 7644 (Okta-validated). When you add or remove a user in your IdP, Mnemo updates automatically. No manual off-boarding gaps.
  • Customer-managed encryption (CMEK) ✓: Enterprise only: bring your own KMS key (GCP, AWS, Azure). You control the encryption key that protects your data. Revoke it and Mnemo cannot decrypt anything — within minutes, your data is inaccessible even to us.
  • Privacy Mode (zero-knowledge encryption) ✓: Enterprise only: client-side encryption derived from your passkey via Argon2id. Mnemo never holds a key that can decrypt your content. Even a full server compromise exposes only ciphertext.
  • Audit logging ✓: Tamper-evident, INSERT-only logs for all authentication, admin, and org actions. If anything happens to your account, there is a verifiable record of exactly what occurred and when. Logs include PII scrubbing (no email addresses or API keys stored), hash-chain integrity validation (detect tampering immediately), and background worker health monitoring (audit logs flushed every 2 seconds).
  • Destructive operation confirmation tokens ✓: Two-stage confirm pattern for irreversible operations (deletion, import, policy changes). Preview phase shows impact; execution requires a cryptographically-signed, single-use token (5-minute validity). Replays are structurally prevented via atomic token consumption. Supports compliance with SOC 2 non-repudiation requirements.
  • AI tool-call attestation: You should be able to verify that what your AI agent did was what you authorized. Every MCP tool call is written to a cryptographic chain — each event is HMAC-signed and linked to the previous, so any deletion or alteration breaks the chain and is detected automatically. At the end of each session, the complete log is sealed with a Cloud KMS asymmetric key (EC P-256), producing a tamper-evident signature stored permanently in the database. Sessions left open are sealed automatically by a background job, closing the window between an action and its signed proof. This implementation aligns with the CoSAI/OASIS MCP Security Framework for AI agent accountability.
  • Supply chain security ✓: Automated CVE scanning (pip-audit) on every CI build; critical and high findings block the release. The libraries we depend on are a part of our attack surface — we treat them as such.
  • MCP protocol security scanning ✓: The Mnemo MCP server is tested against the CoSAI/OASIS MCP Security Framework (T1–T12 threat categories). Most recent scan: 0 critical, 0 high findings; 16 threat categories verified clean (April 2026).
  • Token management ✓: Time-limited, scoped, individually revocable API tokens. A token lost or shared by accident can be killed instantly without affecting other sessions.
  • Brute-force protection ✓: Rate limiting with progressive account lockout. Automated credential attacks are cut off before they reach a real account.
  • Data isolation ✓: Row-level security at the database layer; org-level isolation enforced in every query. One tenant cannot access another's data — even in the event of an application bug.
  • Data deletion & compliance ✓: User-initiated deletion with complete purge; GDPR right-to-be-forgotten; 30-day disaster-recovery retention window before permanent erasure. Your data is gone when you say it is.
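The two-stage confirmation-token pattern described under "Destructive operation confirmation tokens" above, as an added illustration that is not Mnemo's code: a preview returns a signed, single-use token bound to one exact request and valid for 5 minutes, and execution consumes it under a lock so a concurrent replay cannot succeed. The signing key, claim names, operation names and the injectable clock are constructed for this example.

```python
"""Two-stage confirm for irreversible operations: preview issues a signed,
single-use token; execute verifies, checks expiry, and consumes it atomically.
Added example; key, claim names and operation names are constructed."""
import base64
import hashlib
import hmac
import json
import secrets
import threading
import time

TOKEN_TTL_SECONDS = 300  # the 5-minute validity window described on the page


class ConfirmationTokens:
    def __init__(self, signing_key: bytes, now=time.time):
        self._key = signing_key
        self._now = now  # injectable clock so expiry can be exercised deterministically
        self._consumed = set()  # jti values already spent (would be a DB table in production)
        self._lock = threading.Lock()

    def _sign(self, payload: bytes) -> str:
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def preview(self, actor: str, operation: str, target: str, impact: dict) -> dict:
        """Stage 1: show the impact and return a token bound to this exact request."""
        claims = {"jti": secrets.token_hex(16), "actor": actor, "op": operation,
                  "target": target, "exp": int(self._now()) + TOKEN_TTL_SECONDS}
        payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
        token = base64.urlsafe_b64encode(payload).decode() + "." + self._sign(payload)
        return {"impact": impact, "confirm_token": token}

    def execute(self, actor: str, operation: str, target: str, token: str) -> str:
        """Stage 2: run only if the token is authentic, unexpired, unused and for this request."""
        try:
            payload_b64, sig = token.split(".", 1)
            payload = base64.urlsafe_b64decode(payload_b64)
        except ValueError:  # covers bad split and binascii.Error from malformed base64
            return "rejected: malformed"
        if not hmac.compare_digest(self._sign(payload), sig):
            return "rejected: bad signature"
        claims = json.loads(payload)
        if (claims["actor"], claims["op"], claims["target"]) != (actor, operation, target):
            return "rejected: token bound to a different request"
        if self._now() > claims["exp"]:
            return "rejected: expired"
        with self._lock:  # check-and-consume is atomic, so a replay never wins the race
            if claims["jti"] in self._consumed:
                return "rejected: replay"
            self._consumed.add(claims["jti"])
        return f"executed {operation} on {target}"
```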
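The HMAC-linked tool-call chain described under "AI tool-call attestation" above, as an added illustration that is not Mnemo's code: each event's tag is an HMAC over the previous tag and the event body, verification is fail-closed (nothing past the first broken link is trusted), and the final link is the value a KMS signature would seal at session end. The session key, field names and sample tool names are constructed for this example.

```python
"""Hash-chained, HMAC-signed tool-call log with fail-closed verification.
Added example; key, field names and sample events are constructed."""
import hashlib
import hmac
import json

GENESIS = b"\x00" * 32  # constructed link value for the first event of a session


def _canonical(event: dict) -> bytes:
    # Stable serialization so an event always hashes to the same bytes.
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def append_event(chain: list, session_key: bytes, event: dict) -> dict:
    """Append `event`, tagged with HMAC-SHA256(key, previous_tag || body)."""
    prev_tag = bytes.fromhex(chain[-1]["tag"]) if chain else GENESIS
    body = {**event, "seq": len(chain)}
    tag = hmac.new(session_key, prev_tag + _canonical(body), hashlib.sha256).hexdigest()
    entry = {**body, "tag": tag}
    chain.append(entry)
    return entry


def verify_chain(chain: list, session_key: bytes) -> tuple:
    """Return (ok, first_bad_index); first_bad_index is -1 when every link holds.
    Fail-closed: nothing after the first broken link is trusted."""
    prev_tag = GENESIS
    for i, entry in enumerate(chain):
        body = {k: v for k, v in entry.items() if k != "tag"}
        if body.get("seq") != i:  # a deleted or reordered event shows up here
            return False, i
        expected = hmac.new(session_key, prev_tag + _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, entry["tag"]):
            return False, i
        prev_tag = bytes.fromhex(entry["tag"])
    return True, -1


def seal_digest(chain: list) -> str:
    """Digest of the final link: the value a KMS asymmetric key would sign at session end."""
    last = bytes.fromhex(chain[-1]["tag"]) if chain else GENESIS
    return hashlib.sha256(last).hexdigest()


def demo() -> dict:
    key = b"constructed-per-session-key"  # constructed; in practice from a secret store
    chain = []
    for tool in ("list_decisions", "log_decision", "delete_decision"):
        append_event(chain, key, {"tool": tool, "profile": "p-123"})
    edited = [dict(e) for e in chain]
    edited[1]["tool"] = "read_only_noop"  # after-the-fact rewrite of what the agent did
    deleted = chain[:1] + chain[2:]  # one event silently removed from the record
    return {
        "intact": verify_chain(chain, key),
        "edited": verify_chain(edited, key),
        "deleted": verify_chain(deleted, key),
        "seal": seal_digest(chain),
    }
```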

Taking control of your own encryption keys

Every Mnemo account includes AES-256-GCM encryption by default. Enterprise customers can go further — either by bringing their own key so they hold the kill switch, or by encrypting client-side so the key never leaves their devices.

Privacy Mode — zero-knowledge encryption

In Privacy Mode, your data is encrypted on your device before it leaves. Mnemo stores only ciphertext — we have no ability to read your decisions regardless of what happens on our infrastructure. This is the strongest privacy guarantee available.

  • Who it's for: Enterprise plan. Activate in Settings → Encryption → Enable Privacy Mode.
  • Setup: Create a strong passphrase. It is never sent to Mnemo — it is stored securely in your device keychain and used locally to derive your encryption key.
  • Cross-device: Your passphrase syncs via iCloud Keychain (Apple) or your browser's password manager. One-time entry on each new device.
  • Trade-off: Because Mnemo cannot decrypt your content server-side, scheduled features (morning brief, weekly review) run on-demand, and server-side search is metadata-only.

Customer-Managed Encryption Keys (CMEK)

With CMEK, Mnemo encrypts your data using a key that lives in your cloud account — not ours. You hold the kill switch: disable the key in your KMS and we cannot decrypt anything within minutes.

  • Who it's for: Enterprise plan. Activate in Settings → Encryption → Configure CMEK.
  • Setup: Connect your GCP Cloud KMS, AWS KMS, or Azure Key Vault. Mnemo will use your key for all encryption and decryption operations.
  • Control: Every decryption event is logged in your cloud account, not just ours. You can audit who accessed what independently of Mnemo.
  • Trade-off: None. All features work identically. Your key stays in your cloud account; Mnemo never stores it.

Your data belongs to you

  • Export anytime: Download all your decisions, threads, and metadata in standard formats whenever you want. You are never locked in.
  • Delete completely: Delete your account and all associated data instantly. Deletion is irreversible — we do not keep a shadow copy.
  • 30-day disaster-recovery window: For platform-level recovery (not individual user recovery), deleted data is retained for 30 days in encrypted backups before permanent erasure.
  • Your data is not our product: We do not sell, license, or share your data. We do not train AI models on your decisions. Revenue comes from subscriptions — not from your content.

Security roadmap — our track record and what's next

Security is not a launch checklist — it is an ongoing practice. Here is what we have shipped and what is coming.

  • 2026 Q2 (Shipped): Multi-factor authentication (TOTP + SMS) with secure break-glass recovery; 11-role RBAC with org admin management; INSERT-only tamper-evident audit logging with PII scrubbing and hash-chain integrity validation; confirmation tokens for destructive operations (single-use, replay-protected, atomic); customer-managed encryption (CMEK); OIDC + SAML 2.0 enterprise SSO; SCIM automated provisioning; passkey cross-device support; zero-knowledge Privacy Mode; Cloud KMS asymmetric AI session sealing with persisted signatures; fail-closed chain integrity verification; automated stale-session sealing; velocity-based tool-call rate limiting; prompt injection quarantine and scope drift detection; automated CVE scanning (pip-audit) in CI.
  • 2026 Q2–Q3 (In progress): SOC 2 Type II compliance audit, GDPR Data Processing Agreement, third-party penetration test.
  • Coming next: Full behavioral anomaly baseline with automated response (advisory-mode detection shipped now); automated key rotation policies; team-level encryption scoping; zero-trust architecture hardening.

What we each protect

No vendor can fully secure a system without the customer's participation. We handle everything on our side; a few important things are in your hands. This table shows the split clearly so there are no surprises.

Responsibility: Mnemo / You

Infrastructure & Availability
  • Database infrastructure, availability, failover
  • Platform uptime SLA (99.9% monthly target)
  • Server patching and OS security
  • Network security, DDoS mitigation

Data Security
  • Encryption in transit (TLS 1.2+) and at rest (AES-256-GCM)
  • Database access controls (row-level security, least privilege)
  • Security hardening (CSP, CSRF, XSS headers)
  • Audit logging of authentication and admin events

Access Management
  • MCP token generation, rotation, and revocation tooling
  • Multi-slot token management UI
  • Keeping MCP tokens private and unshared
  • Revoking tokens when a device is lost or an employee leaves
  • Choosing strong passwords and enabling MFA for portal access
  • Who you grant access to your profile or team

Data Content & Quality
  • What sessions, decisions, and threads you log
  • Accuracy of the data you store
  • Not ingesting data you do not have rights to store

Continuity & Recovery
  • Platform-level disaster recovery and operational backups
  • Data export tooling (one-click archive): Mnemo ✅ (tooling), You ✅ (initiate)
  • Periodic personal exports as your own continuity measure
  • Recovery from user-initiated data deletion

Platform backups are for operational recovery (e.g., database corruption) — they are not accessible to individual users for personal data recovery. For user-controlled backup and restore, see the Backup add-on on paid plans.

Compliance and regulatory frameworks

If your organization operates under GDPR, CCPA, SOC 2, or HIPAA, here is how Mnemo fits into your compliance posture.

  • GDPR. What Mnemo provides: we act as a data processor, and we provide export (Art. 20), deletion (Art. 17), and breach notification within 72 hours (Art. 33/34). What you are responsible for: you are the data controller for what you choose to store, and you are responsible for your own lawful basis for processing.
  • CCPA. What Mnemo provides: we support data access and deletion requests on your behalf. What you are responsible for: if you use Mnemo to process California resident data, you are responsible for your own CCPA obligations.
  • SOC 2. What Mnemo provides: controls documentation available on request (enterprise); Type II audit in progress. What you are responsible for: your own SOC 2 scope and controls.
  • HIPAA. What Mnemo provides: Mnemo is not a covered entity by default; a Business Associate Agreement (BAA) is available on Enterprise. What you are responsible for: do not store protected health information (PHI) without a signed BAA in place.

Do not store in Mnemo without a signed enterprise agreement: protected health information (PHI), payment card data (PCI scope), government-issued ID numbers, or data subject to export controls (ITAR/EAR).

If something goes wrong

If Mnemo detects a breach affecting your data

We will not sit on a breach notice. Our commitments:

  • Notify you within 72 hours of discovery — meeting the GDPR Article 33/34 timeline
  • Tell you specifically what data was affected, when it happened, how, and what we are doing about it
  • Revoke all compromised tokens automatically on confirmation so an attacker cannot continue using them
  • Publish a full post-incident report within 30 days

If you suspect your account is compromised

Act immediately — every minute a compromised token is live is a minute of exposure:

  1. Revoke all MCP tokens — Portal → Security → Revoke All Tokens
  2. Change your portal password
  3. Review your activity log for anything unexpected — Portal → Activity
  4. Contact support@mnemo.app — we can help investigate and lock down the account

Security questionnaire or enterprise audit?

We are happy to complete security questionnaires, share controls documentation, or walk through our architecture with your security team. Email support@mnemo.app with your requirements and timeline.