# Security

## Tenant Isolation

Every API key is bound to a unique organization_id. All database queries are scoped to your organization. There is no way to access another tenant's data.

```text
Your API key → organization_id → all queries filtered by org_id
```

Atoms, Hebbian edges, consolidation runs, and usage metrics are all isolated per tenant.
## API Key Security

- API keys are hashed (SHA-256) before storage. We never store plaintext keys.
- Key comparison uses constant-time comparison (`secrets.compare_digest`) to prevent timing attacks.
- Keys are shown exactly once at creation. If lost, revoke and create a new one.
- Key prefix (`mk_live_...`) is stored for identification without exposing the full key.
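The key lifecycle and the tenant scoping described in the two sections above, written out as an added example (this is not the service's own code). It assumes an in-memory SQLite database standing in for the real one, a display prefix of `mk_live_` plus six characters, and that revocation is done by that display prefix; only the SHA-256 digest and the display prefix are persisted, the plaintext key is returned once, candidate rows are matched with `secrets.compare_digest`, and every data query carries the `organization_id` resolved from the key rather than one supplied by the caller.

```python
import hashlib
import secrets
import sqlite3

KEY_PREFIX = "mk_live_"            # prefix format from the page
DISPLAY_CHARS = len(KEY_PREFIX) + 6  # assumption: prefix plus 6 chars is what a dashboard shows


def open_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the real database."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE api_keys (
            key_hash        TEXT PRIMARY KEY,   -- SHA-256 hex digest, never the plaintext key
            key_prefix      TEXT NOT NULL,      -- e.g. mk_live_a1b2c3, safe to display
            organization_id TEXT NOT NULL,
            revoked         INTEGER NOT NULL DEFAULT 0
        );
        CREATE TABLE atoms (
            id              INTEGER PRIMARY KEY,
            organization_id TEXT NOT NULL,
            content         TEXT NOT NULL
        );
    """)
    return db


def hash_key(api_key: str) -> str:
    return hashlib.sha256(api_key.encode("utf-8")).hexdigest()


def create_key(db: sqlite3.Connection, organization_id: str) -> str:
    """Mint a key for an organization. The plaintext is returned exactly once;
    only its hash and display prefix are stored."""
    api_key = KEY_PREFIX + secrets.token_urlsafe(32)
    db.execute(
        "INSERT INTO api_keys (key_hash, key_prefix, organization_id) VALUES (?, ?, ?)",
        (hash_key(api_key), api_key[:DISPLAY_CHARS], organization_id),
    )
    return api_key


def revoke_key(db: sqlite3.Connection, key_prefix: str, organization_id: str) -> None:
    """A lost key cannot be presented, so revocation goes by display prefix (assumption)."""
    db.execute(
        "UPDATE api_keys SET revoked = 1 WHERE key_prefix = ? AND organization_id = ?",
        (key_prefix, organization_id),
    )


def authenticate(db: sqlite3.Connection, presented_key: str):
    """Resolve a presented key to its organization_id, or None.
    Candidates are selected by display prefix; the digest comparison uses
    secrets.compare_digest and loops over every candidate without an early
    return, so timing does not depend on how much of the secret matched."""
    if not presented_key.startswith(KEY_PREFIX):
        return None
    presented_hash = hash_key(presented_key)
    rows = db.execute(
        "SELECT key_hash, organization_id FROM api_keys WHERE key_prefix = ? AND revoked = 0",
        (presented_key[:DISPLAY_CHARS],),
    ).fetchall()
    organization = None
    for key_hash, organization_id in rows:
        if secrets.compare_digest(key_hash, presented_hash):
            organization = organization_id
    return organization


def store_atom(db: sqlite3.Connection, organization_id: str, content: str) -> None:
    db.execute("INSERT INTO atoms (organization_id, content) VALUES (?, ?)", (organization_id, content))


def list_atoms(db: sqlite3.Connection, organization_id: str) -> list:
    """Every data query carries the organization filter derived from the key."""
    rows = db.execute(
        "SELECT content FROM atoms WHERE organization_id = ? ORDER BY id", (organization_id,)
    ).fetchall()
    return [content for (content,) in rows]


def demo() -> dict:
    db = open_db()
    key_a = create_key(db, "org_a")
    key_b = create_key(db, "org_b")
    store_atom(db, authenticate(db, key_a), "alpha")
    store_atom(db, authenticate(db, key_b), "beta")
    a_sees = list_atoms(db, authenticate(db, key_a))
    b_sees = list_atoms(db, authenticate(db, key_b))
    revoke_key(db, key_b[:DISPLAY_CHARS], "org_b")
    return {
        "a_sees": a_sees,                       # ["alpha"]: org_a never sees org_b's atom
        "b_sees": b_sees,                       # ["beta"]
        "bogus": authenticate(db, KEY_PREFIX + "not-a-real-key"),  # None
        "after_revoke": authenticate(db, key_b),                   # None
        "plaintext_rows": db.execute(
            "SELECT COUNT(*) FROM api_keys WHERE key_hash = ?", (key_a,)
        ).fetchone()[0],                        # 0: the plaintext is never in the table
    }


if __name__ == "__main__":
    print(demo())
```

The shape to keep in mind when reading this: the caller never passes an `organization_id`; it is derived from the key inside `authenticate`, and every query after that point takes it as a bound parameter, which is what makes "all queries filtered by org_id" a property of the code path rather than of each endpoint author remembering to add the filter.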
## Data Privacy
- We do not train on your data. Your memories are used solely to serve your queries.
- No cross-tenant learning. Hebbian associations and valence updates are per-tenant.
## Transport Security
All API traffic uses HTTPS.
## Rate Limiting
Per-tenant rate limiting prevents abuse:
| Plan | Requests/min | Daily queries | Stored atoms |
|---|---|---|---|
| Free | 60 | 1,000 | 10,000 |
| Pro | 600 | 50,000 | 500,000 |
| Team | 3,000 | 500,000 | 5,000,000 |
Exceeding a limit returns HTTP 429 with a Retry-After header.
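A per-tenant limiter for the requests-per-minute column of the table above, as an added example rather than the service's own implementation. It assumes a sliding 60-second window, in-memory state keyed by organization_id (a multi-node deployment would hold this in a shared store), and an injectable clock so the behaviour can be checked without waiting; the Retry-After value is the whole number of seconds until the oldest request in the window expires.

```python
import math
import time
from collections import deque

# Requests/min limits from the plan table on this page
PLAN_LIMITS = {"free": 60, "pro": 600, "team": 3000}


class TenantRateLimiter:
    """Sliding-window limiter: one deque of request timestamps per organization."""

    def __init__(self, window_seconds: float = 60.0, clock=time.monotonic):
        self.window = window_seconds
        self.clock = clock          # injectable clock (assumption, for testing)
        self._hits = {}             # organization_id -> deque of timestamps

    def check(self, organization_id: str, plan: str):
        """Return (status_code, headers): 200 admits the request, 429 rejects it
        with Retry-After set to the seconds until a slot frees up."""
        now = self.clock()
        limit = PLAN_LIMITS[plan]
        hits = self._hits.setdefault(organization_id, deque())
        # Drop timestamps that have left the window
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        if len(hits) >= limit:
            retry_after = math.ceil(self.window - (now - hits[0]))
            return 429, {"Retry-After": str(max(retry_after, 1))}
        hits.append(now)
        return 200, {}


def demo() -> dict:
    """Constructed scenario: a free-plan tenant sends 61 requests at once."""
    fake_now = [1000.0]
    limiter = TenantRateLimiter(clock=lambda: fake_now[0])
    first_60 = [limiter.check("org_free", "free")[0] for _ in range(60)]
    status_61, headers_61 = limiter.check("org_free", "free")
    fake_now[0] += 30                       # half the window later: still blocked
    status_later, headers_later = limiter.check("org_free", "free")
    other_tenant = limiter.check("org_other", "free")[0]   # separate bucket, unaffected
    fake_now[0] += 30.5                     # oldest hit has now aged out
    status_after_window = limiter.check("org_free", "free")[0]
    return {
        "first_60": first_60,                         # all 200
        "status_61": status_61,                       # 429
        "retry_61": headers_61["Retry-After"],        # "60"
        "status_later": status_later,                 # 429
        "retry_later": headers_later["Retry-After"],  # "30"
        "other_tenant": other_tenant,                 # 200
        "status_after_window": status_after_window,   # 200
    }


if __name__ == "__main__":
    print(demo())
```

The limiter is keyed by organization_id, not by API key or client IP, so a tenant with several keys shares one budget and one tenant's burst cannot consume another's; a client that honours Retry-After will back off exactly long enough for a slot to reopen.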
## Infrastructure
- Database: PostgreSQL 17 with pgvector extension
- Hosting: Railway (US region)
## Reporting Security Issues
Report vulnerabilities to [email protected].