Security
How OraMemory protects your AI memory data.
Local-first option
The Free tier never touches our servers. Memories live in a SQLite file on your machine. We can't see them, leak them, or be subpoenaed for them.
Transport & at-rest encryption
- TLS 1.3 for every managed-API request.
- AES-256 at rest for managed databases (Postgres + object storage).
- BYOK (bring your own key) on Pro and Enterprise via AWS KMS — OraMemory servers never see your plaintext data at rest.
API keys
Stored as SHA-256 hashes. The plaintext is displayed exactly once, at creation. Lost keys can only be rotated, never recovered.
Every key carries an environment tag (om_live_ or om_test_) and a per-project rate limit. Revoke any key from the dashboard; revocation takes effect within seconds.
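A sketch of hash-only key storage as described above, added here as an illustration and not OraMemory's own code. The key layout (prefix, lookup ID, random secret), the `KeyStore` class and the in-memory dict are assumptions; only the om_live_/om_test_ tags and the SHA-256 storage come from this page.

```python
import hashlib
import hmac
import secrets

PREFIXES = ("om_live_", "om_test_")  # environment tags named on this page


class KeyStore:
    """Hypothetical in-memory store: key_id -> record holding only the hash."""

    def __init__(self):
        self._records = {}

    def create(self, project_id, env):
        prefix = f"om_{env}_"
        if prefix not in PREFIXES:
            raise ValueError("env must be 'live' or 'test'")
        key_id = secrets.token_hex(4)
        # Assumed layout: prefix + key_id + "_" + 32 random bytes (URL-safe).
        plaintext = f"{prefix}{key_id}_{secrets.token_urlsafe(32)}"
        # Unsalted SHA-256 is acceptable here only because the secret is
        # high-entropy random data, unlike a human-chosen password.
        self._records[key_id] = {
            "sha256": hashlib.sha256(plaintext.encode()).hexdigest(),
            "project_id": project_id, "env": env, "revoked": False,
        }
        return key_id, plaintext  # plaintext is returned once, never stored

    def revoke(self, key_id):
        self._records[key_id]["revoked"] = True

    def verify(self, presented):
        """Return (project_id, env) for a valid, unrevoked key, else None."""
        prefix = next((p for p in PREFIXES if presented.startswith(p)), None)
        if prefix is None:
            return None
        key_id, sep, _secret = presented[len(prefix):].partition("_")
        rec = self._records.get(key_id)
        if not sep or rec is None or rec["revoked"]:
            return None
        digest = hashlib.sha256(presented.encode()).hexdigest()
        # Constant-time comparison avoids leaking how many hash bytes matched.
        if not hmac.compare_digest(digest, rec["sha256"]):
            return None
        return rec["project_id"], rec["env"]
```

Because the environment tag is part of the hashed string, swapping om_live_ for om_test_ on a valid key changes the digest and the key is rejected.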
Audit trail
Every add, update, and delete is appended to memory_ops with:
- API key ID (hashed)
- Timestamp
- Agent / user / session context
- HTTP status + duration
- (Optional) content hash
Available via the dashboard Recent activity tab and via GET /v1/log (coming soon).
Data isolation
Every query is scoped to a project_id. Cross-project access is impossible without a valid API key for the target project.
Versioning
Every content change snapshots a new row in memory_versions. Your memories are never silently rewritten. Use GET /v1/memory/<id>/history to inspect.
Backups
Managed Postgres is snapshotted nightly with 7 daily / 4 weekly / 3 monthly retention. Object storage is encrypted server-side.
Compliance roadmap
- SOC 2 Type II — in progress, target end of 2026.
- HIPAA BAA — available on Enterprise.
- GDPR — yes. Data-residency on Enterprise.
Reporting a vulnerability
Email security@oramemory.com. We respond within 48 hours and credit responsible researchers.