Security
Engrams stores your most sensitive AI context — decisions, project state, learnings, session history. Here is how we protect it.
Encryption
In transit: Yes
All traffic uses TLS 1.2+ (HTTPS). HSTS enforced with 2-year max-age, includeSubDomains, and preload.
At rest: Yes
All data stored in Supabase (PostgreSQL) with AES-256 encryption at rest. Backups encrypted. Managed by Supabase on AWS infrastructure.
Access control
Authentication
API key (SHA-256 hashed, never stored in plain text) or OAuth 2.1 via MCP connectors. Magic link email login — no passwords stored.
Authorization
Every API call is scoped to the authenticated account. You can only access your own projects and memories. Shared projects require explicit invite and acceptance.
API key security
Keys are generated with cryptographically secure randomness (256-bit). Only the SHA-256 hash is stored — the raw key is shown once at account creation and never again.
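As an added illustration of the scheme described above (example code, not Engrams' own implementation), the following Python generates a 256-bit key from a CSPRNG, persists only its SHA-256 digest, and verifies a presented key by re-hashing it; the function names and the in-memory KEY_STORE are assumptions standing in for a real database table.

```python
import hashlib
import secrets

# Hypothetical store: sha256 hex digest -> account_id. In production this is an
# indexed database column; the raw key is never written anywhere server-side.
KEY_STORE = {}


def _digest(raw_key: str) -> str:
    """Deterministic one-way fingerprint of the key.

    A plain SHA-256 (no salt, no slow KDF) is sufficient here, unlike for
    passwords, because the key carries 256 bits of random entropy and cannot
    be brute-forced from a leaked digest.
    """
    return hashlib.sha256(raw_key.encode("utf-8")).hexdigest()


def new_api_key(account_id: str) -> str:
    """Create a key for account_id and return the raw key exactly once.

    Only the digest is stored; the caller must show the raw value to the user
    now, because it cannot be recovered from KEY_STORE later.
    """
    raw_key = secrets.token_urlsafe(32)  # 32 random bytes = 256 bits
    KEY_STORE[_digest(raw_key)] = account_id
    return raw_key


def verify_api_key(presented_key: str):
    """Return the owning account_id, or None if the key is unknown.

    The presented key is hashed and looked up by digest, so a database leak
    exposes only fingerprints, not usable credentials.
    """
    return KEY_STORE.get(_digest(presented_key))
```

Every subsequent request would then be scoped to the account_id this lookup returns, which is the basis for the account isolation described below.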
Data isolation
Account isolation
All database queries filter by account_id. There is no path to access another account's data through the API. Shared projects are opt-in per project, per person.
Project isolation
Memories are scoped to projects. Projects are scoped to accounts. Cross-project recall is limited to your own account.
Infrastructure
| Component | Provider | Location |
| --- | --- | --- |
| Application | Vercel (serverless) | AWS, auto-routed |
| Database | Supabase (PostgreSQL) | AWS (eu-west-1) |
| Embeddings | OpenAI (text-embedding-3-small) | OpenAI API |
| Email | Resend | AWS SES |
| Payments | Stripe | Stripe infrastructure |
HTTP security headers
| Header | Value |
| --- | --- |
| Strict-Transport-Security | max-age=63072000; includeSubDomains; preload |
| X-Content-Type-Options | nosniff |
| X-Frame-Options | DENY |
| Referrer-Policy | strict-origin-when-cross-origin |
What we do NOT store
Telemetry
Usage telemetry logs event types and counts only. We never log memory content, project names, API key fragments, or query text.
Passwords
We use magic link authentication. No passwords are ever stored or transmitted.
Data ownership
Your data is yours
You can export all your data at any time. Deleting your account removes all memories, projects, and usage history permanently. We do not sell, share, or use your data to train models.
Questions about security? Write to hello@engrams.app. If you need a DPA or have enterprise compliance requirements, let us know.