Security
Last updated April 15, 2026
OraMemory was built on a single principle: your AI's memory is your data. Here is how we protect it.
Local-first architecture
The Free tier never connects to our servers. Memories live in a SQLite file on your machine. We can't see them, leak them, or be subpoenaed for them.
Encryption
- TLS 1.3 for every API request.
- AES-256 at rest for managed databases.
- Pro tier supports BYOK (bring your own key) via AWS KMS.
Authentication
API keys are SHA-256 hashed at rest. The plaintext key is shown exactly once, at creation. Lost keys can only be rotated, never recovered.
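The scheme described above, as an added example that is not OraMemory's own code: the `KeyStore` class, the `ora_` prefix, the 32-byte key length and the in-memory dict are assumptions standing in for the real key table. It shows why a lost key cannot be recovered (only the digest is stored) and why rotation is the only remedy.

```python
import hashlib
import hmac
import secrets

KEY_PREFIX = "ora_"  # hypothetical prefix, not taken from the page


class KeyStore:
    """In-memory stand-in for a server-side API key table (assumed design)."""

    def __init__(self):
        self._by_digest = {}  # SHA-256 hex digest -> project ID

    @staticmethod
    def _digest(plaintext: str) -> str:
        return hashlib.sha256(plaintext.encode("utf-8")).hexdigest()

    def issue(self, project_id: str) -> str:
        # 32 random bytes: the key's entropy is what makes a fast, unsalted
        # hash acceptable here, unlike for human-chosen passwords.
        plaintext = KEY_PREFIX + secrets.token_urlsafe(32)
        self._by_digest[self._digest(plaintext)] = project_id
        return plaintext  # the only moment the plaintext exists server-side

    def verify(self, presented: str):
        """Return the project ID for a valid key, or None."""
        digest = self._digest(presented)
        for stored, project_id in self._by_digest.items():
            # Constant-time comparison of the two hex digests.
            if hmac.compare_digest(stored, digest):
                return project_id
        return None

    def rotate(self, project_id: str) -> str:
        """Revoke every key of the project and issue a fresh one."""
        self._by_digest = {
            d: p for d, p in self._by_digest.items() if p != project_id
        }
        return self.issue(project_id)

    def stored_values(self):
        """What a database dump would expose: digests only."""
        return list(self._by_digest)


if __name__ == "__main__":
    store = KeyStore()
    key = store.issue("proj-demo")  # constructed project ID
    print("shown once:", key)
    print("at rest:   ", store.stored_values())
```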
Audit trail
Every add, update, and delete is recorded to an append-only log with the API key, timestamp, and content hash. Available via the dashboard or API.
Data isolation
Every query is scoped to your project ID. Cross-project access requires explicit configuration and is logged.
Backups
Managed Postgres is snapshotted nightly with 7 daily / 4 weekly / 3 monthly retention. Object storage is encrypted server-side.
Compliance roadmap
- SOC 2 Type II — in progress, target end of 2026.
- HIPAA BAA — available on Enterprise.
- GDPR — yes; data residency on Enterprise.
Reporting a vulnerability
Email security@oramemory.com. We respond within 48 hours and credit researchers in our hall of fame.