This page covers everything an enterprise security review will ask about. If your specific question isn’t answered here, email [email protected].
Encryption
| Layer | Mechanism |
|---|---|
| In transit | TLS 1.3 on every connection (HTTPS for REST, mTLS-optional for gRPC) |
| At rest — application data | AES-256 on disk for vector store, graph store, and PostgreSQL |
| At rest — credentials | API keys are hashed with SHA-256 before storage. Plaintext keys are never persisted on the server side. |
| Backups | Encrypted with separate KMS-managed keys; backup-restore is audited |
All traffic between SDK and Synap Cloud is verified against pinned certificates. The SDK never falls back to plaintext if TLS negotiation fails.
Isolation model
Synap enforces isolation at three boundaries:
- Instance isolation — each Instance has its own logical storage namespace across vector, graph, and relational stores. Memories from one Instance are never queryable from another, even by accident, because every query is scoped to an Instance ID resolved server-side from your API key.
- Scope isolation — within an Instance, every memory is tagged with USER / CUSTOMER / CLIENT scope. A user-scoped retrieval never returns memories from a different user, regardless of similarity. See Memory Scopes.
- Network isolation — Synap Cloud runs in dedicated VPCs per region. Customer data never crosses regions.
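An added sketch, not Synap's code, of two properties stated on this page: only a SHA-256 digest of each API key is stored, and the Instance ID that filters a query comes from the key lookup rather than from the caller. The class names, the `sk_` key format, `owner_id`, and the sample IDs are assumptions made for illustration.

```python
import hashlib
import secrets


class KeyStore:
    """Maps SHA-256 digests of API keys to instance IDs; plaintext is never kept."""

    def __init__(self):
        self.digests = {}  # hex digest -> instance_id

    def issue(self, instance_id):
        api_key = "sk_" + secrets.token_urlsafe(32)  # constructed key format
        self.digests[hashlib.sha256(api_key.encode()).hexdigest()] = instance_id
        return api_key  # returned to the customer once, not stored

    def resolve(self, api_key):
        return self.digests.get(hashlib.sha256(api_key.encode()).hexdigest())


class MemoryStore:
    """Every row carries the instance ID; callers cannot name an instance themselves."""

    def __init__(self, keys):
        self.keys = keys
        self.rows = []  # (instance_id, scope, owner_id, text)

    def _instance_for(self, api_key):
        instance_id = self.keys.resolve(api_key)
        if instance_id is None:
            raise PermissionError("unknown API key")
        return instance_id

    def add(self, api_key, scope, owner_id, text):
        self.rows.append((self._instance_for(api_key), scope, owner_id, text))

    def query(self, api_key, scope, owner_id):
        # No instance parameter exists: the filter value comes only from the key lookup.
        instance_id = self._instance_for(api_key)
        return [t for (i, s, o, t) in self.rows
                if (i, s, o) == (instance_id, scope, owner_id)]


def demo():
    keys = KeyStore()
    store = MemoryStore(keys)
    key_a, key_b = keys.issue("inst_a"), keys.issue("inst_b")  # constructed IDs
    store.add(key_a, "USER", "u1", "prefers dark mode")  # constructed memory
    return {
        "same_instance_same_user": store.query(key_a, "USER", "u1"),
        "same_instance_other_user": store.query(key_a, "USER", "u2"),
        "other_instance_same_user": store.query(key_b, "USER", "u1"),
        "plaintext_stored": key_a in keys.digests or key_a in keys.digests.values(),
    }
```

An unsalted fast hash is adequate here only because the keys are long random tokens; the same scheme would not be suitable for user-chosen passwords.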
Data residency
| Region | Location | Status |
|---|---|---|
| US East | Virginia (us-east-1) | Available |
| EU West | Frankfurt (eu-central-1) | Available |
| Other regions | — | On request — contact [email protected] |
You pick the region at Client creation. Memories stay in that region for their entire lifecycle, including backups and replicas. Cross-region replication is not done automatically.
Deletion guarantees
Synap supports per-memory, per-conversation, per-user, per-customer, and per-instance deletion.
- Soft delete (default) — the memory is removed from retrieval results immediately and purged from active stores within 24 hours. The deletion is logged to the audit trail.
- Hard delete (on request) — removes the memory from backups as well, within 30 days. Use this for GDPR Right-to-be-Forgotten and CCPA Right-to-Delete requests. Contact [email protected] to initiate.
Deletion cascades through the entity graph: when a user is deleted, any entities exclusively referenced by their memories are also removed. Entities co-referenced by other users (e.g., a shared product entity) are retained.
Compliance posture
| Framework | Status |
|---|---|
| SOC 2 Type II | In progress — target audit completion Q3 2026 |
| GDPR | Compliant. DPA available on request from [email protected]. |
| CCPA | Compliant. |
| HIPAA | Not currently certified. Do not send PHI to Synap. |
| ISO 27001 | On roadmap (2026). |
Synap maintains a vendor security questionnaire (CAIQ + Lite SIG) — request via [email protected].
Sub-processors
| Vendor | Purpose | Region |
|---|---|---|
| AWS | Compute, storage, KMS | US East / EU West |
| OpenAI | LLM-backed extraction (entity resolution, summarization) for ingestion mode long-range | Customer’s region |
| Cloudflare | DNS, DDoS protection, TLS termination at the edge | Global |
The current sub-processor list is maintained at maximem.ai/subprocessors and is versioned. We notify customers 30 days before adding a new sub-processor.
Audit logs
Every dashboard and API action is logged with correlation_id, principal (user / API key), timestamp, action, and resource. Audit logs are retained for 90 days by default and can be exported via the Dashboard or GET /v1/audit-logs (on Enterprise plans).
Reporting a vulnerability
Email [email protected] with reproduction steps. We acknowledge within 24 hours and aim to issue a patch within 7 days for critical vulnerabilities. We do not currently run a public bug bounty but will reward responsibly-disclosed issues.
What we do NOT do
Stated explicitly so there are no surprises in your security review:
- We do not train models on customer data. Embeddings are generated per-request and not retained beyond their use in the extraction pipeline.
- We do not share customer data with sub-processors beyond what is listed above.
- We do not allow Synap engineers to query customer data without a documented support ticket from the customer. All such access is logged.
- We do not retain deleted memories. Once a hard delete completes, the data is gone — including from backups within the 30-day window.