Security
Internally reviewed — June 2026
Data access
- All data is scoped to your account — no cross-user access is possible by design
- Row-level security enforced at the database layer on every table
- All API routes require authentication — no public endpoints expose user data
AI pipeline
- Captured page content is treated as untrusted data throughout the AI pipeline
- Raw page content is not stored after processing — only evidence-dense summaries are retained
- User-authored fields are explicitly marked as data, never as instructions, in all AI prompts
Network
- URL fetching uses SSRF protection — private network and cloud metadata access is blocked by design
- DNS validation uses Cloudflare's privacy-first resolver (1.1.1.1)
- All redirect targets are re-validated against private IP ranges
Credentials & tokens
- Personal access tokens are hashed at rest and shown once at creation
- No API keys or secrets are stored in the codebase
Account deletion
- Account deletion is atomic — all data is permanently removed in a single database transaction
- Deletion covers all tables: sessions, captures, uploads, embeddings, queries, shifts, tokens, and profile
Privacy
- We do not sell or share your research data
- Mnemi products are ad-free