Security

Internally reviewed — June 2026

Data access

  • All data is scoped to your account — no cross-user access is possible by design
  • Row-level security enforced at the database layer on every table
  • All API routes require authentication — no public endpoints expose user data

AI pipeline

  • Captured page content is treated as untrusted data throughout the AI pipeline
  • Raw page content is not stored after processing — only evidence-dense summaries are retained
  • User-authored fields are explicitly marked as data, never as instructions, in all AI prompts

Network

  • URL fetching uses SSRF protection — private network and cloud metadata access is blocked by design
  • DNS validation uses Cloudflare's privacy-first resolver (1.1.1.1)
  • All redirect targets are re-validated against private IP ranges

Credentials & tokens

  • Personal access tokens are hashed at rest and shown once at creation
  • No API keys or secrets are stored in the codebase

Account deletion

  • Account deletion is atomic — all data is permanently removed in a single database transaction
  • Deletion covers all tables: sessions, captures, uploads, embeddings, queries, shifts, tokens, and profile

Privacy

  • We do not sell or share your research data
  • Mnemi products are ad-free