Memraiq
Security and trust by design
Security controls are built into the hosted platform — not bolted on afterward. Access is explicit, data handling is documented, and we use disciplined internal logging for safety and reliability.
Authentication: JWT + bcrypt
Data at rest: Fernet encrypted
Transport: HTTPS/TLS only
Access model: Role-based (RBAC)
Access and identity
—JWT access tokens with 15-minute expiry
—httpOnly refresh tokens, 30-day TTL
—Separate admin auth scope (platform-level)
—Organisation-level role boundaries
—Owner, admin, and member roles
—Email invite flow for member onboarding
—Session invalidation on password change
—Magic link support for passwordless login
Data handling and encryption
—Passwords hashed with bcrypt (never stored plaintext)
—LLM API keys encrypted with Fernet before storage
—Document content stored in Supabase (PostgreSQL + S3)
—Vectors stored in Qdrant Cloud (encrypted at rest)
—Graph data stored in Neo4j Aura (encrypted at rest)
—All traffic encrypted in transit (HTTPS/TLS)
—Conversation history scoped to organisation
—No cross-tenant data access at any layer
Logging and internal operations
We log activity to run the hosted service safely — not to sell analytics. Technical metadata may include model, provider, and token counts where needed for billing enforcement, abuse prevention, and support; that is an internal and contractual practice, not a customer-facing cost or health dashboard product.
—Structured logs for security events, debugging, and incident response
—Internal monitoring of dependencies to keep the service reliable
—Ingestion and indexing records for troubleshooting and customer support
—Retention aligned with billing reconciliation and legal obligations (see Privacy Policy)
—Platform operators use diagnostics; in-product surfaces focus on your workspace (e.g. uploads, answers)
—No cross-tenant log access for customer users
Incident readiness
—Diagnostics-first design for dependency failures
—Internal operational monitoring of service and dependency health
—Explicit error codes (not silent failures)
—Structured logging for audit and debugging
—Enterprise customers notified within 72h of breach
—Data deletion on org/account termination
Sub-processor transparency
Document content is processed by third-party LLM providers for indexing and chat. Here is the full list of services that handle your data:
Supabase: Database, file storage, authentication
Qdrant Cloud: Vector storage for semantic search
Neo4j Aura: Knowledge graph storage
Anthropic: LLM inference (Claude models)
OpenAI: Embeddings and LLM inference
Resend: Transactional email delivery
Paystack: Payment processing
Full DPA available at /legal/dpa. Enterprise customers may request a security questionnaire response.
Questions about security, compliance, or data handling? Contact us or review our Data Processing Addendum.