Security

Engram is designed for enterprise environments where guidelines may contain sensitive company conventions, competitive intelligence, and proprietary patterns.

Data at Rest

  • All data stored in PostgreSQL with standard database-level encryption
  • Source connection credentials (OAuth tokens, API keys) encrypted at rest using AES-256
  • LLM API keys (for BYO configurations) encrypted at rest in workspace settings
  • Self-hosted deployments inherit your infrastructure's encryption policies

Data in Transit

  • All API communication over TLS 1.2+ (TLS 1.3 recommended)
  • SaaS: enforced HTTPS on all endpoints
  • Self-hosted: configure TLS termination via your reverse proxy (nginx, Caddy, Traefik)

Authentication

  • Email/password — passwords hashed with argon2id (memory-hard, timing-safe)
  • OAuth2 — GitHub and Google providers (standard OAuth2 authorization code flow)
  • JWT tokens — 24h access token expiry, 30d refresh tokens with single-use rotation
  • API keys — workspace-scoped, stored as SHA-256 hashes, revocable instantly
  • SAML SSO — available on Enterprise plan for centralized identity management

Authorization

Four-tier role model per workspace:

  Role     Permissions
  Owner    Full control — billing, deletion, ownership transfer
  Admin    Manage members, sources, repos, routing, API keys
  Editor   Create and edit documents, domains, guidelines
  Viewer   Read-only access to documents and dashboard

Data Residency

SaaS: Data hosted in US by default. EU region available on Enterprise plan.

Self-hosted: Data stays entirely on your infrastructure. No external calls required if using Ollama/vLLM for LLM — fully air-gapped operation is possible.

What Engram Stores

  • Guidelines — company conventions, patterns, and rules (not source code or customer data)
  • Source metadata — page titles, summaries, and relevance mappings (not full source content after processing)
  • Source credentials — OAuth tokens for connected integrations (encrypted)
  • User accounts — email, name, hashed password, avatar URL
  • Audit trail — document version history with author attribution

What Engram Does NOT Store

  • Customer PII or end-user data
  • Source code from your repositories (only metadata: file structure, tech stack, existing rules files)
  • Full Notion/Confluence page content after processing (only extracted patterns)

Third-Party Data Sharing

  • SaaS with Engram-managed LLM: Guideline content is sent to Anthropic (Claude) and OpenAI (embeddings) for AI processing. Both providers operate under data processing agreements that prohibit training on customer data.
  • SaaS with BYO LLM: AI calls go to your provider — Engram does not see or route through them.
  • Self-hosted: You control all data flows. With Ollama/vLLM, zero external data transmission.

Compliance

  • SOC 2 Type II — planned for SaaS
  • GDPR — data deletion on workspace removal, no data retention beyond active use
  • HIPAA — achievable via self-hosted deployment with appropriate infrastructure controls

Vulnerability Reporting

If you discover a security vulnerability, please report it to security@getengram.io. We commit to acknowledging reports within 24 hours and providing an initial assessment within 72 hours.