Security

Security is foundational to everything we build at memctl. As a platform that stores and serves context for AI coding agents, we understand the sensitivity of the data entrusted to us. We implement multiple layers of protection across our infrastructure, application, and operational processes.

This page describes our security practices and the measures we take to protect your data. If you have security concerns or questions, please contact us at [email protected].

In transit. All data transmitted between your devices and our servers is encrypted using TLS 1.2 or higher. We enforce HTTPS on all endpoints and use HSTS headers to prevent downgrade attacks.

At rest. All data stored in our databases and object storage is encrypted at rest using AES 256 encryption. Encryption keys are managed through our cloud provider’s key management service with automatic key rotation.

Backups. All backups are encrypted using the same standards as primary data storage.

User authentication. We use GitHub OAuth for user authentication, leveraging GitHub’s robust identity infrastructure. We do not store passwords.

Session management. Sessions are managed through secure, HTTP only cookies with appropriate expiration policies. Session tokens are cryptographically random and rotated regularly.

API access. API keys are generated with sufficient entropy and can be revoked at any time through your account settings. API requests are authenticated and rate limited.

Internal access. Employee access to production systems follows the principle of least privilege. All access is logged and reviewed. Multi factor authentication is required for all internal systems.

Our infrastructure is hosted on industry leading cloud platforms with strong physical and network security controls, including:

• Network isolation with private subnets, security groups, and firewalls.
• DDoS protection and web application firewalls on all public endpoints.
• Regular vulnerability scanning and penetration testing.
• Automated patching and updates for operating systems and dependencies.
• Container based deployment with minimal attack surface and no SSH access to production.
• Infrastructure as code with version control and peer review for all changes.

Tenant isolation. Each organisation’s data is logically isolated. Access controls ensure that users can only access data belonging to their own projects and teams.

Data minimisation. We collect and retain only the data necessary to provide the Service. We do not sell, share, or use customer data for advertising or training models.

Secure deletion. When you delete data or close your account, we ensure it is permanently removed from our production systems within 30 days and from backups within 90 days.

We maintain a documented incident response plan that covers detection, containment, investigation, remediation, and communication. Our incident response process includes:

• 24/7 monitoring and automated alerting for suspicious activity.
• Defined escalation procedures and an on call rotation.
• Post incident reviews with root cause analysis for all security events.
• Notification of affected users within 72 hours of a confirmed personal data breach, as required by UK GDPR.

We welcome reports from security researchers who discover vulnerabilities in our Service. If you believe you have found a security issue, please report it responsibly:

We ask that you:

• Give us reasonable time to investigate and address the issue before public disclosure.
• Do not access, modify, or delete data belonging to other users.
• Act in good faith and avoid actions that could harm the Service or its users.

We will acknowledge your report within 48 hours and work with you to understand and resolve the issue. We will not pursue legal action against researchers who follow this responsible disclosure process.

We maintain compliance with the following standards and regulations:

• UK GDPR and Data Protection Act 2018. We are registered with the Information Commissioner’s Office (ICO Registration: ZB958997) and comply with all applicable UK data protection legislation.
• PECR. We comply with the Privacy and Electronic Communications Regulations 2003. We use only strictly necessary cookies and do not engage in unsolicited marketing.

For compliance documentation, security questionnaires, or to discuss your organisation’s specific requirements, please contact [email protected].