Security

Last Updated: [DRAFT — Date TBD]

This security page is a structural draft. Details will be validated by the engineering and security teams before publication.

At Memosa, we take the security of your deal data seriously. This page describes the technical and organizational measures we implement to protect your information.

1. Infrastructure

Memosa is hosted on Railway, running on AWS infrastructure in the US. Our services are containerized and deployed with automated CI/CD pipelines. Infrastructure is managed as code with version-controlled configurations.

2. Encryption

Layer	Standard
Data in transit	TLS 1.2+ (HTTPS enforced on all endpoints)
Data at rest	AES-256 encryption (managed by infrastructure provider)
Database connections	SSL/TLS encrypted connections
Vector database	Encrypted at rest and in transit (Pinecone serverless)

3. Access Controls

We implement the principle of least privilege across our systems:

Role-based access control (RBAC) for all platform users — Owner, Editor, Commenter, and Viewer roles
Per-deal and per-organization permission boundaries
API authentication via JWT with short-lived tokens and revocation support
Administrative access restricted to authorized personnel with audit logging

4. Data Isolation

Your deal data is isolated from other organizations at multiple levels:

Namespace isolation for all vector database operations
Organization-scoped database queries
Deal-level access controls enforced at the API layer
No cross-tenant data leakage by design

5. AI Processing

When processing your documents with AI models:

Document content is sent to AI providers (OpenAI, Anthropic) for analysis via their API
We use API-tier access where providers commit to not training on customer data
Processed results are stored within your organization's namespace
We do not use your proprietary deal content to train general-purpose models

6. Authentication

We support multiple authentication methods:

Magic link email authentication (single-use, cryptographically random codes)
Password authentication (bcrypt-hashed, rate-limited)
Slack OAuth integration
JWT tokens with jti-based revocation via Redis

7. Monitoring & Logging

Self-hosted analytics (Matomo) — no third-party tracking
Structured application logging with sensitive data redaction
Error tracking and alerting for security events
Audit logging for administrative actions

8. Incident Response

We maintain an incident response process that includes:

Detection and classification of security events
Containment and remediation procedures
Notification of affected users within 72 hours of confirmed breach
Post-incident review and improvement

9. Compliance

We are committed to maintaining compliance with:

SOC 2 Type II (in progress)
GDPR requirements for EU users
CCPA requirements for California residents
CAN-SPAM compliance for all email communications

10. Responsible Disclosure

If you discover a security vulnerability, please report it to security@memosa.io. We ask that you:

Provide sufficient detail to reproduce the issue
Allow reasonable time for us to address the vulnerability before disclosure
Do not access or modify other users' data

11. Contact

For security inquiries:

Email: security@memosa.io
For urgent security issues, include "URGENT" in the subject line