Trust & security
Security built into every layer
Encryption architecture
Privacy is not a feature we bolt on. Every piece of content is encrypted with AES-256-GCM before it reaches storage, and access is scoped to the owning account.
AES-256-GCM encryption at rest
All files and sensitive metadata are encrypted with AES-256-GCM before storage. Data is encrypted on our servers and stored as ciphertext in the database and object storage.
Per-user encryption context
Every encryption operation includes authenticated additional data (AAD) scoped to the owning account, ensuring that encrypted content cannot be associated with or decrypted for a different user.
Field-level metadata encryption
Sensitive metadata fields such as titles, descriptions, and file names are individually encrypted server-side with unique initialisation vectors, preventing exposure in database logs.
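The account-scoped AAD and per-field IVs described above can be sketched with Node.js's built-in crypto module. This is an added example, not Memory Index's code; the AAD layout, record shape, single demo key and sample account IDs are assumptions made for illustration.

```javascript
// Added illustration; not Memory Index code. AAD layout and record shape are assumptions.
const crypto = require('node:crypto');

// Unambiguous AAD encoding: a JSON array avoids "a|bc" vs "ab|c" style collisions.
function buildAad(accountId, field) {
  return Buffer.from(JSON.stringify([accountId, field]), 'utf8');
}

// Encrypt one metadata field with a fresh 96-bit IV and account-scoped AAD.
function encryptField(key, accountId, field, plaintext) {
  const iv = crypto.randomBytes(12); // unique per value; never reuse an IV under one key
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(buildAad(accountId, field));
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

// Decrypt; throws if key, IV, ciphertext, tag or AAD differ from encryption time.
function decryptField(key, accountId, field, rec) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, rec.iv);
  decipher.setAAD(buildAad(accountId, field));
  decipher.setAuthTag(rec.tag);
  return Buffer.concat([decipher.update(rec.ct), decipher.final()]).toString('utf8');
}

// Returns the plaintext, or null when GCM authentication fails.
function tryDecrypt(key, accountId, field, rec) {
  try { return decryptField(key, accountId, field, rec); } catch { return null; }
}

// Constructed sample data: one demo key, one encrypted title for account acct-1001.
const demoKey = crypto.randomBytes(32);
const titleRec = encryptField(demoKey, 'acct-1001', 'title', 'Letter to my daughter');

// Same key and ciphertext each time; only the AAD presented at decryption changes.
function demo() {
  return {
    owner: tryDecrypt(demoKey, 'acct-1001', 'title', titleRec),
    otherAccount: tryDecrypt(demoKey, 'acct-2002', 'title', titleRec),
    otherField: tryDecrypt(demoKey, 'acct-1001', 'description', titleRec),
  };
}
console.log(demo());
```

Because the AAD is authenticated but not stored in the ciphertext, a record copied onto another account's row, or into another column, fails the tag check even when the key is the same.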
Infrastructure & compliance
Enterprise-grade hosting, redundant storage, and compliance tooling that satisfy regulatory requirements by default.
EU-based infrastructure
Primary data storage and processing occur within EU regions (AWS eu-west-2), supporting GDPR residency requirements and data sovereignty expectations.
Dual-layer encrypted storage
Files are encrypted at the application layer with AES-256-GCM before being written to AWS S3 with server-side encryption (SSE-S3) enabled, providing two independent layers of encryption at rest.
Admin audit logging
Audit trails record administrative actions including account deletions, verification decisions, and access to audit logs. Export tools support regulatory reviews and data subject requests.
Security practices
A non-exhaustive list of the security controls and practices that protect every Memory Index account.
- All API traffic encrypted in transit via HTTPS with strict transport security
- Content Security Policy and strict transport security headers on every response
- WebAuthn passkey support for phishing-resistant authentication
- Recipient identity verification required before content release
- Role-based access control with principle of least privilege
- GDPR data deletion workflows with full account and file purge
- No third-party analytics or tracking scripts on authenticated pages
- Automated dependency audits via Dependabot with weekly review cadence
Have a security concern?
We take every report seriously. If you have discovered a vulnerability or have questions about our security posture, please reach out to our team directly.