Security Whitepaper

A comprehensive overview of REM Labs security architecture, controls, and compliance posture for enterprise evaluation.

Version: 1.0
Published: April 14, 2026
Classification: Public

Section 1

Architecture Overview

REM Labs provides a memory infrastructure API that stores, indexes, retrieves, and consolidates memory data for AI agents and applications. The architecture is designed for security, simplicity, and self-hostability.

Production Architecture
Client Application (your code)
-- HTTPS / TLS 1.3 --
Vercel CDN (static assets + edge)
-- internal --
Railway API (Node.js runtime)
-- local disk --
SQLite (WAL mode, encrypted)

For self-hosted deployments, the architecture collapses to a single container: your application communicates directly with the REM API running on your infrastructure, with SQLite on local disk or mounted volume. No external dependencies are required.

Key architectural properties

  • No external database dependency. SQLite runs embedded, eliminating an entire class of network-based attack vectors.
  • Stateless API. The API server is stateless and horizontally scalable. All state lives in SQLite.
  • No outbound calls. In self-hosted mode, the API makes zero outbound network requests. All processing is local.
  • Minimal attack surface. The API exposes a focused set of REST endpoints. No GraphQL, no WebSockets, no server-side rendering.

Section 2

Encryption

REM Labs employs encryption at every layer of the data lifecycle.

  • At rest: AES-256 encryption for all stored data. Memory content, metadata, and indexes are encrypted on disk.
  • In transit: TLS 1.3 enforced for all API communications. HSTS headers prevent protocol downgrade attacks. Minimum TLS version is 1.2.
  • API keys: Hashed with SHA-256 before storage. Raw keys are never stored, logged, or transmitted after initial generation.
  • Customer-managed keys: Enterprise tier supports customer-managed encryption keys (CMEK), allowing customers to control the encryption keys used for their data.
  • Backup encryption: All automated S3 backups are encrypted using server-side encryption (SSE-S3 or SSE-KMS).

Section 3

Authentication

Authentication is handled via API keys for programmatic access and OAuth 2.0 / SAML for interactive access.

API key security

  • Keys are generated using cryptographically secure random number generation (256 bits of entropy).
  • Keys are displayed exactly once at creation time. They are immediately SHA-256 hashed before database storage.
  • Key lookup is performed by hashing the provided key and comparing against stored hashes. No plaintext comparison ever occurs.
  • Keys can be scoped to specific operations, namespaces, or time windows on Business and Enterprise tiers.
  • Key rotation is supported with zero-downtime overlap periods.
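
An added example (not REM Labs code) of the issue, hash, look up and rotate flow described in the list above, with an in-memory Map standing in for the key table; the `rk_example_` prefix, the function names and the record fields are assumptions. A fast unsalted hash is adequate here only because each key carries 256 bits of random entropy.

```javascript
const { createHash, randomBytes } = require('node:crypto');

// Assumption: an in-memory Map stands in for the key table (hash -> record).
const keyStore = new Map();

// SHA-256 of the raw key, hex encoded; this is the only form that is stored.
function hashKey(rawKey) {
  return createHash('sha256').update(rawKey, 'utf8').digest('hex');
}

// Issue a key with 256 bits of CSPRNG output. The raw key is returned once
// to the caller and never written to the store.
function issueKey(owner, namespace) {
  const rawKey = 'rk_example_' + randomBytes(32).toString('hex');
  keyStore.set(hashKey(rawKey), { owner, namespace, expiresAt: null });
  return rawKey;
}

// Authenticate by hashing the presented key and looking the hash up.
function authenticate(rawKey, now = Date.now()) {
  if (typeof rawKey !== 'string' || rawKey.length === 0) return null;
  const record = keyStore.get(hashKey(rawKey));
  if (!record) return null;
  if (record.expiresAt !== null && now >= record.expiresAt) return null;
  return { owner: record.owner, namespace: record.namespace };
}

// Rotation with an overlap period: the new key works immediately and the
// old key keeps working until now + overlapMs, then stops. Rotating the
// same old key again never extends its deadline.
function rotateKey(oldRawKey, overlapMs, now = Date.now()) {
  if (authenticate(oldRawKey, now) === null) {
    throw new Error('unknown or expired key');
  }
  const record = keyStore.get(hashKey(oldRawKey));
  record.expiresAt = Math.min(record.expiresAt ?? Infinity, now + overlapMs);
  return issueKey(record.owner, record.namespace);
}
```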

SSO / Enterprise authentication

  • SAML 2.0 supported on Business and Enterprise tiers. Compatible with Okta, Azure AD, OneLogin, and other SAML IdPs.
  • OpenID Connect (OIDC) supported for Google Workspace, Azure AD, and custom OIDC providers.
  • SCIM 2.0 provisioning on Enterprise tier for automated user lifecycle management.
  • MFA enforcement can be required at the organization level via SSO provider configuration.

Section 4

Authorization

REM Labs implements defense-in-depth authorization with multiple isolation boundaries.

Namespace isolation

Every memory operation is scoped to a namespace. Namespaces provide hard data boundaries -- a request authenticated with one namespace's credentials cannot read or write data in another namespace. This isolation is enforced at the database query level, not just the application layer.

Role-Based Access Control (RBAC)

  • Owner: Full access. Can manage billing, team members, API keys, and all data operations.
  • Admin: Can manage team members, API keys, and all data operations. Cannot modify billing.
  • Editor: Can create, read, update, and delete memories within assigned namespaces.
  • Viewer: Read-only access to memories within assigned namespaces. Cannot modify data.

Section 5

Data Handling

REM Labs follows strict data handling principles designed to give customers full control over their data.

We do not train on customer data. Customer memory data is never used for model training, product analytics, or any purpose beyond providing the contracted service. This commitment is contractual and applies to all tiers.

Data retention

  • Configurable retention. Customers can set per-namespace retention policies. Options include indefinite storage, TTL-based auto-expiry, or manual purge.
  • Right to erasure. Memory deletion via the API is immediate at the application layer. Deletion propagates to backups within the backup rotation window (6 hours).
  • Account termination. Upon account deletion or contract termination, all data is purged within 30 days, including backups. Certification of deletion is available upon request.

Data residency

  • US (default): Data processed and stored in the United States (Railway US region).
  • EU (Enterprise): Data processed and stored within the European Economic Area.
  • Self-hosted (any region): Customer controls all data location when self-hosting.

Section 6

Audit Logging

Every API call to REM Labs is logged with a comprehensive audit trail. Audit logs are immutable and designed to support compliance audits and security investigations.

What is logged

  • Timestamp: ISO 8601 UTC timestamp of the request.
  • User / API key: Hashed identifier of the authenticated entity (never the raw key).
  • Action: The API operation performed (store, recall, search, delete, etc.).
  • Resource: The namespace and memory ID affected by the operation.
  • IP address: Source IP of the request (on managed deployments).
  • Response code: HTTP status code returned.
  • Rate limit state: Remaining quota and limit tier at time of request.

Log export

Audit logs are exportable in JSON and CSV formats via the admin dashboard or API. Enterprise customers can configure log forwarding to external SIEM systems.

Section 7

Incident Response

REM Labs maintains a documented incident response process with defined SLAs for acknowledgment and resolution.

  • Acknowledgment: All security incidents are acknowledged within 24 hours of detection or report.
  • Resolution target: Critical and high-severity incidents: 72-hour resolution target. Medium/low: 7-day target.
  • Notification: Affected customers are notified within 72 hours of a confirmed data breach, per GDPR Article 33 requirements.
  • Post-incident: Root cause analysis and remediation report published within 14 days of incident resolution.

Reporting a vulnerability

Security researchers and customers can report vulnerabilities to dev@remlabs.ai. We commit to acknowledging all reports within 24 hours and providing a resolution timeline within 72 hours.

Section 8

Backup and Disaster Recovery

  • Backup method: SQLite WAL (Write-Ahead Logging) mode with automated snapshots to S3-compatible storage.
  • Backup frequency: Every 6 hours (automated). On-demand backups available via admin dashboard.
  • RPO: 6 hours (maximum data loss in a disaster scenario).
  • RTO: 30 minutes (target time to restore service).
  • Cross-region: Enterprise tier includes cross-region backup replication for geographic redundancy.
  • Backup encryption: All backups are encrypted at rest using the same AES-256 encryption as primary storage.
  • Recovery testing: Backup restoration is tested quarterly to verify integrity and recovery procedures.

Section 9

Network and Application Security

The API implements multiple layers of network and application-level protections.

  • SSRF protection: Server-Side Request Forgery protection with private IP and hostname blocking. All outbound requests (when applicable) are validated against an allowlist.
  • DNS rebinding protection: Request host headers are validated to prevent DNS rebinding attacks.
  • Rate limiting: Per-tier rate limits with standard HTTP headers (X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset). Prevents abuse and ensures fair usage.
  • Request size limits: Maximum payload sizes enforced to prevent denial-of-service via oversized requests.
  • Timeout protection: Request timeouts prevent slow-loris and connection exhaustion attacks.
  • Prototype pollution protection: Input validation prevents JavaScript prototype pollution attacks on JSON payloads.
  • Security headers: All responses include HSTS, Content-Security-Policy, Cross-Origin-Resource-Policy, X-Content-Type-Options, and X-Frame-Options headers.
  • Dependency scanning: Automated dependency vulnerability scanning with alerts on critical CVEs.
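
An added example (not REM Labs code) of the private IP and hostname blocking plus allowlist check described in the SSRF bullet above, using Node's `net.BlockList`. The allowlisted host, the blocked-hostname set and the function names are assumptions, and resolved addresses are passed in so the example runs offline.

```javascript
const { BlockList, isIP } = require('node:net');

// Private, loopback, link-local and CGNAT ranges that outbound requests
// must never reach.
const blocked = new BlockList();
for (const [addr, bits] of [
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16],
]) {
  blocked.addSubnet(addr, bits, 'ipv4');
}
for (const [addr, bits] of [['::1', 128], ['fc00::', 7], ['fe80::', 10]]) {
  blocked.addSubnet(addr, bits, 'ipv6');
}

const BLOCKED_HOSTNAMES = new Set(['localhost']);     // constructed sample
const ALLOWED_HOSTS = new Set(['hooks.example.com']); // hypothetical allowlist

function isBlockedAddress(ip) {
  const family = isIP(ip);
  if (family === 0) return true; // not an IP literal: fail closed
  return blocked.check(ip, family === 6 ? 'ipv6' : 'ipv4');
}

// resolvedAddrs is what DNS returned for the host. A real caller resolves
// once and connects to the address that was checked, not to the name.
function checkOutbound(rawUrl, resolvedAddrs) {
  let url;
  try { url = new URL(rawUrl); } catch { return { ok: false, reason: 'unparseable-url' }; }
  if (url.protocol !== 'https:') return { ok: false, reason: 'scheme' };
  const host = url.hostname.replace(/^\[|\]$/g, '').toLowerCase();
  if (BLOCKED_HOSTNAMES.has(host) || host.endsWith('.localhost')) {
    return { ok: false, reason: 'blocked-hostname' };
  }
  if (isIP(host) !== 0 && isBlockedAddress(host)) {
    return { ok: false, reason: 'blocked-address' };
  }
  if (!ALLOWED_HOSTS.has(host)) return { ok: false, reason: 'not-allowlisted' };
  // An allowlisted name can still resolve to an internal address.
  if (resolvedAddrs.length === 0 || resolvedAddrs.some(isBlockedAddress)) {
    return { ok: false, reason: 'blocked-address' };
  }
  return { ok: true, connectTo: resolvedAddrs[0] };
}
```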

Section 10

Penetration Testing

REM Labs conducts regular security assessments to identify and remediate vulnerabilities.

  • External penetration test: Scheduled for Q3 2026 with an independent third-party security firm. Results and remediation report will be available to Enterprise customers under NDA.
  • Continuous scanning: Automated vulnerability scanning runs on every deployment to catch regressions.
  • Bug bounty: Responsible disclosure process in place. Researchers can report vulnerabilities to dev@remlabs.ai.

Section 11

Compliance Roadmap

REM Labs is actively pursuing industry-standard compliance certifications.

  • SOC 2 Type II (Q3 2026): Audit in progress. Covers security, availability, and confidentiality trust service criteria. SOC 2 bridge letter available now for enterprise evaluations.
  • Penetration Test (Q3 2026): Third-party penetration test by an independent security firm. Results available under NDA to Enterprise customers.
  • HIPAA (Q4 2026): Business Associate Agreement (BAA) and technical controls for Protected Health Information. Available on Enterprise tier.
  • ISO 27001 (2027): Information security management system certification. Planned for 2027 based on customer demand.

Section 12

Summary of Controls

The following table summarizes the key security controls implemented by REM Labs.

Control                  Implementation
Encryption at rest       AES-256
Encryption in transit    TLS 1.3 (minimum 1.2)
API key storage          SHA-256 hashed, never plaintext
Authentication           API keys, OAuth 2.0, SAML 2.0, OIDC
Authorization            RBAC (4 roles) + namespace isolation
Audit logging            Every API call, immutable, exportable
Data residency           US, EU, or self-hosted (any region)
Backup RPO / RTO         6 hours / 30 minutes
Breach notification      72 hours (GDPR compliant)
Customer data usage      Never used for training
SOC 2 Type II            In progress (Q3 2026)
Self-hosted option       Full on-premise / air-gapped support

For security questions, to request a detailed security review, or to report a vulnerability, contact our team.

dev@remlabs.ai