Phase 6: Security, Privacy & Launch Readiness
A memory layer that stores personal knowledge needs serious security. We locked down the stack — rate limiting, encryption, GDPR compliance, and a full operational audit.

Trust Is the Product
memset stores some of the most personal data in a user's digital life: their preferences, decisions, knowledge, career trajectory, and communication style. If users don't trust the system with that data, nothing else matters. Features, UI, performance — all secondary to trust.
Phase 6 was a comprehensive security and privacy hardening pass. Not the most exciting work, but arguably the most important.
What We Locked Down
Rate Limiting
Every API endpoint got rate limits proportional to its computational cost. Semantic search (which involves embedding + vector similarity) is more expensive than a simple metadata query, so it gets tighter limits. Rate limiting uses Redis with sliding window counters — no token bucket approximations.
Tier-aware limits mean free users get reasonable but bounded access, while paid tiers have progressively higher ceilings. Rate limit headers (X-RateLimit-Remaining, Retry-After) are returned on every response so clients can adapt gracefully.
Authentication Hardening
- Refresh token rotation — every time a refresh token is used, a new one is issued and the old one is invalidated. Stolen tokens have a single-use window.
- HMAC-signed OAuth state — CSRF protection for the OAuth flow uses cryptographically signed state parameters, not random strings.
- HTTP-only cookies — refresh tokens are never accessible to JavaScript. Secure and SameSite=None flags for cross-origin safety.
- API key scoping — keys can be rotated, revoked, and have per-key rate limits.
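A sketch of the HMAC-signed OAuth state idea from the list above, as an added example rather than memset's own code. The `nonce.issued_at.mac` layout, the 10-minute lifetime, the binding to a session id, and the function names are all assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional

STATE_TTL_SECONDS = 600  # assumed lifetime for an in-flight OAuth redirect


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _mac(key: bytes, session_id: str, payload: str) -> str:
    # Binding the MAC to the session id means a state minted for one
    # browser session will not verify in another.
    msg = f"{session_id}|{payload}".encode()
    return _b64(hmac.new(key, msg, hashlib.sha256).digest())


def issue_state(key: bytes, session_id: str, now: Optional[float] = None) -> str:
    """Return 'nonce.issued_at.mac' to send as the OAuth state parameter."""
    issued_at = int(time.time() if now is None else now)
    payload = f"{_b64(secrets.token_bytes(16))}.{issued_at}"
    return f"{payload}.{_mac(key, session_id, payload)}"


def verify_state(key: bytes, session_id: str, state: str,
                 now: Optional[float] = None) -> bool:
    """Check the MAC first, then the age; reject anything malformed."""
    parts = state.split(".")
    if len(parts) != 3:
        return False
    nonce, issued_at, mac = parts
    expected = _mac(key, session_id, f"{nonce}.{issued_at}")
    # Constant-time comparison avoids leaking how many MAC bytes matched.
    if not hmac.compare_digest(expected.encode(), mac.encode()):
        return False
    # issued_at is only parsed after the MAC proves the server produced it.
    age = (time.time() if now is None else now) - int(issued_at)
    return 0 <= age <= STATE_TTL_SECONDS
```

Because the state verifies from the key and session alone, the callback handler needs no server-side lookup table of pending states.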
Encryption
All memories are encrypted at rest using PostgreSQL's native encryption. The database connection uses TLS. API traffic is HTTPS-only with HSTS headers. Environment secrets are managed through Railway's encrypted variable system — never committed to the repo.
GDPR Compliance
Users can:
- Export all their data in JSON format, anytime, from the dashboard or API
- Delete their account and all associated data permanently
- Review exactly what data is stored and how it's used
The privacy policy is explicit about our use of OpenAI's API for embeddings and analysis. Under OpenAI's API data usage policy, inputs and outputs sent via the API are not used to train models. We disclose this prominently.
Operational Readiness
Security isn't just about code — it's about operations. We set up:
- Sentry — error tracking with full stack traces, release tagging, and alerts for new error types
- Uptime monitoring — external health checks on all API endpoints via BetterStack, with alerts to Slack and email
- Database backups — automated daily backups with point-in-time recovery capability. We tested the restore process to make sure it actually works.
- Environment audit — every production environment variable documented, verified, and tested. No placeholder values, no defaults that work in dev but fail in production.
The Privacy Philosophy
Our approach to privacy is opinionated: memset should know as little as possible about the user's behavior, and as much as necessary about their preferences.
We don't track page views, session duration, or click patterns. We don't build advertising profiles. We don't share data with third parties beyond the infrastructure needed to run the service (database hosting, embedding API).
What we do store:
- Memories the user explicitly saves
- Style profile derived from user interactions
- Account metadata (email, tier, settings)
- API usage counts for billing
What we don't store:
- Chat conversation content (Ghost Memory reads but doesn't persist conversations)
- Browsing history
- Clipboard content
- File system data
This distinction matters. memset is a tool that processes data on behalf of the user, not a platform that harvests data about the user.
Launch Readiness
By the end of Phase 6, the system was operationally ready for real users:
- All critical endpoints rate-limited and monitored
- Authentication hardened with token rotation and CSRF protection
- Data encrypted at rest and in transit
- Full GDPR data export and deletion working
- Error tracking and uptime monitoring active
- Database backup and restore tested
- Production environment fully configured and verified
Security is never "done" — it's an ongoing process. But the foundation is solid, the practices are established, and the monitoring is in place to catch issues early.