XMemo Security Modes

Where is my data?

This page explains what XMemo stores for each security mode, where it is processed, who can decrypt it, what happens during export or deletion, and how you can verify the active boundary from your own account.

Quick comparison

Mode Where ciphertext lives Who can decrypt Best fit
Cloud-managed mode cloud XMemo managed data plane with access controls, tenant isolation, and audit trails. XMemo server can process memory content for recall, search, ranking, and supportable exports. Fast setup, full hosted recall, no device or recovery-key burden.
Keyguard mode keyguard XMemo managed Postgres, but envelope keys are bound to your tenant KMS / HSM. The server can decrypt only when your KMS grant allows unwrap operations. Enterprise teams that need hosted recall plus customer-managed key control.
Vault mode vault XMemo managed Postgres stores opaque ciphertext and envelope metadata. Only enrolled devices or your recovery kit can decrypt. XMemo cannot recover plaintext. Zero-knowledge custody where losing all devices and recovery material means permanent loss.

What XMemo stores

XMemo public pages never ask you to paste API keys. Agent and MCP configuration should reference environment variables or the official client configuration surface.

Cloud-managed mode

Storage

Memory data is stored in the XMemo managed data plane with access controls, tenant isolation, and audit trails.

Processing

The XMemo server can process memory content for server-side semantic recall, ranking, and exports. This is the most convenient mode, but it is not zero-knowledge.

Deletion and DSAR

Deletion removes memory rows and associated metadata. DSAR exports can include plaintext because the service can process memory content on your behalf.

Keyguard mode

Keyguard keeps XMemo's hosted recall experience while binding envelope operations to a key your organization controls in Azure Key Vault, AWS KMS, GCP KMS, KMIP, or a similar provider.

Vault mode

Vault is the zero-knowledge option. The browser/device encrypts before data leaves the device, and the server stores only ciphertext plus routing and envelope metadata.

Production data boundary

XMemo production is designed around operator-managed Postgres with TLS verification and runtime row-scoping controls. Supabase is treated as a development and compatibility backend only, not as the supported production substrate for these custody claims.

How to verify your active mode

  1. Open Memory Console -> Settings -> Security mode and confirm the mode shown there.
  2. Call GET /api/v1/me/setup/state; completed accounts should show setup_state = setup_completed and the expected selected_mode.
  3. Call GET /api/v1/me/security-mode; the posture should include verified_effective_mode, new_write_mode, pending_write_mode, legacy_read_mode, and migration_status.
  4. For Keyguard, compare the displayed key binding id with your KMS audit log. For Vault, confirm outbound writes contain opaque ciphertext with no recognizable plaintext substring.