Trust & Security

Memory infrastructure that ships with provenance, namespace isolation, and a non-destructive audit ledger by default. Below is exactly how we handle your data — what gets stored, what gets encrypted, what gets forgotten, and what gets logged.

Data Handling

Every fact in the Context Graph is provenance-stamped and scoped to a namespace.

  • Namespace isolation: Every query, ingest, and trigger is scoped by namespace. Tenant data never crosses boundaries; rate limits and KMS profiles hang off the namespace.
  • Sensitivity marking: Tag data nodes as sensitive. Agents refuse to expose them to external channels or must request explicit permission.
  • Field-level access control: Per-data policies apply to graph nodes — PII masking, redaction, and consent-gated access enforced natively via Reflex triggers.
  • Cascading enforcement: Policy violations on a parent node propagate to child nodes via graph traversal — no field is silently exempted.
  • Provenance on every edge: Source system, confidence, asserted_at, valid_from, valid_to, retracted_at, and verification_status travel with every fact.

Access Control

Fine-grained rules over tools, data, and rates — checked on every call.

  • Per-tool policies: Restrict which tools an agent can invoke based on context, user role, or data sensitivity classification.
  • Action rate limiting: Declarative limits like "max 5 emails per hour"; Synapta tracks action counts on the episodic memory layer and blocks on violation.
  • Plain-English policy configuration: Controls configurable in natural language or via policy scripts; the integrated graph enforces them natively via Reflex triggers.
  • AND-semantics entitlements: The gateway resolves entitlements with AND-semantics across `requires` clauses and meters quota per namespace before dispatch.
  • Implicit enforcement: The graph's episodic memory naturally tracks action history — policy evaluation runs without external state stores.

GDPR & Right to Be Forgotten

Surgical forget with non-destructive audit. The act of forgetting is itself a recorded fact.

  • Retraction, not destruction: The first pass marks edges with `retracted_at = now`. The bi-temporal model preserves what was known when — audit and past-anchor recall keep working.
  • Cascade by provenance: Every fact derived from the forgotten source is also retracted — not every fact connected to it. Narrower, more correct, reproducible.
  • Blob and URL revocation: Vault drops associated file records, deletes (or schedules) S3 blobs per retention policy, and rotates signing keys to revoke pre-signed URLs.
  • Non-destructive audit ledger: The ledger records what was deleted, when, by whom — without retaining the underlying data the regulator asked to be removed.
  • Hard-purge for compliance: A follow-up purge job (governed by retention policy) replaces retracted edges with tombstones — finally removing content while preserving the fact of deletion.
  • Re-ingestion safety: The same fact arriving again lands as a new edge with a new `asserted_at` — never a resurrection of the retracted one.
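
The retraction, provenance cascade, ledger, and re-ingestion behaviour listed above can be modelled in a few lines. This is an added illustration, not Contexta's code or API: `Edge`, `Graph`, `forget`, `recall`, `derived_from` and the sample data are hypothetical, and only the `asserted_at` and `retracted_at` field names come from this page.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Edge:
    id: int
    fact: tuple                      # (subject, predicate, object)
    source: str                      # source system that asserted the fact
    asserted_at: int
    derived_from: tuple = ()         # ids of edges this fact was inferred from
    retracted_at: Optional[int] = None

class Graph:                         # hypothetical model, not Contexta's API
    def __init__(self):
        self.edges, self.ledger = [], []

    def ingest(self, fact, source, now, derived_from=()):
        # Always a new edge with a new asserted_at; a retracted edge is never revived.
        edge = Edge(len(self.edges) + 1, fact, source, now, tuple(derived_from))
        self.edges.append(edge)
        return edge

    def forget(self, source, operator, now):
        live = [e for e in self.edges if e.retracted_at is None]
        hit = {e.id for e in live if e.source == source}
        while True:                  # follow derived_from links to a fixpoint
            more = {e.id for e in live if hit & set(e.derived_from)} - hit
            if not more:
                break
            hit |= more
        for e in live:
            if e.id in hit:
                e.retracted_at = now
        # Ledger keeps who, when, scope and edge ids, never the fact content.
        self.ledger.append({"scope": source, "operator": operator, "at": now, "edge_ids": sorted(hit)})
        return hit

    def recall(self, as_of):
        # Bi-temporal read: edges asserted by as_of and not yet retracted at as_of.
        return [e for e in self.edges if e.asserted_at <= as_of
                and (e.retracted_at is None or e.retracted_at > as_of)]

def demo():                          # constructed sample data
    g = Graph()
    a = g.ingest(("alice", "email", "a@example.com"), "crm", now=1)
    b = g.ingest(("alice", "segment", "newsletter"), "inference", now=2, derived_from=[a.id])
    c = g.ingest(("alice", "plan", "pro"), "billing", now=3)  # shares a node, not derived
    retracted = g.forget("crm", operator="dpo@example.com", now=10)
    again = g.ingest(("alice", "email", "a@example.com"), "crm", now=20)
    return g, a, b, c, retracted, again
```

The billing edge shares the `alice` node with the forgotten CRM fact but is left untouched, because the cascade follows derivation links rather than graph connectivity.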

Audit & Provenance

Every fire, every fact, every policy decision lives on the audit ledger.

  • Pre-delivery logging: Reflex fires log to the audit ledger before webhooks deliver. Replay is trivial; the ledger captures both the delta and the fire.
  • Per-stage processing metadata: Recall stamps each stage (retrieval, enrichment, assembly) with its own provenance so the full path of every fact is recoverable.
  • Compliance reporting: Exportable logs for regulatory review (GDPR, EU AI Act, SOC 2) with decision, context, and provenance chain on every evaluation.
  • Operator-attributed forgets: Every forget operation records operator identity, scope, and timestamps — compliance evidence stays available after the data is gone.
  • Replay-ready: Because the audit ledger captures both the delta and the fire, any past event can be re-evaluated against an updated CX without replaying ingestion.

Encryption

Data Encryption Keys are per-namespace, batch-rotated, and BYOK-ready.

  • Per-namespace DEKs: Data Encryption Keys are managed by Vault per namespace and rotated in batches — data-at-rest encryption, BYOK, and compliance audits all bottom out here.
  • Trust boundary separation: Vault (secrets) runs on Postgres with ACID; Synapta (memory) runs on ArangoDB. The security trust boundary is not co-located with memory data.
  • In-transit encryption: All API and webhook traffic over TLS 1.2+. Internal service-to-service traffic mTLS-secured.
  • Signing key rotation: Pre-signed URL signing keys rotate on every forget that touches their blobs — cached URLs cannot resurrect data.
  • BYOK on Enterprise: Bring your own KMS for Enterprise deployments; per-tenant key material never leaves your cloud account.

Compliance roadmap

  • SOC 2 Type I: In flight — Q3 2026 target.
  • GDPR: Ready — surgical forget plus non-destructive audit ledger ship today.
  • HIPAA: Ready-architecture — BAA available on the Enterprise tier.
  • ISO 27001: Scoping — kickoff after SOC 2 Type I attestation lands.

Contact security

Report a vulnerability, request a SOC 2 update, or ask for a custom DPA — email support@contexta.ai with subject line “Security”. Responsible disclosure is welcomed — we acknowledge within one business day.

Audit-ready by default.

Bring your hardest compliance question. We will show you the exact ledger entry that answers it.