Trust & Compliance
Your data, protected by design
Engram is built on Cloudflare's global network with tenant isolation at every layer. We're in the process of formalizing our compliance program and welcome conversations with security-conscious buyers.
Last updated April 11, 2026
GDPR
Compliant. We honor data subject rights (access, correction, deletion, portability). Data Processing Agreement available at /dpa. EU data residency available on Enterprise.
CCPA / CPRA
Compliant. We do not sell personal information. California residents can exercise access and deletion rights via privacy@getengram.app.
Security by design
Security isn't a policy we bolted on — it's how the system works. For the full technical breakdown, see our security documentation.
Tenant isolation
Every database query is bound to the caller's organization_id, which is derived from the authenticated API key rather than from request input. Vectorize searches include an organization metadata filter at the index level, so a vector query cannot return another tenant's embeddings. There is no admin API, no superuser key, and no code path that queries across tenants.
Encryption in transit and at rest
All traffic is served over TLS 1.3. Cloudflare D1 and Vectorize encrypt data at rest with AES-256. The entire .app TLD is on the browser HSTS preload list, so browsers that ship that list never attempt a plaintext connection to getengram.app, even on a first visit.
API key hygiene
API keys are displayed exactly once at creation; only the SHA-256 hash of each key is stored, so a lost key cannot be recovered, only revoked and replaced. Keys support an optional expiration and can be revoked instantly. A last-used timestamp is recorded for each key for audit purposes.
Content stays inside Cloudflare
Embeddings are generated on Cloudflare Workers AI (bge-base-en-v1.5). Your conversation content is not sent to OpenAI, Anthropic, Cohere, or any third-party embedding provider. The entire storage and search path stays within Cloudflare's network.
No training on your data
We do not use your stored conversations to train models — ours or anyone else's. We do not share your data with other customers. This is a contractual commitment, not an opt-out.
Subprocessors
A minimal set of vendors that process your data on our behalf. Each vendor is bound by a data processing agreement and has been reviewed for security posture.
| Vendor | Purpose | Data | Location |
|---|---|---|---|
| Cloudflare | Compute (Workers), database (D1), vector index (Vectorize), embeddings (Workers AI) | Conversation content, embeddings, API keys (hashed) | Global / US |
| Stripe | Payment processing, subscription management | Billing contact, payment method (stored by Stripe directly) | US |
| Vercel | Marketing site and documentation hosting | None — the app API runs on Cloudflare, not Vercel | US |
We'll notify Enterprise customers at least 30 days before adding a new subprocessor that processes customer data.
Data residency
By default, Engram uses Cloudflare's global placement for storage. Enterprise customers can request region-pinned storage (US, EU) at contract time. We do not currently offer single-tenant deployments.
Incident response
If we become aware of a security incident affecting your data, we will notify affected customers without undue delay and within the timeframes required by applicable law. Enterprise customers receive a written post-incident report.
Suspect a vulnerability? Email security@getengram.app. Please do not disclose publicly until we've had a chance to respond and remediate.
Security review?
If you're working through a security questionnaire, vendor assessment, or need a DPA, BAA, or SOC 2 letter of engagement, we're happy to help. Most requests are answered within two business days.