E
Engrami
Security

Privacy & Data Protection

Learn how Engrami protects your data with enterprise-grade security and complete data sovereignty.

Data Sovereignty Architecture

Engrami's unique Control Plane + Data Plane architecture ensures your sensitive data never leaves your infrastructure.

Control Plane (Engrami Hosted)

  • ✓ Agent definitions (metadata only)
  • ✓ Workflow configurations
  • ✓ Billing & usage metrics
  • ✓ Dashboard & management UI
  • ✗ No customer data stored

Data Plane (Your VPC)

  • ✓ All conversation data
  • ✓ Agent memory stores
  • ✓ Vector embeddings
  • ✓ Knowledge base content
  • ✓ LLM API connections

Encryption

Data at Rest

  • Database Encryption - AES-256 encryption for all stored data
  • Key Management - AWS KMS or customer-managed keys (BYOK)
  • Vector Store - Encrypted embeddings in ChromaDB/Pinecone
  • Secrets - Vault-based secret storage with rotation

Data in Transit

  • TLS 1.3 - All API communications encrypted
  • mTLS - Mutual TLS between Control and Data Planes
  • Certificate Pinning - Prevents MITM attacks

Access Control

Authentication

  • JWT-based authentication with short-lived tokens
  • OAuth 2.0 / OIDC integration
  • SAML 2.0 for enterprise SSO
  • Multi-factor authentication (MFA)

Authorization

  • RBAC - Role-based access control with custom roles
  • Tenant Isolation - Complete data isolation between tenants
  • API Scopes - Fine-grained API key permissions
  • Resource Policies - Agent and workflow-level access controls

Data Handling

Data Collection

Engrami collects minimal data necessary for operation:

  • Account Data - Email, name, organization
  • Usage Metrics - API calls, token counts (no content)
  • Audit Logs - Actions performed (configurable retention)

Data Retention

# Configure retention policies
{
  "memory_retention": {
    "semantic": "indefinite",    // Until manually deleted
    "episodic": "90_days",       // Auto-expire after 90 days
    "procedural": "indefinite"
  },
  "audit_logs": "365_days",
  "conversation_history": "custom"  // User-defined
}

Data Deletion

  • Soft Delete - Data marked for deletion, recoverable for 30 days
  • Hard Delete - Permanent deletion with cryptographic erasure
  • Account Deletion - Complete data removal within 30 days
  • Right to Erasure - GDPR Article 17 compliant

Privacy Controls

PII Detection

Automatic detection and handling of personally identifiable information:

{
  "pii_detection": {
    "enabled": true,
    "types": ["email", "phone", "ssn", "credit_card", "address"],
    "action": "redact",  // or "mask", "flag", "block"
    "log_detections": true
  }
}

Data Masking

Mask sensitive data in logs and exports:

# Before masking
"Customer email is john.doe@company.com, SSN 123-45-6789"

# After masking
"Customer email is j***@c***.com, SSN ***-**-****"

LLM Privacy

Protect your data when using external LLM providers:

  • No Training - Data not used to train provider models (OpenAI, Anthropic enterprise tiers)
  • Local Models - Option to use self-hosted models (Llama, Mistral)
  • Prompt Filtering - Remove sensitive data before LLM calls
  • Response Filtering - Scan responses for leaked PII
Continue to Compliance