Security at Arc Labs.

Recall is open source. The reference implementation runs in three modes: embedded (in-process SQLite), self-hosted (you operate Postgres + pgvector), and managed cloud (we operate the infrastructure on your behalf). Most of this page applies to the managed cloud and to recommended self-hosting practices.

We design memory systems to handle data we'd be uncomfortable losing or leaking. The architecture below reflects that.

In transit. All API endpoints require TLS 1.3. HSTS preload enabled on production domains. mTLS available for enterprise customers.

At rest. Database storage uses AES-256-GCM at the volume layer. Backups encrypted with separate keys; encryption keys rotated quarterly.

Embeddings and metadata are treated identically — both are user-derived data and must be encrypted.

Multi-tenant deployments enforce isolation at the database row level (per-tenant row-level security policies in Postgres) and at the query layer (every memory query must include a scope; queries without scope are rejected at the API).

For higher-isolation workloads, dedicated-cluster deployment is available — one database per customer, one HNSW index per customer.

Production keys live in a managed key service (AWS KMS / GCP KMS depending on deployment region). Application code never sees raw key material; envelope encryption is used for tenant-scoped data keys.

For self-hosted deployments, we document key handling but do not manage keys on your behalf.

Deletion is hard-delete by default. When a user or tenant requests deletion, memories are removed from primary storage and all secondary indexes (vector, lexical, graph) within 24 hours. The audit ledger retains a tombstone (memory ID, deletion timestamp, requester) but not memory content.

PII minimization. The write pipeline includes a PII-detection stage that drops candidates containing detected sensitive identifiers (SSN, payment-card numbers) unless explicitly tagged as expected for the tenant's use case.

Data residency. Managed cloud customers may select US, EU, or India regions. Cross-region data movement is opt-in.

SOC 2 Type II: in progress — audit window opens Q3 2026, expected completion Q1 2027. We will share the report under NDA on request.

GDPR: our managed cloud is structured to support GDPR data subject rights (access, erasure, portability) via the Recall API. A standard DPA template is available.

HIPAA: not currently supported. Contact us if your deployment would require HIPAA compliance — we can scope a path forward.

ISO 27001: planned for 2027 once SOC 2 Type II completes.

The Rust core, TypeScript and Python SDKs are scanned weekly with cargo-audit, npm audit, and pip-audit. Critical and high CVEs are patched within 7 days; mediums within 30 days.

We pin all transitive dependencies and review every new direct dependency against a minimal list of allowed crates / packages.

We follow a responsible disclosure process. To report a vulnerability, email security@arc-labs.ai with details. We acknowledge within 24 hours and aim to ship a fix within 14 days for critical issues.

We do not currently run a paid bug bounty program. We do credit reporters in release notes (with permission).

Our incident response runbook covers detection, containment, eradication, recovery, and post-mortem. For managed cloud customers, we commit to:

• Initial customer notification within 24 hours of confirmed incident.
• Public post-mortem within 14 days for incidents affecting multiple customers.
• Annual tabletop exercises to test the runbook.

Security questions, vulnerability reports, or compliance requests:

• Email: security@arc-labs.ai (PGP key available on request)
• For SOC 2 / DPA / questionnaires: trust@arc-labs.ai