Security & Data Integrity

When you connect a database or API, your credentials are encrypted immediately using AES-256-GCM with a key derived from a server-side secret. Plaintext credentials are never stored, never logged, and never included in API responses.

Credentials are only decrypted at the moment a query is executed, and only in server memory. They are never transmitted to the frontend or to any third-party service.

Memnai uses AI to translate your natural-language questions into SQL queries or API requests. Before any generated query runs against your data source, it goes through multiple safety layers:

• SQL queries are validated as SELECT-only — INSERT, UPDATE, DELETE, DROP, and DDL statements are rejected
• API requests are constrained to endpoints defined in your OpenAPI spec — arbitrary URLs cannot be constructed
• SQL queries include EXPLAIN previews so you can see the execution plan before committing
• All queries use parameterized inputs — no string interpolation, no injection risk

Authentication is handled by AWS Cognito using the OAuth 2.0 PKCE flow. Memnai never sees or stores your password — it is managed entirely by Cognito's hosted authentication infrastructure.

Role-based access control (RBAC) ensures that users only see what their role permits. Every API request is verified against a JSON Web Key Set (JWKS) and scoped to the user's organization.

Memnai is hosted on AWS infrastructure with encryption in transit (TLS) for all connections — both between your browser and Memnai, and between Memnai and your data sources.

• All traffic encrypted via TLS 1.2+
• Internal database credentials encrypted at rest (AES-256-GCM)
• No sensitive data in application logs — passwords, tokens, API keys, PII, and query results are never logged
• Error messages are sanitized to prevent internal detail leakage

Memnai uses AI models (OpenAI, Anthropic) to translate your natural-language questions into SQL queries and API requests. Here is exactly what is and is not sent to these providers:

• Sent: your natural-language prompt and database schema metadata (table names, column names, types)
• Never sent: your raw data, query results, credentials, API keys, or personally identifiable information
• Retention: AI providers process requests in real time and do not retain your prompts or schema data beyond the API call
• Training: your data is never used to train AI models — we use API agreements that explicitly prohibit training on customer data
• You can preview every generated query before it executes — nothing runs without your explicit approval

Query results are ephemeral and not persisted beyond your session unless you explicitly save a dashboard. You can request full account and data deletion at any time.