Skip to content

Security

Tenant-scoped memory

Every memory and cache entry carries tenant_id and namespace. Requests can also use X-Zepto-Tenant-Id, with conflict rejection when JSON and header disagree.

No provider calls

ZeptoDB does not call embedding providers or LLM providers from the server. Applications control prompts, models, provider credentials, and embeddings.

Encryption

TLS 1.3 on every endpoint, including cluster RPC. Optional mTLS for service-to-service auth. Data encrypted at rest through deployment storage controls.

Authentication and RBAC

JWT / OIDC, API keys with rotation, mTLS client certificates, and RBAC with built-in admin, writer, reader, analyst, and monitor roles.


Agent Memory stores operationally sensitive context: summaries, retrieved facts, prompt cache entries, embeddings, replay metadata, and operational stats. The model keeps those boundaries explicit:

  • Memory and cache entries are scoped by tenant and namespace
  • Search/context requests can filter by user, session, agent, type, TTL, importance, pinned status, and metadata
  • Tenant quotas run before global capacity limits, and pinned records are protected from capacity eviction
  • TTL, tenant-quota, and capacity evictions emit tombstones for replay and replication paths
  • Aggregate stats omit memory content, prompts, responses, and metadata
  • Prometheus metrics expose counts, dimensions, evictions, capacity limits, snapshot health, ANN footprint, and sidecar byte gauges only
  • Embeddings are client-supplied; ZeptoDB validates dimensions and rejects NaN/Inf
  • Metadata is caller-provided JSON text, so applications can attach source and trust hints
  • Server-side LLM and embedding provider credentials are not part of the default path

In cluster mode, Agent Memory supports routed writes, point reads, fan-out search/context, semantic-cache fan-out, replica WAL durability policy, cluster-scoped stats, and owner-failover reporting. Shard migration dual-write/catch-up remains future work.


ZeptoDB exposes evidence primitives that can support security and compliance reviews across agentic operations, finance, industrial, automotive, and utilities:

StandardRelevanceStatus
SOC2 Type IIAudit logging, RBAC, encryption, change evidenceEvidence surface
MiFID IITrade audit trail, access controls, decision replayEvidence surface
GDPRNamespace isolation, deletion support, tenant scopingEvidence surface
PCI DSSTLS 1.3, access controls, audit loggingEvidence surface
IEC 62443Industrial control systems authN/authZ and auditEvidence surface
ISO / SAE 21434Automotive cybersecurity and replayable data handlingEvidence surface
NERC CIPElectric utility operational monitoringEvidence surface

Regulated deployments should review SSO, audit export, namespace isolation, and deployment controls against their own operating requirements.


  • TLS 1.3 on HTTP, Arrow Flight, and cluster RPC
  • mTLS for cluster-internal communication
  • Configurable cipher suites and certificate rotation
  • JWT / OIDC with automatic token validation and refresh
  • API key management with creation, rotation, and revocation
  • Multi-factor via OIDC provider delegation
  • Role-based access control with 5 built-in roles
  • Per-namespace permissions for multi-tenant deployments
  • Query-level access control for table and column restrictions
  • Tenant and namespace required on memory/cache records
  • Optional user, session, agent, and type filters
  • TTL and capacity eviction controls
  • Pinned memory protection for capacity eviction
  • Delete and eviction tombstones for replayable removals
  • Auth events, failed attempts, queries, and admin actions
  • Structured JSON compatible with Splunk, ELK, Datadog, and SIEM workflows
  • AgentOps telemetry tables for agent runs, retrieval events, cache events, LLM calls, and tool calls

Found a security issue? Please report it responsibly:

skswlsaks@gmail.com

We aim to acknowledge reports within 48 hours and provide a fix timeline within 5 business days.


For detailed configuration, see the Security Operations Guide and SSO Integration Guide.


AreaCurrent review stance
Agent MemoryTenant and namespace scoping, TTL/capacity controls, and replayable deletion tombstones should be tested against your application policy.
Prompt cacheApplications own prompt content, model calls, provider credentials, and cache reuse policy.
SSO / OIDCValidate identity-provider configuration, token lifetime, role mapping, and audit logging before production use.
Multi-node operationValidate routing, failover, metrics, rollback, and recovery behavior in a controlled environment.
Physical AI supervisor pathsTreat as shadow-only advisory surfaces unless a separate operator-controlled promotion gate approves a narrower runtime scope.

Use GitHub Discussions for deployment and security questions.