imem.ai

Security model

Encryption, AI access, and private vaults

imem is built around hosted AI-readable primary memory. That gives MCP, search, vectors, sync reconciliation, and active-loop agents access to the vault. It also means the current hosted vault is not true end-to-end encrypted.

What is protected today

In transit
Web, MCP, OAuth, and sync traffic use HTTPS/TLS in production.
Provider at rest
Postgres, Blob, and infrastructure storage rely on provider-managed encryption at rest.
Tokens
Magic-link tokens, MCP tokens, refresh tokens, and sync passwords are hashed before storage.
Obsidian sync replica
Generated Self-hosted LiveSync setup uses a server-readable CouchDB bridge so web, MCP, search, and Obsidian can reconcile the same markdown.

Why hosted AI is not E2EE

  • The hosted MCP server reads markdown so AI clients can list, search, read, and write notes.
  • The vector index stores derived chunks and embeddings so semantic search and the graph work.
  • Active-loop ingest and lint workers read note content to extract summaries, tags, entities, and review findings.
  • The web editor renders plaintext markdown from the server-readable canonical vault.

Current production claim

imem encrypts data in transit and uses encryption at rest. The hosted AI vault and Obsidian sync bridge are server-readable and are not zero-knowledge or end-to-end encrypted.

What true E2EE requires

The correct future fix is a separate private-vault mode, not a misleading checkbox. In that mode imem servers never receive plaintext, and hosted AI features are disabled or routed through a local key-holding bridge.

  • Client-side encryption/decryption in the web app and Obsidian before content reaches imem servers.
  • Encrypted canonical document bodies, revisions, chunks, metadata, lint findings, and attachments.
  • A local MCP bridge or browser-held key so AI access happens on a device that holds the vault key.
  • Server-side vector search replaced by local embeddings, client-side encrypted index search, or explicitly opt-in plaintext AI processing.
  • Clear feature gating so private vault users never accidentally enable hosted server-side AI reads.