Security · Updated 2026 Q2
We treat your memory the way you'd treat someone else's secrets.
Memory is the most intimate data we will ever ask you to trust us with. That means security is not a marketing surface here — it's the floor everything else stands on.
This page is a plain-language map: what we already do, what we know we still need to do, and how to reach us if you find something we missed.
Current posture
Six things that are already true today.
These are not aspirations. They are wired into the codebase and the production environment right now, and we will tell you on the changelog the day any of them change.
- 01 · Encrypted tokens at rest
  Auth tokens live in EncryptedTokenStore on-device. No plain-text credentials, ever. Certificate pinning enforced on every critical endpoint.
- 02 · Zero-Data-Retention AI gateway
  All AI traffic flows through our own gateway with Zero Data Retention enforced — opt-out training, no logging. No OpenAI. No Anthropic. No Google in the memory path.
- 03 · Sensitive captures never leave the device
  PII pre-filter wired to the intake gate. Health, finance, identity, and anything you mark private are excluded from every AI path — RAG, embeddings, intake, Mini AHA, Wisp cards. Even on Pro.
- 04 · Local-first analytics
  Onboarding analytics live in DataStore by default. Cloud send only when you explicitly consent. Google Consent Mode v2 enforced at page load with defaults DENIED.
- 05 · Fail-closed rate limiting
  The AI gateway fails CLOSED on rate limits, not open. A misconfigured client never silently bypasses quota. Anti-abuse cap is published in the changelog when it moves.
- 06 · Plain-text export, always
  Every account can export the full memory as plain text, free tier included. No lock-in, no premium export upsell, no obfuscation. You leave wamid with everything.
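What "fails CLOSED" in item 05 means in practice, as an added sketch that is not wamid's gateway code: every condition the limiter cannot positively verify (counter store down, limits missing or malformed, caller identity absent) resolves to deny. All names here (`check_quota`, `InMemoryCounters`, the `per_user` / `per_ip` keys, the 60-second window) are assumptions made for the example.

```python
import time
from dataclasses import dataclass

class QuotaBackendError(Exception):
    """Counter store unreachable (constructed for this example)."""

@dataclass
class Decision:
    allowed: bool
    reason: str

class InMemoryCounters:
    """Stand-in for a shared counter store; healthy=False simulates an outage."""
    def __init__(self, healthy=True):
        self.healthy = healthy
        self.hits = {}

    def incr(self, key, window_start):
        if not self.healthy:
            raise QuotaBackendError("counter store unreachable")
        k = (key, window_start)
        self.hits[k] = self.hits.get(k, 0) + 1
        return self.hits[k]

def check_quota(counters, limits, user_id, ip, now=None, window=60):
    """Return a Decision; anything unexpected is a deny, never an allow."""
    now = time.time() if now is None else now
    window_start = int(now // window) * window
    try:
        per_user, per_ip = limits["per_user"], limits["per_ip"]
        # A zero, negative, boolean or non-integer cap is a misconfiguration:
        # deny instead of treating it as "unlimited".
        for cap in (per_user, per_ip):
            if isinstance(cap, bool) or not isinstance(cap, int) or cap <= 0:
                return Decision(False, "invalid_limit_config")
        if not user_id or not ip:
            return Decision(False, "missing_identity")
        if counters.incr(f"user:{user_id}", window_start) > per_user:
            return Decision(False, "user_quota_exceeded")
        if counters.incr(f"ip:{ip}", window_start) > per_ip:
            return Decision(False, "ip_quota_exceeded")
        return Decision(True, "ok")
    except (KeyError, TypeError):          # limits missing or not a mapping
        return Decision(False, "invalid_limit_config")
    except QuotaBackendError:              # outage: deny, do not wave through
        return Decision(False, "quota_backend_unavailable")
```

The deny reasons are worth emitting as metrics: a spike in `quota_backend_unavailable` or `invalid_limit_config` is an operational alert, not an abuse signal.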
Threat model
What we worry about, and what we do about it.
Security is not the absence of threats — it's a clear-eyed view of which ones matter and what posture we hold against each. Here is ours.
| Threat | Mitigation |
|---|---|
| An attacker steals an unlocked device with wamid installed. | App data is encrypted at rest by the OS. Tokens are wrapped by EncryptedTokenStore (Android Keystore). Re-auth required after biometric timeout. Remote sign-out available. |
| A third-party AI vendor logs or trains on a user's capture. | All AI traffic routes through our own privacy-first AI gateway with ZDR enforced. The reasoning model is an open-weight reasoning model, never tied to any single major AI provider. Sensitive captures never reach the cloud at all. |
| Network attacker performs a man-in-the-middle on AI calls. | Certificate pinning on every critical endpoint (Vertex, Supabase, gateway). TLS 1.3 enforced. No HTTP fallback. Connection refused on cert mismatch. |
| A bug accidentally exposes a private note to the AI pipeline. | The private flag is enforced at the gate, not at the UI. Embedding invalidated on toggle to private. Adversarial review process before every release that touches the AI path. |
| Supabase auth credentials are leaked from the device. | Refresh tokens stored in EncryptedTokenStore with rotation. JWT lifetimes capped. Server-side revocation honored within minutes. Account-level sign-out everywhere. |
| A misconfigured rate limit allows abuse and inflates AI cost. | Gateway fail-closed on quota. Per-user and per-IP caps. Anti-abuse cap published in changelog. Anomalous spikes alert in observability before they hit the bill. |
| An employee at our infrastructure provider tries to read memory. | Memory content is encrypted at rest. Postgres row-level security per user. Access logs auditable. Long-term plan: end-to-end encryption for sync (Compass phase) so even we cannot read the synced corpus. |
| An export endpoint leaks more data than the requesting user owns. | Export is gated by row-level security at the database. Manual review of every endpoint that returns user-scoped data. Penetration test planned before public launch (Signal phase). |
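The "enforced at the gate, not at the UI" and "embedding invalidated on toggle to private" mitigations, as an added sketch that is not wamid's code: one eligibility function is consulted by the write path and the read path, and marking a capture private removes its stored vector. Class and function names, the `general` category, and the two PII patterns are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

SENSITIVE_CATEGORIES = {"health", "finance", "identity"}   # named on the page
KNOWN_CATEGORIES = SENSITIVE_CATEGORIES | {"general"}      # "general" is assumed
# Constructed patterns standing in for a real PII pre-filter.
PII_PATTERNS = [
    re.compile(r"\b(?:\d[ -]?){13,19}\b"),            # card-like digit runs
    re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b"),  # IBAN-like strings
]

@dataclass
class Capture:
    id: str
    text: str
    category: str = "general"
    private: bool = False

def ai_eligible(c: Capture) -> bool:
    """Single gate for every AI path; unknown state means excluded."""
    if c.private or c.category not in KNOWN_CATEGORIES:
        return False
    if c.category in SENSITIVE_CATEGORIES:
        return False
    return not any(p.search(c.text) for p in PII_PATTERNS)

class EmbeddingIndex:
    def __init__(self):
        self.vectors = {}

    def upsert(self, c: Capture) -> bool:
        if not ai_eligible(c):              # checked here, not by the caller
            self.vectors.pop(c.id, None)    # drop any vector from an earlier state
            return False
        self.vectors[c.id] = [float(len(c.text))]   # placeholder vector
        return True

    def search_ids(self, captures):
        """Retrieval candidates: the gate is re-checked at read time too."""
        return [c.id for c in captures if c.id in self.vectors and ai_eligible(c)]

def set_private(c: Capture, index: EmbeddingIndex, private: bool) -> None:
    c.private = private
    if private:
        index.vectors.pop(c.id, None)       # invalidate the stale embedding
    else:
        index.upsert(c)                     # re-admit only if the gate allows
```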
Audit roadmap
The certifications and audits we are working toward.
We do not claim certifications we do not have. We do publish where we are on the road to each, with the date we expect to clear it.
- Now (Live): Privacy-by-design architecture review, internal.
- 2026 · Q3 (Live): GDPR / ePrivacy compliance baseline (Consent Mode v2, DPA template draft).
- 2026 · Q4 (In progress): Independent penetration test before public Android launch.
- 2027 · Q1 (In progress): Public threat model and security white paper.
- 2027 · Q3 (Planned): SOC 2 Type I readiness assessment.
- 2028 · Q1 (Planned): SOC 2 Type II audit window opens.
- 2028 · Q2 (Planned): ISO 27001 certification process begins.
- 2028 · Q4 (Planned): DPA-ready enterprise contracts, EU-only deployment option.
Responsible disclosure
Find something we missed? Tell us first, get credit, get paid.
If you discover a vulnerability in wamid, please report it to us privately before sharing it publicly. We commit to acknowledging within 48 hours, communicating throughout triage, and crediting you publicly when the fix ships — unless you prefer to stay anonymous.
Send a report to security@wamid.app
Acknowledgment within 48 hours. Triage update within 5 business days. Fix and credit publication coordinated with you.
In scope
- wamid.app and all subdomains (api, app, ai-call, etc.)
- Android application (production package com.wamid.app).
- AI gateway endpoints exposed to authenticated users.
- Authentication, session and token handling.
- Cross-account data leakage, RLS bypass, privilege escalation.
- Privacy violations: sensitive capture leaving the device, training opt-in bypass.
Out of scope
- Reports generated solely by automated scanners without proof of impact.
- Denial of service, rate-limit testing, brute force on production.
- Social engineering of wamid team or users.
- Physical attacks against devices or infrastructure.
- Issues in third-party services we do not control (Supabase, Vercel, upstream AI providers).
PGP
A PGP key for security@wamid.app will be published before the first public penetration test (2026 Q4). Until then, please email plainly — we will move to encrypted channels at our reply if the report is sensitive.