Security

Your data is yours.
We built it that way.

3ngram stores your memories, decisions, and commitments. That is sensitive data, and we treat it accordingly. This page describes the principles behind how we protect it. For technical details, see our privacy policy. For sub-processor and infrastructure specifics, contact us for our data processing agreement.

Storage

Data handling

  • Data residency: Your data is stored in a managed database hosted in the EU. Sub-processor details are available in our data processing agreement.
  • Encryption at rest: All data is encrypted at rest. Integration tokens (credentials for connected services) are additionally encrypted at the application layer before storage.
  • Encryption in transit: TLS is required on all connections between the application and the database. All API traffic is served over HTTPS.
Isolation

Access controls

  • Data isolation: Every table containing user data enforces row-level isolation at the database layer, not just in application code. Even if application logic has a bug, the database itself prevents cross-user data access.
  • Defense in depth: Data isolation is enforced at multiple layers: the database, the application, and the API. The application uses a least-privilege database account that cannot modify the database structure.
Authentication

Authentication and sessions

  • Passwords: Hashed using a modern, memory-hard algorithm. Passwords are never stored in plaintext, never logged, and never returned in API responses.
  • Sessions: Short-lived access tokens with separate refresh tokens. Each token can be individually revoked. Active sessions are tracked per device, and you can revoke individual devices or sign out everywhere.
  • Social login: Google and GitHub login with explicit consent before account creation.
  • MCP authentication: The MCP server uses OAuth with device flow support, plus CSRF protection on all state-changing requests.
Protection

Rate limiting and brute-force protection

  • API rate limits: Per-user rate limiting on all endpoints. Expensive operations have stricter limits.
  • Login protection: Progressive delays after failed login attempts. After repeated failures, the account is temporarily locked.
Audit

Audit trail

  • Append-only log: Security-relevant actions are written to an append-only audit log. The application cannot modify or delete log entries.
  • What is logged: Login attempts, session changes, memory operations, and administrative actions.
Validation

Input validation

  • Request validation: Strict input validation on every API request, with type checking, length constraints, and format validation.
  • SQL injection prevention: All database queries use parameterized statements. No string interpolation in SQL.
Infrastructure

Hosting and operations

  • Deployments: Automated deployments from protected branches. Database migrations run automatically before each deploy.
  • Error tracking: Crash reports are processed within the EU. Reports include request metadata for debugging, never your memory content.
  • Analytics: Consent-gated: no tracking scripts load until you accept. No third-party ad trackers.
  • Secret management: All credentials and signing keys are stored in encrypted environment variables, separate from the codebase, and rotated on a regular schedule.
Compliance

Compliance posture

What we can say today:

  • EU entity: B3dmar ApS is a Danish company. Your data controller is in the EU.
  • GDPR-aware: Data deletion on request, consent-gated analytics, EU-based data processing, minimal data collection.
  • Data portability: Your memories, documents, and metadata are exportable. No vendor lock-in on your data.

What we are honest about:

  • SOC 2: Not yet certified. We follow the practices, but have not completed a formal audit.
  • HIPAA: Not applicable. 3ngram is not designed for protected health information.

Questions about security?

Read our privacy policy for the full legal details, or email us with specific questions.

Get started free

We use analytics to improve the product. Cookie Policy