// security architecture

Security is the foundation.
Not a feature.

AES-256-GCM at rest. SSO + MFA. Five layers of access control. Sandboxed code execution. Prompt-injection defense. 110+ security audit rounds. Zero open critical or high findings. Patent-pending spatial council architecture.


// access control

Five layers, independently enforced.

A perimeter is one wall. A workspace where teams meet AI needs defense at every depth. Five independent gates from user identity down to individual conversation. A misconfiguration in one is not an opening in the next.

L1

USER

Identity

Role-based access control with multiple admin tiers. Short-lived access tokens with secure refresh and server-side revocation. Multi-factor authentication enforced, with backup verification and rate-limited attempts. Token-reuse detection neutralizes common session-replay attacks at the protocol level.

L2

WORKSPACE

Workspace isolation

Personal and company workspaces are hard-isolated at every query path, not just in the UI. Workspace-scoped LIST endpoints are scoped to the active workspace, not only to the requesting user. Company funding modes (Company-only, Owner-fallback with monthly caps, Owner-only) keep billing separated from access.

L3

LEVEL

Level classification

Each workspace can have multiple Levels (think floors in a building). Per-member READ/WRITE/ADMIN tiers per level. A confidential Level 2 can be invisible to people who see Level 1 every day. New levels unlock once L1 is on a paid hex pack, which keeps spend tied to access expansion.

L4

ZONE

Zone topic ACL

Per-user READ/WRITE/ADMIN per zone. Memory propagation respects permissions: nothing leaks to neighbors you cannot see. Zone Charter (standing orders) and Zone Playbook (numbered behavior rules) shape how every member of the zone behaves.

L5

CONVERSATION

Thread-level guard

Cross-conversation reference validation prevents data leakage between threads. One thread cannot quietly pull data from another the user has not opened. Sandboxed code execution for inline code (network-isolated, ephemeral, validated before execution). Cross-conversation memory propagation respects the zone-level ACL.

// encryption

AES-256-GCM. Everywhere.

At rest

AES-256-GCM envelope encryption with a workspace-scoped master key. Production rejects default or all-zero key material at boot. OAuth tokens, API keys, and refresh tokens are encrypted per record.
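As an added illustration (not In My Mind's code), here is what that at-rest scheme looks like in Python with the `cryptography` package: a boot-time check that refuses a short or all-zero master key, then per-record AES-256-GCM envelope encryption. The master key bytes, the record id scheme and the field names are constructed for the example.

```python
import os
from cryptography.hazmat.primitives.ciphers.aead import AESGCM   # pip install cryptography

# Constructed placeholder only: a real deploy reads the master key from a KMS or secret store.
WORKSPACE_MASTER_KEY = bytes.fromhex("9f" * 32)


def validate_master_key(key: bytes) -> bytes:
    """Boot-time gate: AES-256 needs 32 bytes, and the all-zero placeholder that an
    unset variable or default config typically yields is refused outright."""
    if len(key) != 32:
        raise RuntimeError("master key must be 32 bytes (AES-256)")
    if key == bytes(32):
        raise RuntimeError("refusing to start with all-zero master key")
    return key


def _seal(key: bytes, plaintext: bytes, aad: bytes) -> bytes:
    """AES-256-GCM under a fresh 96-bit nonce; stored layout is nonce || ciphertext || tag."""
    nonce = os.urandom(12)
    return nonce + AESGCM(key).encrypt(nonce, plaintext, aad)


def _open(key: bytes, blob: bytes, aad: bytes) -> bytes:
    """Reverse of _seal; any change to nonce, ciphertext, tag or AAD raises InvalidTag."""
    return AESGCM(key).decrypt(blob[:12], blob[12:], aad)


def encrypt_record(master_key: bytes, record_id: str, secret: bytes) -> dict:
    """Envelope-encrypt one stored secret (an OAuth token, an API key, a refresh token).
    A fresh data-encryption key (DEK) encrypts the secret, then the DEK is wrapped under
    the workspace master key. The record id is bound as AAD on both layers, so a
    ciphertext copied onto another row fails to decrypt."""
    validate_master_key(master_key)
    dek = AESGCM.generate_key(bit_length=256)
    aad = record_id.encode()
    return {"record_id": record_id,
            "wrapped_dek": _seal(master_key, dek, aad),
            "ciphertext": _seal(dek, secret, aad)}


def decrypt_record(master_key: bytes, record: dict) -> bytes:
    """Unwrap the DEK, then open the data. Rotating the master key means re-wrapping
    DEKs, not re-encrypting every record."""
    aad = record["record_id"].encode()
    dek = _open(master_key, record["wrapped_dek"], aad)
    return _open(dek, record["ciphertext"], aad)
```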

In transit

TLS 1.2+ on every connection. End-to-end HTTPS with HSTS preload across all subdomains.

JWT signing

Industry-standard signing with a rotating server-side secret. Production rejects weak or default signing material at boot and refuses to start. Short-lived access tokens paired with longer-lived refresh tokens.

Session-replay defense

Refresh tokens rotate on every use. Reuse of a stale token revokes the whole session lineage. This neutralizes a common class of session-replay attack at the protocol level.
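An added example, not the platform's implementation, of the rotation-and-reuse rule described above, in Python with only the standard library; the store shape, the token format and the 30-day TTL are assumptions for illustration.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class RefreshToken:
    family: str          # the session lineage: one login, many rotations
    user_id: str
    expires_at: float
    used: bool = False   # flipped once the token has been exchanged


class RefreshTokenStore:
    """Server-side store keyed by token hash; the raw token lives only with the client.

    A token that was already rotated being presented again means two parties hold a
    copy (the client and whoever captured it), so the whole lineage is revoked."""

    def __init__(self, ttl_seconds: float = 30 * 24 * 3600) -> None:
        self.ttl = ttl_seconds
        self._tokens: dict = {}        # sha256(raw token) -> RefreshToken
        self._revoked: set = set()     # family ids that are dead

    @staticmethod
    def _hash(raw: str) -> str:
        return hashlib.sha256(raw.encode()).hexdigest()

    def _issue(self, family: str, user_id: str) -> str:
        raw = secrets.token_urlsafe(32)
        self._tokens[self._hash(raw)] = RefreshToken(family, user_id, time.time() + self.ttl)
        return raw

    def login(self, user_id: str) -> str:
        """Start a new lineage, e.g. after password and MFA both succeed."""
        return self._issue(secrets.token_hex(8), user_id)

    def refresh(self, raw: str) -> Optional[str]:
        """Rotate: exchange a live token for a fresh one. None means re-authenticate."""
        rec = self._tokens.get(self._hash(raw))
        if rec is None or rec.family in self._revoked or rec.expires_at < time.time():
            return None
        if rec.used:                   # replay: a stale token was presented again
            self._revoked.add(rec.family)
            return None
        rec.used = True
        return self._issue(rec.family, rec.user_id)
```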

Webhook signatures

Inbound webhooks are signature-verified before processing. Event handling is idempotent, so replays and retries are safe.
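Added example (not the platform's code) of verify-then-deduplicate handling in Python; the `X-Timestamp`/`X-Signature` header names, the `timestamp.body` signing layout, the 300-second window and the event JSON shape are constructed assumptions, since the page does not specify them.

```python
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed shared secret; a real deploy loads it from a secret store.
WEBHOOK_SECRET = b"whsec_constructed_example_secret"
TOLERANCE_SECONDS = 300    # freshness window: bounds how long a captured request stays replayable


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """What the sender computes: HMAC-SHA256 over `timestamp.body`, so the timestamp is covered."""
    return hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256).hexdigest()


def verify(secret: bytes, timestamp: int, body: bytes, signature: str, now: float) -> bool:
    """Constant-time signature check plus a timestamp window; both must pass."""
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        return False
    return hmac.compare_digest(sign(secret, timestamp, body), signature)


class WebhookHandler:
    """Verify first, then process each event at most once, keyed by the event id."""

    def __init__(self) -> None:
        self.processed: set = set()    # event ids already handled (persist this in production)
        self.applied: list = []        # side effects, recorded for the demo

    def handle(self, headers: dict, body: bytes, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        try:
            ts = int(headers["X-Timestamp"])
        except (KeyError, ValueError):
            return "rejected"
        if not verify(WEBHOOK_SECRET, ts, body, headers.get("X-Signature", ""), now):
            return "rejected"
        event = json.loads(body)
        if event["id"] in self.processed:
            return "duplicate"         # retry or replay of a valid delivery: acknowledge, change nothing
        self.processed.add(event["id"])
        self.applied.append(event["type"])
        return "processed"
```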

Bring your own KMS

Enterprise + on-prem deploys can bring their own KMS. Per-customer encryption keys. Field-level controls for the most sensitive deployments. Contact Sales.

// prompt-injection defense

Untrusted text gets sanitized.

Any content that didn't come from a trusted, authenticated user is treated as untrusted by default and validated before it reaches a model. The validation runs at every assembly point, not just on input.

MULTI-LAYER DEFENSE

Validated before it reaches a model

Every untrusted string passes through multi-layer validation before it can land in a model's context. We don't publish the specific patterns, by design, since publishing them just helps attackers route around them.

UNICODE NORMALIZATION

Lookalike-character attacks defeated

Untrusted text is normalized to defeat lookalike-character attacks. Naive string matching is not enough; we go further, and we don't catalog the techniques publicly.
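An added Python example, not the platform's own normalizer, showing why naive matching fails and one normalization layer that closes the gap; the confusables table is a constructed ten-entry stand-in for the full Unicode data.

```python
import unicodedata

# Constructed, deliberately tiny cross-script table (Cyrillic and Greek letters that render
# like Latin). Production would use the full Unicode TR39 confusables data; this is enough
# to show the mechanism.
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0455": "s", "\u03bf": "o",
})


def normalize_untrusted(text: str) -> str:
    """Fold the tricks that let a marker slip past a naive substring match.

    1. NFKC collapses compatibility forms (fullwidth letters, ligatures, superscripts).
    2. Format characters (category Cf: zero-width joiners and spaces, BOM, bidi
       controls) are dropped; they are invisible yet break matching.
    3. Cross-script lookalikes are mapped to Latin. NFKC does not do this on its own:
       Cyrillic U+0430 stays distinct from 'a' after normalization.
    4. Case-fold last, so the comparison is case-insensitive."""
    text = unicodedata.normalize("NFKC", text)
    text = "".join(ch for ch in text if unicodedata.category(ch) != "Cf")
    return text.translate(CONFUSABLES).casefold()


def contains_marker(text: str, marker: str, naive: bool = False) -> bool:
    """naive=True shows what plain substring matching sees; the default normalizes both sides."""
    if naive:
        return marker in text
    return normalize_untrusted(marker) in normalize_untrusted(text)
```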

MEMORY LAYER PROTECTED

Validated before propagation

AI-extracted memories are validated before storage. Content that fails validation never propagates through the knowledge graph.

CROSS-CONV VALIDATION

Reference-bound

One conversation cannot reference content the user does not have access to in another. Validation runs every time context is assembled, not just at conversation open.

// imported skills

Reviewed before they go live.

Skills are reusable instruction sets you can build yourself or import in the open Agent Skills (SKILL.md) format. Imported skills are reviewed before they go live, and bundled scripts are not run. You stay in control of what your agents can do.

// code execution sandbox

When AI runs code, we built the cage.

The runner that AI agents use to compute, render PDFs, generate charts, and parse data lives in an isolated, ephemeral sandbox with no network and no persistent filesystem.

  • Network isolated

    No outbound network. No name resolution. The sandbox cannot reach the internet or your internal services.

  • Ephemeral filesystem

    Writes are scoped to a scratch space and discarded between runs. Read-only root.

  • Validated before execution

    Submitted code is parsed and inspected. Dangerous operations are stripped or rejected before the sandbox starts.

  • Hard resource limits

    Strict wall-clock, memory, and process-count ceilings. Runaway code is terminated.

  • Output sanitized

    Returned artifacts are filtered. Executable file types and suspicious payloads cannot leave the sandbox.
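Added Python example covering the validate-before-execution, ephemeral-scratch and hard-limit gates from the list above; it is not the platform's runner, the blocked-module policy and the 2 s / 512 MB / 1-process ceilings are illustrative assumptions, and it assumes a POSIX host (it uses the `resource` module). Network isolation needs kernel namespaces and is not shown here.

```python
import ast
import resource
import subprocess
import sys
import tempfile

# Constructed policy: the static "validated before execution" gate. It sits on top of,
# not instead of, kernel-level isolation (no network namespace, read-only root).
BLOCKED_MODULES = {"os", "subprocess", "socket", "ctypes", "importlib", "sys"}
BLOCKED_CALLS = {"eval", "exec", "open", "__import__", "compile"}

def validate_code(source: str) -> list:
    """Parse the submission and return the reasons to reject it (empty list = accepted)."""
    try:
        tree = ast.parse(source)
    except SyntaxError as e:
        return [f"syntax error: {e.msg}"]
    problems = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            problems += [f"blocked import: {a.name}" for a in node.names
                         if a.name.split(".")[0] in BLOCKED_MODULES]
        elif isinstance(node, ast.ImportFrom) and (node.module or "").split(".")[0] in BLOCKED_MODULES:
            problems.append(f"blocked import: {node.module}")
        elif isinstance(node, ast.Call) and isinstance(node.func, ast.Name) and node.func.id in BLOCKED_CALLS:
            problems.append(f"blocked call: {node.func.id}")
        elif isinstance(node, ast.Attribute) and node.attr.startswith("__"):
            problems.append(f"dunder access: {node.attr}")   # closes the usual introspection escapes
    return problems

def _apply_limits() -> None:
    """Runs in the child between fork and exec. Each ceiling is clamped to the inherited
    hard limit, so setrlimit cannot fail inside an already-restricted container."""
    for res, want in ((resource.RLIMIT_CPU, 2),            # CPU seconds, then SIGXCPU
                      (resource.RLIMIT_AS, 512 * 2**20),   # bytes of address space
                      (resource.RLIMIT_NPROC, 1)):         # no forking
        hard = resource.getrlimit(res)[1]
        cap = want if hard == resource.RLIM_INFINITY else min(want, hard)
        resource.setrlimit(res, (cap, cap))

def run_sandboxed(source: str, wall_clock: float = 3.0) -> dict:
    """Validate, then run in a fresh isolated interpreter (-I) from a scratch dir that is discarded."""
    if problems := validate_code(source):
        return {"status": "rejected", "problems": problems}
    try:
        with tempfile.TemporaryDirectory() as scratch:   # ephemeral workspace, removed on exit
            p = subprocess.run([sys.executable, "-I", "-c", source], cwd=scratch, capture_output=True,
                               text=True, timeout=wall_clock, preexec_fn=_apply_limits)
    except subprocess.TimeoutExpired:
        return {"status": "killed", "reason": "wall-clock limit"}
    if p.returncode != 0:
        return {"status": "failed", "stderr": p.stderr[-200:]}   # SIGXCPU and friends surface here
    return {"status": "ok", "stdout": p.stdout}
```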

// audit history

110+ rounds. Zero open critical or high.

In My Mind has run 110+ rounds of comprehensive security audits, each numbered, each scoped, each with findings recorded and remediated. Adversarial reviews precede substantive deploys. Findings are categorized by severity (CRITICAL / HIGH / MEDIUM / LOW) and remediated before release.

  • 110+ security audit rounds
  • 0 open critical/high findings
  • 3 adversarial agents per deploy
  • 100% of findings remediated or accepted

Coverage spans the OWASP Top 10, authentication bypass, injection attacks, CSRF, SSRF, path traversal, billing accuracy, rate limiting, container security, prompt-injection defense, and access-control hierarchy enforcement. Every PR that touches auth or billing requires a security review tag.

// IP & patents

Patent-pending architecture.

In My Mind's spatial council architecture is patent-pending. Multiple US patent applications cover core platform IP.

FOR THE TIGHTEST DATA PROTECTION REQUIREMENTS

On-premises deployment.

Same architecture. Your VPC. Your KMS. Your AI provider keys. Optional air-gap with self-hosted OpenAI-compatible models. Same code we run in our own production, packaged with a Docker Compose blueprint for your runbook. Contact your In My Mind Sales team for details.

Many minds. Defended at every layer.
