// security architecture
Security is the foundation.
Not a feature.
AES-256-GCM at rest. SSO + MFA. Five layers of access control. Sandboxed code execution. Prompt-injection defense. 110+ security audit rounds. Zero open critical or high findings. Patent-pending spatial council architecture.
// access control
Five layers, independently enforced.
A perimeter is one wall. A workspace where teams meet AI needs defense at every depth. Five independent gates from user identity down to individual conversation. A misconfiguration in one is not an opening in the next.
USER
Identity
Role-based access control with multiple admin tiers. Short-lived access tokens with secure refresh and server-side revocation. Multi-factor authentication enforced, with backup verification and rate-limited attempts. Token-reuse detection neutralizes common session-replay attacks at the protocol level.
WORKSPACE
Workspace isolation
Personal and company workspaces are hard-isolated at every query path, not just in the UI. Workspace-scoped LIST endpoints filter by the active workspace, not by user alone. Company funding modes (Company-only, Owner-fallback with monthly caps, Owner-only) keep billing separated from access.
LEVEL
Level classification
Each workspace can have multiple Levels (think floors in a building), with per-member READ/WRITE/ADMIN tiers on each level. A confidential Level 2 can be invisible to people who see Level 1 every day. New levels unlock only once L1 is on a paid hex pack, which keeps spend tied to access expansion.
ZONE
Zone topic ACL
Per-user READ/WRITE/ADMIN per zone. Memory propagation respects permissions: nothing leaks to neighbors you cannot see. Zone Charter (standing orders) and Zone Playbook (numbered behavior rules) shape how every member of the zone behaves.
CONVERSATION
Thread-level guard
Cross-conversation reference validation prevents data leakage between threads. One thread cannot quietly pull data from another the user has not opened. Sandboxed code execution for inline code (network-isolated, ephemeral, validated before execution). Cross-conversation memory propagation respects the zone-level ACL.
// encryption
AES-256-GCM. Everywhere.
At rest
AES-256-GCM envelope encryption with a workspace-scoped master key. Production rejects default or all-zero key material at boot. OAuth tokens, API keys, refresh tokens are encrypted per-record.
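Envelope encryption of this shape, as an added example rather than In My Mind's implementation: a per-record data key sealed under a workspace-scoped master key, the workspace id bound in as AAD, and the boot-time refusal of all-zero or repeated-byte key material. Function names and the nonce-prefix blob layout are assumptions; it uses the `cryptography` package's AESGCM.

```python
import os
from dataclasses import dataclass
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

NONCE_LEN = 12  # 96-bit GCM nonce, prefixed to every blob (layout is an assumption)

@dataclass(frozen=True)
class Envelope:
    wrapped_dek: bytes   # per-record data key, sealed under the workspace master key
    ciphertext: bytes    # record body, sealed under the data key

def check_master_key(key: bytes) -> None:
    """Boot-time guard: refuse anything that is not 32 bytes of real material."""
    if len(key) != 32:
        raise ValueError("master key must be 32 bytes for AES-256")
    if key == key[:1] * 32:  # all-zero, or any other single repeated byte
        raise ValueError("master key is all-zero or default material")

def _seal(key: bytes, plaintext: bytes, aad: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    return nonce + AESGCM(key).encrypt(nonce, plaintext, aad)

def _open(key: bytes, blob: bytes, aad: bytes) -> bytes:
    if len(blob) < NONCE_LEN + 16:  # nonce plus the 16-byte GCM tag is the minimum
        raise ValueError("truncated ciphertext")
    return AESGCM(key).decrypt(blob[:NONCE_LEN], blob[NONCE_LEN:], aad)

def encrypt_record(master: bytes, workspace_id: str, plaintext: bytes) -> Envelope:
    """Fresh DEK per record. The workspace id is AAD on both layers, so a blob
    copied into another workspace fails authentication instead of decrypting."""
    check_master_key(master)  # in production this runs once, at boot
    dek = AESGCM.generate_key(bit_length=256)
    aad = workspace_id.encode()
    return Envelope(_seal(master, dek, aad), _seal(dek, plaintext, aad))

def decrypt_record(master: bytes, workspace_id: str, env: Envelope) -> bytes:
    aad = workspace_id.encode()
    dek = _open(master, env.wrapped_dek, aad)
    return _open(dek, env.ciphertext, aad)

def can_decrypt(master: bytes, workspace_id: str, env: Envelope) -> bool:
    """True only if both the DEK unwrap and the body decrypt authenticate."""
    try:
        decrypt_record(master, workspace_id, env)
        return True
    except (InvalidTag, ValueError):
        return False
```

Rotating the master key (or bringing your own KMS) only requires re-wrapping each record's DEK, not re-encrypting the record bodies.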
In transit
TLS 1.2+ on every connection. End-to-end HTTPS with HSTS preload across all subdomains.
JWT signing
Industry-standard signing with a rotating server-side secret. Production rejects weak or default signing material at boot and refuses to start. Short-lived access tokens with longer-lived refresh.
Session-replay defense
Refresh tokens rotate on every use. Reuse of a stale token revokes the session lineage. Common session-replay attack class neutralized at the protocol level.
Webhook signatures
Inbound webhooks are signature-verified before processing. Event handling is idempotent, so replays and retries are safe.
Bring your own KMS
Enterprise + on-prem deploys can bring their own KMS. Per-customer encryption keys. Field-level controls for the most sensitive deployments. Contact Sales.
// prompt-injection defense
Untrusted text gets sanitized.
Any content that didn't come from a trusted, authenticated user is treated as untrusted by default and validated before it reaches a model. The validation runs at every assembly point, not just on input.
MULTI-LAYER DEFENSE
Validated before it reaches a model
Every untrusted string passes through multi-layer validation before it can land in a model's context. We don't publish the specific patterns, by design, since publishing them just helps attackers route around them.
UNICODE NORMALIZATION
Lookalike-character attacks defeated
Untrusted text is normalized to defeat lookalike-character attacks. Naive string matching is not enough; we go further, and we don't catalog the techniques publicly.
MEMORY LAYER PROTECTED
Validated before propagation
AI-extracted memories are validated before storage. Content that fails validation never propagates through the knowledge graph.
CROSS-CONV VALIDATION
Reference-bound
One conversation cannot reference content the user does not have access to in another. Validation runs every time context is assembled, not just at conversation open.
// imported skills
Reviewed before they go live.
Skills are reusable instruction sets you can build yourself or import in the open Agent Skills (SKILL.md) format. Imported skills are reviewed before they go live, and bundled scripts are not run. You stay in control of what your agents can do.
// code execution sandbox
When AI runs code, we built the cage.
The runner that AI agents use to compute, render PDFs, generate charts, and parse data lives in an isolated, ephemeral sandbox with no network and no persistent filesystem.
- ✓ Network isolated: No outbound network. No name resolution. The sandbox cannot reach the internet or your internal services.
- ✓ Ephemeral filesystem: Writes are scoped to a scratch space and discarded between runs. Read-only root.
- ✓ Validated before execution: Submitted code is parsed and inspected. Dangerous operations are stripped or rejected before the sandbox starts.
- ✓ Hard resource limits: Strict wall-clock, memory, and process-count ceilings. Runaway code is terminated.
- ✓ Output sanitized: Returned artifacts are filtered. Executable file types and suspicious payloads cannot leave the sandbox.
// audit history
110+ rounds. Zero open critical or high.
In My Mind has run 110+ rounds of comprehensive security audits, each numbered, each scoped, each with findings recorded and remediated. Adversarial reviews precede substantive deploys. Findings are categorized by severity (CRITICAL / HIGH / MEDIUM / LOW) and remediated before release.
110+ security audit rounds. 0 open critical/high. 3 adversarial agents per deploy. 100% of findings remediated or accepted.
Coverage spans the OWASP Top 10, authentication bypass, injection attacks, CSRF, SSRF, path traversal, billing accuracy, rate limiting, container security, prompt-injection defense, and access-control hierarchy enforcement. Every PR that touches auth or billing requires a security review tag.
// IP & patents
Patent-pending architecture.
In My Mind's spatial council architecture is patent-pending. Multiple US patent applications cover core platform IP.
FOR THE TIGHTEST DATA PROTECTION REQUIREMENTS
On-premises deployment.
Same architecture. Your VPC. Your KMS. Your AI provider keys. Optional air-gap with self-hosted OpenAI-compatible models. Same code we run in our own production, packaged with a Docker Compose blueprint for your runbook. Contact your In My Mind Sales team for details.