Security Overview
Mnemosyne is designed with security and privacy as first-class concerns.
Security Model
```mermaid
flowchart TD
    A[Agent] -->|Local API| M[Mnemosyne]
    M -->|Local| DB[(SQLite DB)]
    M -->|Local| E[fastembed Embeddings]
    DB -->|Backup| S3[Disaster Recovery]
    style M fill:#e0f2fe,stroke:#0284c7
    style DB fill:#f0fdf4,stroke:#16a34a
```
Threat Model
| Threat | Mitigation |
|---|---|
| Data theft (local) | Filesystem permissions on SQLite DB |
| Data theft (network) | No network exposure by default |
| Prompt injection | Input validation, parameterized queries |
| Memory poisoning | Importance scoring, scope isolation |
| Data loss | Backup and recovery via disaster recovery module |
Security Features
- Local-first: All data stays in a local SQLite database by default
- Local embeddings: Uses BAAI/bge-small-en-v1.5 via fastembed (384 dims) — no external API calls
- No cloud required: All data stays local by default
- Input sanitization: All user inputs are passed to the database as query parameters
- Session isolation: Separate session IDs isolate memory contexts
- Disaster recovery: Backup and restore via `mnemosyne.dr.recovery`
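
An added example (not Mnemosyne's own code) of checking two of the controls listed above: filesystem permissions on the SQLite file and its sidecar files, and session-scoped parameterized queries. The `memories` table, its columns, and all function names are assumptions made for illustration.

```python
import os
import sqlite3
import stat
import tempfile

SIDECARS = ("", "-wal", "-shm", "-journal")  # SQLite may create these next to the DB

def audit_db_permissions(db_path):
    """Return (path, mode) for DB files accessible to group or others."""
    findings = []
    for suffix in SIDECARS:
        path = db_path + suffix
        if os.path.exists(path):
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if mode & (stat.S_IRWXG | stat.S_IRWXO):
                findings.append((path, oct(mode)))
    return findings

def harden_db_permissions(db_path):
    """Restrict the DB and any sidecar files to the owning user (0600)."""
    for suffix in SIDECARS:
        if os.path.exists(db_path + suffix):
            os.chmod(db_path + suffix, 0o600)

def recall(conn, session_id, needle):
    """Session-scoped lookup; both values are bound, never spliced into SQL."""
    rows = conn.execute(
        "SELECT content FROM memories WHERE session_id = ? AND content LIKE ?",
        (session_id, f"%{needle}%"),
    )
    return [row[0] for row in rows]

def demo():
    # Constructed sample data in a throwaway directory (hypothetical schema).
    db_path = os.path.join(tempfile.mkdtemp(), "memories.db")
    conn = sqlite3.connect(db_path)
    conn.execute("CREATE TABLE memories (session_id TEXT, content TEXT)")
    conn.executemany("INSERT INTO memories VALUES (?, ?)",
                     [("s1", "alpha note"), ("s2", "beta secret")])
    conn.commit()
    os.chmod(db_path, 0o644)  # simulate a world-readable DB file
    before = audit_db_permissions(db_path)
    harden_db_permissions(db_path)
    after = audit_db_permissions(db_path)
    # A session ID full of SQL metacharacters is compared as a literal string.
    crossed = recall(conn, "s1' OR '1'='1", "")
    own = recall(conn, "s1", "")
    conn.close()
    return before, after, crossed, own
```

Bound parameters keep input out of the SQL text; they do not neutralize instructions embedded in stored memory content that is later fed to an agent.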
Embedding Model
Mnemosyne uses BAAI/bge-small-en-v1.5 via the fastembed library for all embedding generation. This runs entirely locally — no text is ever sent to an external API.
No External API Calls
By default, Mnemosyne does not send any data to external services. All embedding generation happens locally via fastembed. No OpenAI or other cloud embedding APIs are used.