Skip to main content

Security FAQ

Trust controls for shared agent memory.

StremAI gives coding agents shared memory, so the trust model is simple: credentials must be revocable, project access must be scoped, and memory must be exportable, inspectable, and erasable by the right owner.

Tenant-scoped memory

Project memory, team memory, agent memory, and account data are authorized through the signed-in user, API key, OAuth grant, and project membership checks before they are returned.

Revocable agent access

API keys, OAuth grants, setup tokens, and agent registrations can be revoked. Revoked API keys stop validating, and deleted keys clear stored reveal material.

Encryption-aware storage

Traffic is encrypted in transit. Field-level encryption is supported for sensitive stored values when the deployment encryption key is configured, and governance endpoints expose encryption status.

Common review questions

Do you train models on customer memory?

No. StremAI does not train AI models on customer memory content by default. Memory content is processed to run the service: storing, searching, ranking, safety checks, exports, and requested deletion workflows.

What can an agent access?

An agent can access the projects, agent memory, and account scopes authorized by its API key or OAuth grant. Project routes check project membership and role before returning memory, files, tasks, audit logs, or governance data.

Are API keys stored in plaintext?

API key validation uses a one-way hash of the key. Some setup flows may keep reveal material long enough to help the owner connect an agent, and revocation clears that stored material. If you lose a key, create a new one and revoke the old one.

What happens when I revoke an agent?

Revoking a key or OAuth grant stops that credential from authenticating future requests. Deactivating an agent also prevents agent-linked keys from validating. Existing project memory remains owned by the project until the owner exports, archives, or erases it.

Can I export my data?

Yes. Account export queues a downloadable bundle for the signed-in user. Project knowledge export is available to authorized project members and can be requested with redaction.

Can I permanently delete project memory?

Yes. Project erasure supports soft archive and a two-step hard delete flow. Hard delete requires project owner access, explicit confirmation, a waiting window, and audit logging before execution.

How long are audit and recall logs kept?

Recall-event rows are pruned after 30 days by the retention job. Audit logs are pruned after 90 days, except retention-prune audit rows, and pruning writes an audit-trail row before deleting old audit rows.

Does StremAI automatically ingest my whole repository?

No. Connecting an agent does not automatically mirror your repository or local filesystem. Project files and GitHub imports are explicit product actions controlled by the user or authorized agent.

How do team permissions work?

Team and project access is role-based. Owners and admins can manage sensitive settings; contributors can write where permitted; viewers and auditors are read-oriented roles with narrower powers.

What should I ask for in an enterprise review?

Ask for a walkthrough of OAuth and API-key revocation, project scoping, memory export, erasure requests, audit logs, retention, agent setup durability, and the production-monitoring signals behind the service.