Security

1. Overview

Security is a core design principle at takizen, not an afterthought. We store memories that may contain sensitive context from AI agents — code, decisions, business logic — and we take that responsibility seriously.

This page documents the technical and organisational security controls in place. We aim for transparency: if you discover something we have missed, please tell us.

2. Infrastructure Security

Cloudflare Workers

The MCP API runs on Cloudflare Workers — a V8 isolate-based serverless platform that provides:

• No persistent server state between requests — each request runs in an isolated context.
• Automatic DDoS mitigation at the network edge.
• TLS 1.3 termination at the CDN edge with HSTS enforced.
• No raw filesystem or OS access — the runtime is constrained to Web APIs.

Supabase PostgreSQL

• Hosted in EU-West-1 (Dublin) for GDPR data residency.
• Direct database access is blocked from the public internet — all queries go through the Supabase API layer using the service_role key, held only in Cloudflare Worker secrets.
• The anon key is never used in the backend.
• Row-Level Security (RLS) is enabled on all tables with DENY ALL policies for anon and authenticated roles.
• Even if the RLS layer were bypassed, each query includes a mandatory namespace_id filter enforced in application code.

Secrets Management

All secrets (Supabase service key, OpenRouter API key, admin secret) are stored as Cloudflare Worker secrets — encrypted at rest and injected into the Worker environment at runtime. They are never committed to version control or exposed in logs.

3. Data Encryption

Layer	Encryption
Data in transit	TLS 1.3 enforced end-to-end (Cloudflare → client, Cloudflare → Supabase)
Data at rest (Supabase)	AES-256 via Supabase managed encryption
Data at rest (Cloudflare KV)	Encrypted at rest by Cloudflare
Vector embeddings	Stored as opaque float arrays; not reversible to original text

4. API Key Security

API keys are designed so that compromise of the database does not expose usable keys:

• One-time display — the full plaintext key is shown only once at creation in the browser. It is never stored on our servers.
• SHA-256 hashing — only the hash is stored. Validation compares the hash of the incoming key against stored hashes.
• Key prefix — the first 10 characters are stored in plaintext to allow identification in the dashboard without exposing the full key.
• Per-namespace scope — each key grants access only to its associated namespace. There is no cross-namespace access.
• Expiry support — keys can be created with an optional expiry date.
• Instant revocation — revoking a key in the dashboard takes effect immediately on the next request.

5. Namespace Isolation

Every data-access operation in the codebase enforces namespace isolation:

• The namespace_id is never taken from the request body — it is always derived from the validated API key.
• All database queries include WHERE namespace_id = $1 filters.
• Vector similarity searches (match_memories) are parameterised with p_namespace_id at the PostgreSQL function level.
• Forgetting, archiving, and decay operations are strictly scoped to a single namespace.

There is no multi-tenant shared query path where a malformed request could access another namespace's data.

6. Audit Logging

An append-only audit log records all write operations on sensitive tables:

• Operations: CREATE, UPDATE, DELETE on namespaces, memories, api_keys.
• Each entry records: namespace, table, operation type, row ID, old/new data snapshot, actor, timestamp, IP, user agent.
• The log is append-only — PostgreSQL rules prevent UPDATE and DELETE on the audit_log table, even for the service_role.
• Retained for 24 months.

7. Input Validation

• All MCP tool inputs are validated against strict schemas before processing.
• Memory content length is capped to prevent excessively large payloads.
• SQL queries use parameterised statements via the Supabase client — no string concatenation.
• No dynamic code execution or eval anywhere in the codebase.

8. Rate Limiting & Abuse Prevention

• Cloudflare provides edge-level rate limiting and bot detection.
• Per-namespace daily recall limits are enforced in application code.
• Cron jobs that perform bulk operations (decay, consolidation) are capped at 20 items per execution to prevent runaway processes.
• Admin endpoints require a separate ADMIN_SECRET header distinct from user API keys.

9. Dependency & Supply Chain Security

• Dependencies are pinned and regularly audited with bun audit / npm audit.
• The Workers runtime sandbox limits the blast radius of any compromised dependency.
• We use a minimal dependency footprint — the core Worker has fewer than 10 runtime dependencies.

10. Incident Response

In the event of a confirmed security incident:

• Detection: Cloudflare alerts and audit log anomaly detection.
• Containment: Affected API keys revoked, namespaces isolated within 1 hour of confirmed breach.
• Notification: Affected users notified by email within 72 hours of confirmed breach, as required by GDPR Art. 33–34.
• Post-mortem: Public disclosure of root cause and remediation within 30 days.

11. Vulnerability Disclosure

We operate a coordinated disclosure policy. If you discover a security vulnerability:

• Email security@takizen.xyz with a description and steps to reproduce.
• Do not exploit the vulnerability or access data beyond what is necessary to demonstrate the issue.
• Do not disclose publicly before we have had a reasonable time to fix it (we aim for 90 days).
• We will acknowledge within 48 hours and work with you on a fix timeline.
• We credit researchers who report valid vulnerabilities (with their permission).

We do not currently offer monetary bug bounties, but we do offer public recognition and, for critical vulnerabilities, complementary Pro plan access.

12. Compliance

Standard / Regulation	Status
GDPR (EU 2016/679)	Compliant — see GDPR page
Data residency (EU)	Primary database in EU-West-1
TLS encryption in transit	TLS 1.3, enforced
Encryption at rest	AES-256 via platform providers
Audit logging	Append-only, 24-month retention
Data minimisation	Only data necessary for service operation is collected

13. Contact

Security reports: security@takizen.xyz
General privacy: legal@takizen.xyz