Skip to main content

Enterprise trust pack

Security and governance notes for shared agent memory.

A shareable brief for security, platform, and engineering leaders reviewing StremAI as the memory layer for coding agents.

Control summary

Tenant-scoped access

Project routes authorize by user, credential, project membership, and role before returning memory, files, tasks, governance data, or audit logs.

Credential revocation

API keys, OAuth grants, setup tokens, and agent records can be revoked or deactivated. Revoked credentials stop validating on future requests.

Export and erasure

Account export, project knowledge export, soft deletion, and owner-confirmed project hard delete workflows are separate so teams can inspect before removal.

Encryption-aware governance

Traffic uses TLS. Field-level encryption is supported for sensitive stored values when the deployment encryption key is configured, and governance endpoints expose encryption status.

What agents do not automatically capture

  • Connecting an agent does not automatically mirror a repository, terminal, browser, clipboard, or local filesystem.
  • Project files and GitHub imports are explicit product actions controlled by a user or authorized agent.
  • StremAI does not train AI models on customer memory content by default.
  • Recall-event rows are pruned after 30 days by default; ordinary audit logs are pruned after 90 days with a retention audit row.
  • Account deletion uses a 7-day grace period, credential revocation, tombstoning, and separate project-content erasure controls.

Audit review areas

  • Agent inventory: Claude Code, Claude Desktop, Codex, Cursor, Windsurf, OpenClaw, custom MCP clients.
  • Credential inventory: API keys, OAuth clients, OAuth grants, setup tokens, refresh tokens, stale agents.
  • Memory scopes: user memory, agent memory, project memory, team memory, shared brains.
  • Data controls: export, redaction, soft delete, hard delete, retention, account tombstone behavior.
  • Operational signals: connected-agent health, production monitor, Sentry or incident intake, Inngest failures.
  • Rollout plan: first team, accepted use cases, prohibited data, owner, and review cadence.

Buyer-safe language

What StremAI is

A shared memory layer for coding agents, with project and team controls for recall, governance, export, and erasure.

What StremAI is not

It is not ambient employee surveillance, automatic repository mirroring, a model-training program, or a replacement for your identity provider.

What to pilot first

One engineering workflow where repeated context loss is costly and where credential revocation, export, and memory boundaries can be tested clearly.

Want this mapped to your environment?

The audit turns this trust pack into a concrete inventory and rollout plan for your agents, teams, and current tooling.