← Back to home

Security at Wisdom Recall

Last updated: May 27, 2026

Wisdom Recall, Inc.

Your PearlsTM are your knowledge, your memory, and often your unfair advantage. Protecting them is our first job. This page documents how we secure the Wisdom Recall service, what controls you have, and how to report a vulnerability.

1. Our Approach

We design Wisdom Recall around defense in depth, least privilege, and the principle of minimum data. We collect only what we need to run the Service, we segment trust boundaries between application, data, and edge layers, and we hold our vendors to the same standards we hold ourselves. Security work is continuous, not a one-time milestone.

2. Encryption

  • In transit. All customer-facing endpoints require TLS 1.2 or higher, with TLS 1.3 preferred. HTTPS is enforced via HSTS, and weak ciphers are disabled.
  • At rest. Database storage and object storage are encrypted with AES-256. Backups are encrypted with the same standard.

3. Infrastructure

  • Edge. Cloudflare provides our CDN, Web Application Firewall, DDoS protection, rate limiting, and bot management.
  • Application and database. Supabase runs our managed PostgreSQL database, with automated backups and point-in-time recovery.
  • MCP workers. Our MCP servers run on Cloudflare Workers (V8 isolates). There is no shared filesystem and no long-lived process state between requests.
  • Region. Primary data residency is in the United States (US-East). Edge caching is global.

4. Authentication and Access

  • Authentication is provided by Supabase Auth, supporting email and password sign-in and magic-link flows.
  • Multi-factor authentication using TOTP is on our near-term roadmap.
  • Session tokens are stored in HttpOnly, Secure, SameSite=Lax cookies.
  • Passwords are hashed with industry-standard algorithms; we never store passwords in plain text.
  • Internal staff access to production systems is gated by Single Sign-On with mandatory multi-factor authentication and scoped by role. Access is reviewed regularly and revoked on departure.

5. Database Security

  • Row-Level Security (RLS) is enforced on every customer table. A user's queries can only return that user's rows.
  • We do not use shared tables across tenants for customer content.
  • Sensitive fields, including MCP connection tokens, are encrypted at rest separately from the rest of the row.
  • Database access from the application uses scoped service roles, not broad superuser credentials.

6. MCP Token Security

  • Each AI assistant connection is issued a separate token, scoped to your account and to that provider.
  • Tokens are stored encrypted and are never displayed in logs.
  • You can revoke any MCP token at any time from your dashboard. Revocation is effective immediately.
  • Compromised or unused tokens can be rotated without affecting your other connections.

7. Application Security

  • All dependencies are tracked and scanned. We use automated tooling (npm audit, Renovate) and review advisories continuously.
  • Code review is required before changes are merged to production.
  • Static analysis runs in continuous integration.
  • Dependencies are updated on a regular cadence; security advisories are patched on a priority track.
  • Secrets are managed through environment-scoped stores; secrets are never committed to source control.

8. Logging, Monitoring, and Alerting

  • We keep audit logs for sensitive actions, including Pearl creation, sharing, deletion, and MCP token changes.
  • Edge and application logs are retained for 30 days.
  • Personally identifiable information is redacted from logs where feasible.
  • Anomalies and error spikes trigger alerts that we investigate promptly.

9. Sub-processors

We use a small set of trusted vendors to operate the Service. See the Privacy Policy for the complete sub-processor list and the purpose each one serves.

10. Backups and Disaster Recovery

  • Daily database backups, encrypted at rest.
  • Point-in-time recovery up to seven days.
  • Target Recovery Time Objective (RTO): 24 hours.
  • Target Recovery Point Objective (RPO): 24 hours.
  • Recovery procedures are documented and exercised.

11. Data Retention and Deletion

You can delete any Pearl, project, or your entire account at any time. We remove deleted data from active systems within 30 days. Backups containing residual copies are aged out on a rolling schedule. See the Privacy Policy for full retention details.

12. Compliance Posture

  • GDPR. We process personal data in accordance with the GDPR. We rely on Standard Contractual Clauses for international transfers, and a Data Processing Agreement is available on request to privacy@wisdomrecall.com.
  • CCPA and CPRA. We honor California residents' rights to know, delete, correct, and opt out of "sale" or "sharing". We do not sell personal information.
  • SOC 2 Type II. A SOC 2 Type II audit is on our roadmap. We are not currently SOC 2 certified, and we do not claim certifications we do not hold.
  • HIPAA. Wisdom Recall is not HIPAA-compliant. Do not store Protected Health Information (PHI) in the Service.

13. Vulnerability Disclosure

We welcome reports from security researchers and the broader community.

  • Email: security@wisdomrecall.com
  • PGP key fingerprint: [fingerprint pending]
  • We commit to acknowledging reports within five business days.
  • Safe harbor. We will not pursue legal action against researchers acting in good faith and in compliance with this policy. Good-faith research includes avoiding privacy violations, data destruction, service disruption, and access to data that is not your own beyond what is necessary to demonstrate the issue.

Out-of-scope: social-engineering attacks on staff or vendors, denial-of-service testing, and physical attacks.

14. Incident Response

We monitor the Service for security events and respond promptly when one is detected. If a material security incident affects your data, we will notify affected users without undue delay and within 72 hours of confirmation, in line with applicable law, and explain what happened and what to do.

15. User Security Controls

  • Change your password from your account settings.
  • Revoke active sessions on demand.
  • Revoke and rotate MCP tokens per provider.
  • Export your data in a structured format.
  • Delete individual Pearls, projects, or your entire account.

16. Contact

Security reports and questions: security@wisdomrecall.com.

Privacy questions: privacy@wisdomrecall.com. Legal questions: legal@wisdomrecall.com.

© 2026 Wisdom Recall, Inc. Home Privacy Terms Security