Security Built for Zero Trust

MnemoShare is designed from the ground up to eliminate credential-based risk, enforce least privilege, and produce evidence-grade audit trails.

Built for the threat model most breaches actually follow: credential compromise, standing access, and misuse of legacy file transfer infrastructure — not physical theft of storage media.

Request a DemoTalk to Security Team

Architecture & Trust Boundaries

MnemoShare is a self-hosted, cloud-native platform that runs entirely within customer-controlled infrastructure.

There is no shared SaaS control plane and no dependency on MnemoShare-operated services for day-to-day operation. Customers control deployment, storage, identity integration, and cryptographic material.

  • Runs in customer Kubernetes or Docker environments
  • Customer controls cloud accounts and networking
  • MnemoShare does not have default access to customer data
  • Deployments continue operating independently of vendor availability

Identity-First Architecture

Identity is the primary security boundary — not IP addresses, network location, or inherited trust.

Every access decision is tied to verified identity through ephemeral credentials and strong authentication.

Ephemeral Credentials

Short-lived JWTs replace permanent SSH keys and service account passwords. Credentials expire automatically — there's nothing to rotate, revoke, or forget about.

  • No permanent credentials to steal
  • Automatic expiration and renewal
  • No key sprawl or orphaned accounts

Hardware-Backed Identity

Optional mTLS with non-exportable private keys bound to hardware security modules. Supports TPM 2.0, Secure Enclave, and YubiKey PIV.

  • FIPS 140-3 ready
  • NIST 800-63B AAL3 compliant
  • Keys cannot be extracted or copied

SSO & MFA Enforcement

Integrate with your existing identity provider via OIDC or SAML. Enforce MFA for all users without exceptions.

  • Azure AD, Okta, Ping, Google
  • TOTP as fallback
  • Conditional access policies

Data Protection

Defense in depth with encryption at every layer.

Encryption

All data handled by MnemoShare is encrypted before storage using customer-controlled encryption keys. Cloud provider encryption is additive and not relied upon as a security control.

  • In transit: TLS 1.3 with strong cipher suites
  • At rest: AES-256-GCM with per-file keys
  • End-to-end: Optional client-side encryption mode
  • Integrity: SHA-256 checksums for all files

Key distinction: Data-at-rest encryption keys are customer-controlled at all license tiers. Hardware security modules (HSMs) are used for identity and authentication keys (mTLS), not bulk data encryption.

Content Scanning

  • Malware: Real-time ClamAV scanning via ICAP
  • PHI/PII: Sensitive data detection module
  • Quarantine: Automatic isolation of threats
  • Custom rules: YARA signatures supported

Auditable by Construction

Every security-relevant action produces a structured audit event designed for investigation, compliance, and evidence collection.

Operational Audit Logs

MnemoShare stores audit events operationally for visibility, monitoring, and troubleshooting. These logs are queryable via the administrative interface and integrated with standard logging systems.

  • Authentication attempts (success and failure)
  • File uploads, downloads, and access attempts
  • Administrative actions and policy changes
  • User and permission modifications
  • API calls with request/response metadata

Evidentiary Audit Export

For regulated environments, MnemoShare supports exporting audit events to customer-managed, WORM-capable storage systems (such as S3 Object Lock or equivalent). Retention is enforced outside the application and beyond administrative control.

  • Append-only audit export
  • Customer-managed immutable storage
  • Retention enforced externally
  • Tamper-evident sequencing
  • SIEM integration (Splunk, Datadog, etc.)

Important: MnemoShare cannot modify or delete audit records once exported to customer-managed immutable storage.

Compliance Support

MnemoShare is designed to help organizations meet requirements for major compliance frameworks.

HIPAA

Healthcare

HITRUST

Healthcare

SOC 2

Service Organizations

ISO 27001

Information Security

NIST

Cybersecurity Framework

MnemoShare does not claim certification under these frameworks. The platform is designed to support the technical and procedural controls commonly required by these standards.

Shared Responsibility Model

MnemoShare provides secure software and security controls, while customers retain responsibility for infrastructure configuration, identity provider policies, storage retention settings, and compliance validation.

This model ensures customers maintain control over data, keys, and audit evidence at all times.

MnemoShare Provides

  • Software security and updates
  • Audit event generation
  • Identity enforcement mechanisms
  • Encryption implementation

Customer Controls

  • Infrastructure and networking
  • Retention policies and storage
  • Access governance and IdP policies
  • Compliance attestation

Security Operations

How we build, test, and maintain MnemoShare to meet enterprise security expectations.

Secure Development

  • Code review required for all changes
  • Static analysis in CI/CD pipeline
  • Dependency scanning and SBOMs
  • Automated security testing

Vulnerability Management

  • Continuous dependency monitoring
  • Critical CVE patching within 48 hours
  • Regular third-party penetration testing
  • Responsible disclosure program

Incident Response

  • Documented incident response plan
  • Customer notification procedures
  • Post-incident analysis and reporting
  • Security advisories for affected releases

Secure Delivery

How updates and releases are delivered to customer environments.

Release Integrity

  • Signed container images and Helm charts
  • Verifiable checksums for all artifacts
  • Minimal base images with reduced attack surface
  • SBOM available for each release

Customer-Controlled Updates

  • No automatic updates without customer action
  • Full release notes with security impact
  • Upgrade path documentation and testing guidance
  • LTS releases with extended security support

Enterprise Readiness FAQ

Common questions from security and procurement teams.

Do you have SOC 2 or HITRUST certification?

MnemoShare is a self-hosted platform — certification applies to your deployment, not ours. The platform is designed to support the controls required by SOC 2, HITRUST, and similar frameworks. We provide documentation and control mappings to support your certification efforts.

Can you complete our vendor security questionnaire?

Yes. We complete SIG Lite, CAIQ, and custom questionnaires for Enterprise and Regulated customers. Contact us to request our standard security documentation package.

What is your vulnerability disclosure policy?

We maintain a responsible disclosure program. Security researchers can report vulnerabilities to security@mnemoshare.com. We respond within 48 hours and work with reporters through remediation. Critical vulnerabilities are patched within 48 hours of confirmation.

Do you conduct penetration testing?

Yes. We engage third-party security firms for annual penetration testing. Summary reports are available under NDA for Enterprise and Regulated customers.

What happens if MnemoShare (the company) becomes unavailable?

Deployments continue operating independently. There's no dependency on MnemoShare-operated infrastructure for day-to-day operations. License validation is the only external touchpoint, and deployments can operate offline for extended periods.

Can we conduct our own security assessment?

Yes. We support customer-initiated security assessments and penetration testing of your own deployment. We can provide source code access under NDA for security review by Enterprise and Regulated customers.

Ready to discuss your security requirements?

Talk to our team about your compliance needs, deployment architecture, and security controls.

Request a DemoTalk to Us