Security & Privacy

How Awareness keeps your data secure, private, and under your control.

Your Data. Your Infrastructure. Your Control.

Awareness is self-hosted. We never see your data. Ever.

Everything runs on your infrastructure—your servers, your cloud account, your databases. You have complete control over where your data lives and who can access it.

Where Your Data Lives

Databases

Your databases run on your infrastructure. PostgreSQL, MongoDB, Neo4j—all under your control.

  • Data never leaves your network
  • You manage backups and replication
  • Standard database security applies (encryption at rest, access controls)
  • Connection credentials stored encrypted with AES-256

Files

Files are stored in your S3 bucket, local filesystem, or Git repositories.

  • AWS S3, MinIO, or local storage—your choice
  • Files encrypted at rest via your storage provider
  • Access controlled by your storage policies
  • Git integration for version control and audit trails

Memory & Context

Your Awareness's memory (conversation history, learned preferences) is stored in your vector database.

  • Stored in Qdrant running on your infrastructure
  • Embeddings never sent to third parties
  • Space-scoped isolation prevents cross-contamination
  • Can be cleared or deleted anytime

Credentials & Secrets

OAuth tokens, API keys, and database credentials are encrypted and never exposed.

  • AES-256 encryption for all stored credentials and secrets
  • Tokens rotated automatically
  • Secrets never logged or transmitted unencrypted

Access Control & Permissions

Human-in-the-Loop Approvals

Your Awareness requests approval before executing dangerous operations:

  • Deleting databases or dropping tables
  • Removing files or bulk deletions
  • Modifying production workflows
  • Connecting to new external services

Role-Based Access (RBAC)

Team members have different permission levels:

Owner

  • Full access to Space
  • Can delete Space
  • Manage team members
  • Configure security settings

Admin

  • Manage resources
  • Create/modify workflows
  • Cannot delete Space
  • Cannot manage members

Member

  • Read/write data
  • Use workflows & dashboards
  • Cannot modify structure
  • Cannot invite others

Viewer

  • Read-only access
  • View dashboards
  • Query databases
  • Cannot modify anything

Space Isolation

Each Awareness Space is completely isolated. Data from one Space cannot leak into another.

Database Isolation

Separate PostgreSQL schemas per Space. Neo4j uses label-based namespacing. Cross-Space queries are impossible.
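
A schema per Space only isolates data when each Space's database role is also denied privileges on every other schema. The following is an added illustration in plain PostgreSQL, not Awareness's own provisioning code; the schema names space_a and space_b and the *_app roles are hypothetical.

```sql
-- Constructed example: space_a, space_b and the *_app roles are hypothetical names.
-- Run as a database administrator.
CREATE SCHEMA space_a;
CREATE SCHEMA space_b;

-- One login role per Space. NOINHERIT keeps privileges from arriving
-- through role membership. Password/auth setup is omitted here.
CREATE ROLE space_a_app LOGIN NOINHERIT;
CREATE ROLE space_b_app LOGIN NOINHERIT;

-- Remove anything every role would receive through PUBLIC.
REVOKE ALL ON SCHEMA public FROM PUBLIC;
REVOKE ALL ON SCHEMA space_a, space_b FROM PUBLIC;

-- Each role may use and create objects only in its own schema.
GRANT USAGE, CREATE ON SCHEMA space_a TO space_a_app;
GRANT USAGE, CREATE ON SCHEMA space_b TO space_b_app;

-- Unqualified table names resolve only inside the role's own schema.
ALTER ROLE space_a_app SET search_path = space_a;
ALTER ROLE space_b_app SET search_path = space_b;

-- Check 1: both rows must report can_use = false.
SELECT r.rolname, n.nspname,
       has_schema_privilege(r.oid, n.oid, 'USAGE') AS can_use
FROM pg_roles r
CROSS JOIN pg_namespace n
WHERE (r.rolname, n.nspname) IN (('space_a_app', 'space_b'),
                                 ('space_b_app', 'space_a'));

-- Check 2: must return zero rows, i.e. no table-level grant reaches
-- outside the role's own schema.
SELECT grantee, table_schema, table_name, privilege_type
FROM information_schema.role_table_grants
WHERE grantee::text IN ('space_a_app', 'space_b_app')
  AND table_schema::text <> replace(grantee::text, '_app', '');
```

The checks only hold if the per-Space roles are not superusers and do not own objects in another Space's schema, since superusers and object owners bypass these grants.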

File Isolation

Separate S3 buckets or directories. Files from Space A cannot be accessed from Space B.

Memory Isolation

Your Awareness in Space A has zero knowledge of Space B. Memories and context are Space-specific.

Workflow Isolation

Workflows run in separate Temporal namespaces. No workflow in one Space can trigger another.

LLM Providers & Data Transmission

Important: LLM API Calls

When your Awareness uses an LLM (OpenAI, Anthropic, etc.), conversation context is sent to that provider's API.

What's sent: Your prompts, conversation history, tool outputs (database query results, file contents, etc.)

Options for Maximum Privacy:

  • Use local models via Ollama: Run LLMs entirely on your infrastructure with zero external API calls
  • Use providers with no-training agreements: Anthropic and OpenAI offer enterprise plans that don't train on your data
  • Deploy Azure OpenAI: Data stays in your Azure tenant

What's Never Sent to LLM Providers:

  • Database credentials or API keys
  • OAuth tokens
  • Internal system configuration
  • Data from other Awareness Spaces

Compliance & Regulations

Because you self-host Awareness, you control compliance. We provide the tools; you configure them to meet your requirements.

GDPR

You own all data. Right to erasure, data portability, and access are under your control. Delete a Space, and all data is gone.

HIPAA

Deploy on HIPAA-compliant infrastructure (AWS, GCP, Azure). Enable encryption at rest and in transit. Audit logs available.

SOC 2

Your deployment can meet SOC 2 requirements with proper infrastructure configuration. Audit trails built-in.

Data Residency

Deploy in any region. Keep EU data in EU, US data in US, etc. You choose where servers run.

Security Best Practices

Use Strong Authentication

  • Enable MFA for all users
  • Use SSO with your identity provider
  • Rotate passwords regularly
  • Review access logs

Network Security

  • Deploy behind VPN or private network
  • Use TLS/SSL for all connections
  • Enable firewall rules
  • Restrict database access to app servers only

Data Protection

  • Enable encryption at rest for databases
  • Backup data regularly
  • Test restore procedures
  • Use separate environments (dev/staging/prod)

Monitoring & Auditing

  • Enable audit logs for all operations
  • Monitor for unusual activity
  • Set up alerts for critical actions
  • Review team member permissions quarterly

Questions about security?

Check our FAQ or review the deployment documentation for detailed security configuration.