Security & Compliance

DialogueDB is designed with security at its core. This page outlines our security practices, compliance standards, and data handling policies.

Encryption

Encryption at Rest

All data stored in DialogueDB is encrypted at rest:

Database: AES-256 encryption
Message content: Compressed and encrypted - content and metadata are never stored as plaintext
API keys: One-way hashed - we cannot retrieve or view your key after creation
Enterprise tier: Bring your own encryption keys

Encryption in Transit

All communication with DialogueDB is encrypted in transit:

TLS 1.2+ required for all API connections
HTTPS only - HTTP requests are rejected
Internal service-to-service communication is encrypted

Data Residency

All data is stored in US regions by default
Enterprise customers can request specific region deployment - contact us

Compliance

Standard	Status
GDPR (EU data privacy)	Compliant
CCPA (California data privacy)	Compliant
FERPA (student data privacy)	Supported - DPA available on request
SOC 2 Type I (security audit)	In progress
HIPAA (healthcare data)	Available on Enterprise tier - contact us

Customer Data Usage

DialogueDB does not use customer data - including conversation content, memories, or metadata - to train models or for any secondary purpose. Your data is yours. It is stored to provide the service, and for no other reason.

FERPA & Education

DialogueDB supports FERPA-covered workloads for ed-tech applications. Namespace isolation ensures student data stays separated per district, school, or student. Data can be deleted on request when a contract ends, and all deletion is permanent and irreversible.

We will sign the Student Data Privacy Consortium's national DPA or your organization's own Data Processing Agreement. Contact us to get a DPA in place before going live with student data.

User Isolation & Multi-Tenancy

DialogueDB enforces strict data isolation:

Project-level isolation: Each API key is scoped to a single project. Data cannot be accessed across projects.
Namespace isolation: Within a project, namespaces provide additional isolation (e.g., per-user or per-tenant). All queries are automatically scoped.
Data layer enforcement: Isolation is enforced at the database query level - not just the application layer.

API Key Security

API keys are one-way hashed — not stored, not recoverable
Keys are never logged in server-side logs
Keys are transmitted only over TLS-encrypted connections
Revoke keys instantly from your project dashboard

Audit Trails

DialogueDB publishes events for all entity operations:

Entity creation and modification events are emitted automatically
Events include entity type, namespace, item ID, and full item data
Subscribe to events for compliance logging, alerting, or custom workflows

Data Retention

Data retention varies by plan tier. When retention expires, data is automatically and permanently deleted.

Dialogue Retention

Plan	Retention
Free	30 days
Starter	90 days
Pro	90 days
Business	90 days

Memory Retention

Plan	Short-Term	Long-Term
Free	30 days	60 days
Starter	45 days	120 days
Pro	60 days	Unlimited
Business	60 days	Unlimited

TIP

Need longer retention? Upgrade your plan or contact us for custom retention policies.

Plan Limits & Overage Behavior

Each plan has defined limits for dialogues, messages, memories, and API requests. When you reach a limit:

New writes are blocked - you'll receive a PLAN_LIMIT_EXCEEDED error (HTTP 429)
Existing data remains accessible - reads, searches, and retrievals continue to work
No surprise charges - DialogueDB uses hard cutoffs, not overage billing
Upgrade instantly - plan upgrades take effect immediately, unblocking writes

The error response includes details about which limit was exceeded:

json

{
  "error": {
    "code": "PLAN_LIMIT_EXCEEDED",
    "message": "Dialogues monthly limit exceeded. Your plan allows 100 dialogues. Please upgrade your plan to continue.",
    "type": "rate_limit"
  }
}

See Error Handling for the full error reference.

Rate Limits

API requests are rate-limited per plan to ensure fair usage and system stability:

Plan	Requests per Second
Free	5 req/s
Starter	10 req/s
Pro	20 req/s
Business	100 req/s

When you exceed your plan's limits, the API returns 429 Too Many Requests with a RATE_LIMIT_EXCEEDED error code. Implement exponential backoff for retries. See the API Overview for more details.

Enterprise Security

Enterprise tier includes additional security features:

Customer-managed encryption keys
BAA availability for HIPAA-covered workloads
Custom data retention policies
Dedicated support with SLA guarantees
Custom region deployment options

Contact sales for Enterprise pricing and features.

Responsible Disclosure

If you discover a security vulnerability, please report it responsibly:

Email: security@dialoguedb.com
Do not publicly disclose vulnerabilities before they are resolved

Authentication - API key management and authentication
Error Handling - Error codes including rate limit and plan limit errors
API Overview - Rate limits and API usage

Security & Compliance ​

Encryption ​

Encryption at Rest ​

Encryption in Transit ​

Data Residency ​

Compliance ​

Customer Data Usage ​

FERPA & Education ​

User Isolation & Multi-Tenancy ​

API Key Security ​

Audit Trails ​

Data Retention ​

Dialogue Retention ​

Memory Retention ​

Plan Limits & Overage Behavior ​

Rate Limits ​

Enterprise Security ​

Responsible Disclosure ​

Related ​