# Security & Compliance
DialogueDB is designed with security at its core. This page outlines our security practices, compliance standards, and data handling policies.
## Encryption
### Encryption at Rest
All data stored in DialogueDB is encrypted at rest:
- Database: AES-256 encryption
- Message content: Server-side encryption for all stored content
- API keys: Encrypted before storage — never stored in plaintext
- Enterprise tier: Bring your own encryption keys
### Encryption in Transit
All communication with DialogueDB is encrypted in transit:
- TLS 1.2+ required for all API connections
- HTTPS only — HTTP requests are rejected
- Internal service-to-service communication is encrypted
## Data Residency
- All data is stored in US regions by default
- Enterprise customers can request specific region deployment — contact us
## Compliance
| Standard | Status |
|---|---|
| GDPR (EU data privacy) | Compliant |
| CCPA (California data privacy) | Compliant |
| SOC 2 Type I (security audit) | In progress |
| HIPAA (healthcare data) | Available on Enterprise tier — contact us |
## User Isolation & Multi-Tenancy
DialogueDB enforces strict data isolation:
- Project-level isolation: Each API key is scoped to a single project. Data cannot be accessed across projects.
- Namespace isolation: Within a project, namespaces provide additional isolation (e.g., per-user or per-tenant). All queries are automatically scoped.
- Data layer enforcement: Isolation is enforced at the database query level — not just the application layer.
## API Key Security
- API keys are encrypted at rest
- Keys are never logged in server-side logs
- Keys are transmitted only over TLS-encrypted connections
- Revoke keys instantly from your project dashboard
## Audit Trails
DialogueDB publishes events for all entity operations:
- Entity creation and modification events are emitted automatically
- Events include entity type, namespace, item ID, and full item data
- Subscribe to events for compliance logging, alerting, or custom workflows
## Data Retention
Data retention varies by plan tier. When retention expires, data is automatically and permanently deleted.
### Dialogue Retention
| Plan | Retention |
|---|---|
| Free | 30 days |
| Starter | 90 days |
| Pro | 90 days |
| Business | 90 days |
### Memory Retention
| Plan | Short-Term | Long-Term |
|---|---|---|
| Free | 30 days | 60 days |
| Starter | 45 days | 120 days |
| Pro | 60 days | Unlimited |
| Business | 60 days | Unlimited |
**Tip:** Need longer retention? Upgrade your plan or contact us for custom retention policies.
## Plan Limits & Overage Behavior
Each plan has defined limits for dialogues, messages, memories, and API requests. When you reach a limit:
- New writes are blocked — you'll receive a `PLAN_LIMIT_EXCEEDED` error (HTTP 429)
- Existing data remains accessible — reads, searches, and retrievals continue to work
- No surprise charges — DialogueDB uses hard cutoffs, not overage billing
- Upgrade instantly — plan upgrades take effect immediately, unblocking writes
The error response includes details about which limit was exceeded:
```json
{
  "error": {
    "code": "PLAN_LIMIT_EXCEEDED",
    "message": "Dialogues monthly limit exceeded. Your plan allows 100 dialogues. Please upgrade your plan to continue.",
    "type": "rate_limit"
  }
}
```

See Error Handling for the full error reference.
## Rate Limits
API requests are rate-limited per plan to ensure fair usage and system stability:
| Plan | Requests per Second |
|---|---|
| Free | 5 req/s |
| Starter | 10 req/s |
| Pro | 20 req/s |
| Business | 100 req/s |
Rate limit headers are included in all API responses:
```http
X-RateLimit-Limit: 50
X-RateLimit-Remaining: 45
X-RateLimit-Reset: 1640000000
```

When rate limited, you'll receive a `RATE_LIMIT_EXCEEDED` error (HTTP 429). Implement exponential backoff for retries. See the API Overview for more details.
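Both 429 cases on this page need different client behaviour: `RATE_LIMIT_EXCEEDED` is transient and should be retried with backoff that respects `X-RateLimit-Reset`, while `PLAN_LIMIT_EXCEEDED` is a hard cutoff that no retry can clear. The handler below is an added example, not DialogueDB's own SDK; the `RATE_LIMIT_EXCEEDED` message text and the `send()` callback shape are assumptions.

```python
import json
import random
import time

# Constructed sample bodies modelled on the two 429 responses this page documents.
PLAN_LIMIT_BODY = json.dumps({"error": {
    "code": "PLAN_LIMIT_EXCEEDED",
    "message": "Dialogues monthly limit exceeded. Your plan allows 100 dialogues. "
               "Please upgrade your plan to continue.",
    "type": "rate_limit"}})
RATE_LIMIT_BODY = json.dumps({"error": {  # message text is an assumption
    "code": "RATE_LIMIT_EXCEEDED", "message": "Too many requests.", "type": "rate_limit"}})


class PlanLimitExceeded(Exception):
    """A hard plan cutoff: retrying cannot succeed until the plan is upgraded."""


def backoff_for_429(headers, body, attempt, now, base=0.5, cap=30.0):
    """Return seconds to wait before retrying a 429, or raise if retrying is pointless."""
    error = json.loads(body).get("error", {})
    code = error.get("code")
    if code == "PLAN_LIMIT_EXCEEDED":
        # Writes stay blocked until the plan is upgraded; surface it, do not spin.
        raise PlanLimitExceeded(error.get("message", "plan limit exceeded"))
    if code != "RATE_LIMIT_EXCEEDED":
        raise ValueError(f"unexpected 429 error code: {code!r}")
    # Exponential backoff with full jitter, capped so a long outage does not explode.
    jittered = random.random() * min(cap, base * (2 ** attempt))
    # Header names are case-insensitive; X-RateLimit-Reset is a Unix timestamp.
    lowered = {k.lower(): v for k, v in headers.items()}
    reset = lowered.get("x-ratelimit-reset")
    until_reset = max(0.0, float(reset) - now) if reset else 0.0
    # Never retry before the window resets, even if the jittered backoff is shorter.
    return max(jittered, until_reset)


def call_with_backoff(send, max_attempts=5, sleep=time.sleep, clock=time.time):
    """Call send() -> (status, headers, body) until the response is not a 429."""
    for attempt in range(max_attempts):
        status, headers, body = send()
        if status != 429:
            return status, headers, body
        sleep(backoff_for_429(headers, body, attempt, clock()))
    raise RuntimeError(f"still rate limited after {max_attempts} attempts")
```

`sleep` and `clock` are injectable so the retry loop can be unit-tested without real delays.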
## Enterprise Security
Enterprise tier includes additional security features:
- Customer-managed encryption keys
- BAA availability for HIPAA-covered workloads
- Custom data retention policies
- Dedicated support with SLA guarantees
- Custom region deployment options
Contact sales for Enterprise pricing and features.
## Responsible Disclosure
If you discover a security vulnerability, please report it responsibly:
- Email: security@dialoguedb.com
- Do not publicly disclose vulnerabilities before they are resolved
## Related
- Authentication — API key management and authentication
- Error Handling — Error codes including rate limit and plan limit errors
- API Overview — Rate limits and API usage

