Security and privacy
How Palim protects content, where the trust boundary sits, and which controls you retain.
Encryption at rest
Supported content fields such as messages, summaries, and memories are encrypted on the server with AES-256-GCM before they are stored in the database. Palim derives a separate key for each user from a server-managed master key.
Not end-to-end or zero-knowledge encryption
The Palim server can decrypt content to provide search, retrieval, and export. The server runtime and master key are therefore part of the trust boundary.
Account isolation
Authentication and database policies associate stored data with one user. OAuth clients do not receive shared credentials. API keys are user-specific and should be rotated immediately if exposed.
Your controls
- You decide when a client stores content.
- Sessions and memories can be inspected, edited, and deleted.
- Individual sessions can be exported in open formats.
- The Brain view can be exported as a Markdown vault.
- Palim does not use your stored conversations to train models.
A single complete export covering every data class is not currently available. Contact privacy@usepalim.com for account deletion or privacy requests.
Work securely
- Prefer OAuth over API keys when your client supports it.
- Store API keys only in secret or connector configuration.
- Do not share connection URLs; their token is an access credential.
- Review exported files before sharing them.
- Delete or rotate credentials after a possible leak.
Last updated on