MemNexus SIG Lite Self-Assessment
Document ID: LEGAL-004
Last updated: 2026-04-08
Status: Current
Contact: [email protected]
Overview
This document is a self-assessment response to the Standardized Information Gathering (SIG) Lite questionnaire. It provides an honest summary of MemNexus's current security and compliance posture for vendor risk evaluation.
Where controls are not yet implemented, they are marked as Planned with context. MemNexus does not certify controls that are not yet operational.
A. Risk Management
| Control | Status | Evidence | Notes |
|---|---|---|---|
| Formal risk management program | Planned | -- | No formal risk register exists today. Risk is managed informally through engineering review and incident response. |
| Risk assessments conducted periodically | Planned | -- | Planned as part of SOC 2 readiness. |
| Risk acceptance criteria defined | Planned | -- | Will be formalized alongside the risk register. |
| Third-party risk assessment | Partially Implemented | subprocessors.md | Subprocessor list is published and reviewed. Formal vendor risk scoring is not yet in place. |
B. Security Policy
| Control | Status | Evidence | Notes |
|---|---|---|---|
| Documented information security policy | Implemented | security-practices.md | Published and current. Covers encryption, authentication, authorization, audit logging, infrastructure, and development practices. |
| Policy reviewed and updated regularly | Implemented | Document header tracks last update date | Reviewed at each enterprise iteration. |
| Formal Information Security Management System (ISMS) | Planned | -- | No formal ISMS. Planned as part of ISO 27001 readiness (targeted 2027). |
| Security policy communicated to all personnel | Implemented | security-practices.md is in the repository | Accessible to all team members via source control. |
C. Organizational Security
| Control | Status | Evidence | Notes |
|---|---|---|---|
| Security roles and responsibilities defined | Partially Implemented | -- | Small team with defined roles. Security responsibilities are understood but not formally documented in job descriptions. |
| Segregation of duties | Planned | -- | Team size does not currently support full segregation. Compensating control: all code changes require PR review by a different team member. |
| Contact with authorities and special interest groups | Implemented | [email protected] | Responsible disclosure contact published. No formal relationships with ISACs or CERTs. |
| Independent review of information security | Planned | -- | External penetration testing and SOC 2 audit are planned but not yet engaged. |
D. Asset Management
| Control | Status | Evidence | Notes |
|---|---|---|---|
| Asset inventory maintained | Partially Implemented | Helm charts, GitHub Actions workflows | Infrastructure is managed as code (IaC). No formal Configuration Management Database (CMDB). |
| Asset classification scheme | Planned | -- | Data classification is implicit (all customer memory content is treated as sensitive) but not formally documented as a classification policy. |
| Acceptable use of assets | Implemented | acceptable-use-policy.md (LEGAL-006) | Published acceptable use policy for the service. |
| Media handling and disposal | N/A | -- | Fully cloud-hosted. No physical media. Azure handles disk disposal per its SOC 2 controls. |
E. Human Resources Security
| Control | Status | Evidence | Notes |
|---|---|---|---|
| Background checks for personnel | Planned | -- | Not yet formalized. Will be implemented as the team scales. |
| Security awareness training | Planned | -- | No formal training program. Security practices are communicated through documentation and code review. |
| Disciplinary process for security violations | Planned | -- | Not yet formalized. |
| Termination procedures (access revocation) | Partially Implemented | -- | Access revocation is performed manually on termination. No automated offboarding workflow. |
F. Physical Security
| Control | Status | Evidence | Notes |
|---|---|---|---|
| Physical access controls | N/A | -- | MemNexus is fully cloud-hosted on Microsoft Azure. No company-operated data centers or server rooms. |
| Physical security of data centers | N/A | Azure SOC 2 Type II report | Physical security is managed by Microsoft Azure. Azure's SOC 2 Type II report covers physical data center controls for the US East 2 region. |
| Equipment security and maintenance | N/A | -- | All infrastructure is managed by Azure. |
G. Operations Management
| Control | Status | Evidence | Notes |
|---|---|---|---|
| Documented change management process | Implemented | change-management-policy.md (OPS-007) | All changes go through PR review and automated CI/CD. |
| Incident response plan | Implemented | incident-response-plan.md (OPS-003) | Published plan with severity classification and response procedures. |
| Incident response drills | Planned | -- | Drills have not yet been conducted. Planned. |
| Monitoring and alerting | Implemented | Application and infrastructure monitoring with configurable alerting | Monitoring deployed. Alert rules configured for critical metrics. |
| Capacity management | Partially Implemented | -- | Azure AKS provides scaling capabilities. No formal capacity planning process. |
| Backup and recovery | Planned | -- | Azure Disk Snapshot-based backup is designed; deployment is in progress. Backup procedures are being formalized. |
| Separation of development and production environments | Implemented | -- | Development, staging, and production environments are separated. CI/CD promotes through environments. |
H. Access Control
| Control | Status | Evidence | Notes |
|---|---|---|---|
| Access control policy | Implemented | security-practices.md | RBAC with 3 roles (Owner, Admin, Member). Documented. |
| User registration and deprovisioning | Implemented | -- | WorkOS AuthKit handles registration. Account deletion with 7-day grace period (see data-retention-policy.md). |
| Privileged access management | Partially Implemented | -- | Admin and Owner roles have elevated privileges. No Privileged Access Management (PAM) tool. |
| Multi-factor authentication (MFA) | Planned | -- | MFA is not currently enforced. WorkOS supports MFA; enforcement is planned. |
| Single Sign-On (SSO) | Implemented | WorkOS AuthKit | SAML 2.0 and OIDC via WorkOS. Configurable per organization. |
| API key management | Implemented | security-practices.md | HMAC-SHA256 hashed storage. Creation, listing, and revocation supported. |
| Session management | Implemented | WorkOS AuthKit | Secure cookie-based sessions managed by WorkOS. |
| Cross-tenant data isolation | Implemented | -- | All queries are scoped by userId/organizationId at the repository layer. |
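The two controls above that are enforced in application code, hashed API-key storage and organization-scoped repository queries, are illustrated by the following added example. It is not MemNexus code and makes no claim about the service's actual schema: the pepper value, the record shapes, the key prefix, and the sample rows are constructed for the example; hashing with a keyed HMAC-SHA256 and scoping every repository method by organizationId are the two techniques the table names.

```typescript
// Added illustration, not MemNexus code. Shows (1) API keys persisted only as
// HMAC-SHA256 hashes and resolved by constant-time comparison, and (2) a
// repository whose every accessor requires the caller's organizationId, so a
// cross-tenant read is not expressible through the repository API.
import { createHmac, randomBytes, timingSafeEqual } from "node:crypto";

// Assumption: the HMAC key (pepper) is loaded from a secret store in a real
// deployment. It is constructed inline here so the example runs offline.
const API_KEY_PEPPER: Buffer = Buffer.from("constructed-pepper-for-example-only");

interface ApiKeyRecord {
  id: string;
  organizationId: string;
  keyHash: string; // hex HMAC-SHA256 of the raw key; the raw key is never stored
  revoked: boolean;
}

interface Memory {
  id: string;
  organizationId: string;
  content: string;
}

// Keyed hash of the presented key. Only this value is persisted.
function hashApiKey(rawKey: string): string {
  return createHmac("sha256", API_KEY_PEPPER).update(rawKey).digest("hex");
}

// Issue a key: the raw value is returned once to the caller; the record holds the hash.
function issueApiKey(organizationId: string): { rawKey: string; record: ApiKeyRecord } {
  const rawKey = "mnx_" + randomBytes(24).toString("base64url"); // prefix is an assumption
  const record: ApiKeyRecord = {
    id: randomBytes(8).toString("hex"),
    organizationId,
    keyHash: hashApiKey(rawKey),
    revoked: false,
  };
  return { rawKey, record };
}

// Resolve a presented key to its organization, or null if unknown or revoked.
function resolveApiKey(rawKey: string, records: ApiKeyRecord[]): string | null {
  const presented = Buffer.from(hashApiKey(rawKey), "hex");
  for (const r of records) {
    const stored = Buffer.from(r.keyHash, "hex");
    if (stored.length === presented.length && timingSafeEqual(stored, presented)) {
      return r.revoked ? null : r.organizationId;
    }
  }
  return null;
}

// Every method takes organizationId as its first argument and filters on it.
// There is deliberately no findById(id) overload without a tenant.
class MemoryRepository {
  private readonly rows: Memory[];
  constructor(rows: Memory[]) {
    this.rows = rows;
  }
  findById(organizationId: string, id: string): Memory | undefined {
    return this.rows.find((m) => m.organizationId === organizationId && m.id === id);
  }
  list(organizationId: string): Memory[] {
    return this.rows.filter((m) => m.organizationId === organizationId);
  }
}

// Constructed sample data: one memory per organization.
const demoRows: Memory[] = [
  { id: "m1", organizationId: "org_a", content: "a's note" },
  { id: "m2", organizationId: "org_b", content: "b's note" },
];

// Walk the chain: presented key -> hash lookup -> organization -> scoped query.
function demo(): { ownRead?: string; crossTenantRead?: string; badKey: string | null; revokedKey: string | null } {
  const keyA = issueApiKey("org_a");
  const revoked = issueApiKey("org_a");
  revoked.record.revoked = true;
  const records = [keyA.record, revoked.record];
  const repo = new MemoryRepository(demoRows);
  const org = resolveApiKey(keyA.rawKey, records); // "org_a"
  return {
    ownRead: org ? repo.findById(org, "m1")?.content : undefined,
    // org_a's key cannot reach org_b's row, even with the correct id.
    crossTenantRead: org ? repo.findById(org, "m2")?.content : undefined,
    badKey: resolveApiKey("mnx_not_a_real_key", records),
    revokedKey: resolveApiKey(revoked.rawKey, records),
  };
}
```

The point of the scoped-repository shape is that the tenant check is not a filter a caller can forget: the method signature forces organizationId to be supplied, and the hash lookup is the only place a raw key is ever handled.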
I. Application Security
| Control | Status | Evidence | Notes |
|---|---|---|---|
| Secure development lifecycle | Partially Implemented | -- | PR-based code review, automated CI/CD, input validation (Zod). No formal SDLC policy document. |
| Input validation | Implemented | Zod schema validation | All API inputs are validated against Zod schemas. |
| Static Application Security Testing (SAST) | Planned | -- | No SAST tooling integrated. Planned. |
| Dynamic Application Security Testing (DAST) | Planned | -- | No DAST tooling integrated. Planned. |
| Penetration testing | Planned | -- | External penetration test planned but vendor not yet engaged. |
| Code review | Implemented | GitHub PR workflow | All changes require pull request review before merge. |
| Dependency vulnerability scanning | Planned | -- | No automated dependency scanning (e.g., Dependabot, Snyk) configured. Planned. |
J. Incident Response
| Control | Status | Evidence | Notes |
|---|---|---|---|
| Incident response plan documented | Implemented | incident-response-plan.md (OPS-003) | Covers severity levels, roles, communication, and post-incident review. |
| Incident classification and severity levels | Implemented | OPS-003 | Severity levels defined (Critical, High, Medium, Low). |
| Breach notification procedures | Implemented | OPS-003 | 72-hour notification target for personal data breaches (GDPR Article 33). |
| Post-incident review process | Implemented | OPS-003 | Post-incident reviews documented in the plan. |
| Incident response drills and tabletop exercises | Planned | -- | Not yet conducted. Planned. |
| Evidence preservation procedures | Planned | -- | No formal forensic evidence handling procedures. |
K. Business Continuity
| Control | Status | Evidence | Notes |
|---|---|---|---|
| Business continuity plan (BCP) | Planned | -- | No formal BCP document. |
| Disaster recovery plan (DRP) | Planned | -- | Azure Disk Snapshot-based recovery is designed; deployment is in progress. No formal DRP with RTO/RPO targets. |
| Business continuity testing | Planned | -- | Cannot be tested until the BCP and DRP are formalized. |
| Data backup and recovery | Planned | -- | Backup strategy designed. Implementation in progress. See data-retention-policy.md Section 7. |
L. Compliance
| Control | Status | Evidence | Notes |
|---|---|---|---|
| GDPR Article 17 (Right to Erasure) | Implemented | data-retention-policy.md | Self-service account deletion with complete data erasure. |
| GDPR Article 20 (Right to Data Portability) | Implemented | data-retention-policy.md | Self-service data export in JSON format. |
| CCPA compliance | Implemented | data-retention-policy.md | Right to Delete supported. |
| SOC 2 Type I | Planned | -- | Auditor engagement not yet started. |
| SOC 2 Type II | Planned | -- | Requires Type I first, then an observation period. |
| ISO 27001 | Planned | -- | Targeted for 2027. |
| HIPAA | Not currently planned | -- | Under evaluation. No BAA offered. |
| Regulatory compliance monitoring | Planned | -- | No formal process for tracking regulatory changes. |
M. Encryption
| Control | Status | Evidence | Notes |
|---|---|---|---|
| Encryption at rest | Implemented | security-practices.md | AES-256-GCM-SIV field-level encryption. 13 of 14 sensitive field types encrypted; one field type is not yet covered. |
| Encryption in transit | Implemented | security-practices.md | TLS 1.2+ on all external connections. TLS 1.3 for third-party API calls (OpenAI, Stripe). HSTS enabled. |
| Key management | Implemented | security-practices.md | Per-user DEKs with envelope encryption. Azure Key Vault holds the KEK in production. |
| Key rotation | Planned | -- | No automated key rotation. Planned. |
| Bring Your Own Key (BYOK) | Planned | -- | Designed but not yet implemented. |
N. Data Privacy
| Control | Status | Evidence | Notes |
|---|---|---|---|
| Data retention policy | Implemented | data-retention-policy.md | Plan-based retention with configurable organization-level policies. |
| Account deletion | Implemented | data-retention-policy.md | Self-service with 7-day grace period. Immediate deletion available for regulatory requests. |
| Data Processing Agreement (DPA) | Implemented (Draft) | data-processing-agreement-template.md (LEGAL-002) | DPA template available. Pending final legal review. |
| Subprocessor list | Implemented | subprocessors.md | Published with 30-day advance notice for changes. |
| Data minimization | Implemented | -- | Stripe receives the minimum required data. Audit logs contain metadata only, no user content. |
| Privacy impact assessment | Planned | -- | No formal PIA process. |
| Data subject access requests (DSAR) | Implemented | Self-service export via API and portal | Users can export all of their data at any time. |
Summary
| Category | Implemented | Partially Implemented | Planned | N/A |
|---|---|---|---|---|
| A. Risk Management | 0 | 1 | 3 | 0 |
| B. Security Policy | 3 | 0 | 1 | 0 |
| C. Organizational Security | 1 | 1 | 2 | 0 |
| D. Asset Management | 1 | 1 | 1 | 1 |
| E. Human Resources Security | 0 | 1 | 3 | 0 |
| F. Physical Security | 0 | 0 | 0 | 3 |
| G. Operations Management | 4 | 1 | 2 | 0 |
| H. Access Control | 6 | 1 | 1 | 0 |
| I. Application Security | 2 | 1 | 4 | 0 |
| J. Incident Response | 4 | 0 | 2 | 0 |
| K. Business Continuity | 0 | 0 | 4 | 0 |
| L. Compliance | 3 | 0 | 5 | 0 |
| M. Encryption | 3 | 0 | 2 | 0 |
| N. Data Privacy | 6 | 0 | 1 | 0 |
| Total | 33 | 7 | 31 | 4 |

Counts are taken directly from the section tables above (75 controls in total). The DPA row in section N, marked Implemented (Draft), is counted as Implemented; the HIPAA row in section L, marked Not currently planned, is counted under Planned.
Questions
For questions about this self-assessment, contact [email protected].