Security
Lore DB is designed for teams that store internal documentation — API specs, runbooks, architecture decisions. Security is built into every layer, not bolted on.
Authentication
Google OAuth only. There are no passwords in Lore DB. Every user signs in with their Google account, which means:
- No credential storage, no password databases, no brute-force risk
- Google handles 2FA, suspicious login detection, and account recovery
- Each user gets their own session — no shared bot tokens
MCP authentication
When you connect an AI tool (Claude, Cursor, etc.) via MCP, it triggers the same Google OAuth flow. Your AI tool inherits your exact permissions — it can only see libraries you have access to. There are no shared API keys or elevated bot accounts.
Encryption
In transit
All traffic is encrypted via HTTPS (TLS). This includes:
- Browser to Lore DB (via Vercel Edge Network)
- Lore DB to Supabase (SSL-encrypted PostgreSQL connections)
- Lore DB to OpenAI API (HTTPS)
At rest
- Database: Supabase PostgreSQL with AES-256 encryption at rest, enabled by default
- API keys: If you bring your own OpenAI key (BYOK), it’s encrypted with Fernet (AES-128-CBC + HMAC-SHA256) before storage. Only a masked hint is ever visible.
- Payments: Handled entirely by Stripe. We never see or store card numbers.
Access control
Every document access is checked against library membership:
| Role | Read | Search | Add/Edit docs | Manage members | Delete library |
|---|---|---|---|---|---|
| Viewer | Yes | Yes | No | No | No |
| Editor | Yes | Yes | Yes | No | No |
| Owner | Yes | Yes | Yes | Yes | Yes |
- Documents can only be accessed through library membership
- Write operations require Editor or Owner role
- MCP tools enforce the same permissions — no privilege escalation through AI
- Admin role is separate: admins can manage billing and models, but cannot access other users’ documents
What we send to OpenAI
When you use Search or Ask AI, document chunks and your query are sent to OpenAI’s API for embedding and completion. Important:
- No user PII is sent — only document content and queries
- Per OpenAI’s API data usage policy, API inputs and outputs are not used to train their models
- API data is retained by OpenAI for 30 days for abuse monitoring, then deleted
- If you use your own API key (BYOK), you have a direct relationship with OpenAI
Infrastructure
- Hosting: Vercel serverless functions — no persistent server state, isolated execution per request
- Database: Supabase PostgreSQL with PgBouncer connection pooling
- No self-hosted state: The application is fully stateless. OAuth session state is stored in the database, not in memory.
- Secrets management: All credentials stored as Vercel environment variables, never committed to code
What we don’t do
- We don’t store passwords (OAuth-only)
- We don’t train AI models on your data
- We don’t share your documents with other users or organizations
- We don’t access your documents for support purposes without your permission
- We don’t log document content — only metadata (IDs, titles, token counts) appears in operation logs
For data privacy details (GDPR, retention, data locations), see the Privacy & Data page. For questions about compliance or a Data Processing Agreement, contact us.