Skip to content

Enterprise IT FAQ

This page answers the questions enterprise IT, infosec, and compliance teams reliably ask before approving Graphnosis. It is written to be straightforward — including about current limitations — rather than to be a marketing document.

TL;DR: Graphnosis is a local, encrypted, user-owned memory store with no cloud back-end. All data stays on the device or container you deploy it on. The app makes one automatic outbound connection (a GitHub version check on startup), requires no elevated privileges, and exposes no network-accessible endpoints by default. IT policy controls are available via environment variables. Where current limitations exist they are documented below, along with the available mitigations and the roadmap status.


1. Installation — Windows, macOS, and Linux

macOS

  • Installer format: DMG containing a signed .app bundle
  • Code signing: Developer ID Application — Nehloo Interactive LLC (Team ID: C76ZLJ5UQW), verified by macOS Gatekeeper on every launch
  • Notarisation: Yes; Apple’s notarisation service has scanned the binary
  • Entitlements: JIT compilation and unsigned executable memory, required by the WebKit rendering engine. The App Sandbox is not yet enabled — the IPC socket path used by MCP clients has a length constraint that requires a TCP-based redesign before sandboxing is feasible. This is tracked and planned
  • Bundled binaries: graphnosis-sidecar (statically compiled, self-contained), graphnosis-biometric (Swift, Touch ID only), graphnosis-mcp-relay
  • Passphrase caching: macOS Keychain (signed builds), bound to the signed binary via audit token. Developer/unsigned builds use a file-based cache with user-only permissions
  • Auto-start: None — the sidecar starts only when the app is open and the cortex is unlocked

Windows

  • Installer format: MSI installer
  • Code signing: Windows Authenticode signing on the installer and .exe
  • Privilege level: User-level only — no UAC elevation, no kernel driver, no system service
  • Console window: Sidecar runs without a visible console window
  • Bundled runtime: Bun runtime statically bundled — no system Node.js required
  • Passphrase caching: Windows Credential Manager (DPAPI), scoped to the current OS user
  • AI client config files written on first connect:
    • Claude Desktop (MSI): %APPDATA%\Claude\claude_desktop_config.json
    • Claude Desktop (MSIX): %LOCALAPPDATA%\Packages\Claude_<hash>\LocalCache\Roaming\Claude\
    • Cursor: %APPDATA%\Cursor\mcp.json

Linux — desktop

  • Package formats: .deb (Debian/Ubuntu), .AppImage (portable, any distro with glibc ≥ 2.35)
  • Build baseline: Ubuntu 22.04 for widest glibc compatibility
  • Required system libraries: libwebkit2gtk-4.1, libgomp1 (OpenMP, needed by the ONNX embedding runtime)
  • Code signing: None — Linux desktop binaries are unsigned. Verify checksums published on the GitHub Releases page before deploying
  • Biometric helper: macOS-only; not present on Linux
  • Passphrase caching: File-based cache restricted to the current OS user (no system keychain integration on Linux desktop; on the roadmap)

Linux — headless / Docker (server mode)

  • Official image: ghcr.io/nehloo-interactive/graphnosis-app/graphnosis-server (linux/amd64, linux/arm64)
  • Process: Sidecar + browser UI only — no Tauri shell
  • Port: 3456 (browser UI and HTTP MCP bridge)
  • Default bind: 0.0.0.0the image exposes port 3456 to the network by default. Protect with GRAPHNOSIS_HTTP_UI_TOKEN and a reverse proxy or firewall rule
  • Cortex: Mounted volume at /data/cortex; never baked into the image
  • User: Runs as non-root graphnosis user inside the container
  • Embedding model: Downloaded from storage.googleapis.com on first embed (~90 MB). Pre-bake into the image for air-gapped deployments — the Dockerfile includes commented instructions for this

What installation does NOT do (all platforms)

  • No elevated privileges or UAC prompts
  • No kernel extensions, drivers, or system services
  • No global registry pollution beyond the app shortcut and the graphnosis:// deep-link URL scheme
  • No background daemon that starts at login

2. What Graphnosis reads and writes from the host machine

Filesystem writes

PathContentsWhen written
<cortex>/ (user-selected, default ~/GraphnosisCortex).gai engrams, source indexes, op-log, content cache, snapshots, encryption key files, and write-lockDuring cortex operation
~/.graphnosis/mcp.sockUnix socket for MCP clientsOn sidecar start
Passphrase cache (macOS dev/unsigned only)File-based passphrase cache, user-only permissionsAfter first unlock
AI client config files (see Section 1)MCP server path entryOn first AI client connect
<app-data>/.window-state.jsonWindow size/positionOn window move/resize

OS credential store

  • macOS: Keychain entry bound to the signed binary; cannot be read by other processes
  • Windows: Credential Manager (DPAPI), scoped to the current OS user
  • Linux / unsigned builds: File-based cache with user-only permissions

Filesystem reads

Only within:

  • The cortex folder you selected
  • Paths you explicitly ingest (drag-and-drop, file picker, URL paste, connector-configured directories)

What it never reads

  • Browser history, email, calendar, or clipboard — none of these are accessed without an explicit ingest action
  • Files outside the cortex folder or explicitly ingested paths

3. How the sidecar works in the background

The sidecar (graphnosis-sidecar) is a self-contained binary bundled inside the app. It is not a system service and does not start at login.

Lifecycle

  1. Lock screen shown — sidecar not yet running
  2. User unlocks cortex — Tauri shell spawns the sidecar as a supervised child process
  3. Sidecar acquires exclusive write lock — single-writer guarantee; a second instance trying to open the same cortex exits with a clear error
  4. Local sockets open — see table below
  5. IPC handshake — Tauri shell waits for the socket to appear, then completes the unlock
  6. User quits / locks — Tauri signals the sidecar to shut down gracefully; pending writes are flushed before exit; sockets and the write lock are released

Sockets opened (all local — no network exposure by default)

SocketPurpose
Desktop IPC socketDesktop app ↔ sidecar communication
Events socketPush event stream to the UI
MCP socket (~/.graphnosis/mcp.sock on Unix; loopback TCP on Windows)AI clients (Claude, Cursor, etc.)

The MCP socket uses a fixed per-user path so AI clients remain configured across cortex switches. The IPC and events sockets are internal to the app and not reachable by external processes.

What the sidecar accesses during normal operation

  • Cortex folder (read + write)
  • OS embedding model cache (~/Library/Application Support/graphnosis-sidecar/ or equivalent; populated once on first use)
  • Ollama at http://127.0.0.1:11434 — only if the optional Local LLM is enabled
  • storage.googleapis.com — one-time embedding model download on first use only

Passphrase handling

The Tauri shell passes the passphrase to the sidecar via the GRAPHNOSIS_PASSPHRASE environment variable. For interactive desktop use this is handled entirely by the app and never touches a shell. For headless or scripted deployments (Docker, CI), prefer injecting the value from a secrets manager (Docker secrets, Kubernetes secrets, HashiCorp Vault) rather than a plain environment variable, which is visible to other processes running under the same OS user.


4. Tamper resistance and data protection

Update integrity

Each update is verified against a minisign public key hardcoded in the app before being applied. A tampered or substituted binary will not install. On macOS, the running .app is Gatekeeper-verified on every launch against the Developer ID signature.

Data exfiltration via file copy

Every .gai engram is encrypted with XChaCha20-Poly1305, keyed from a data key derived via Argon2id from the user’s passphrase. Without the passphrase (or the 24-word BIP-39 recovery phrase stored separately), the files are opaque ciphertext. The data key never leaves the machine.

MCP socket access boundary

The MCP socket is accessible to processes running as the same OS user — an intentional design choice that avoids extra authentication round-trips for same-user AI tools. The practical implication is that Graphnosis’s application-layer controls sit above the OS user boundary, not below it: if the machine itself is compromised, endpoint protection rather than Graphnosis is the appropriate control.

The optional HTTP MCP bridge (port 3456) requires a Bearer token on every request and should be kept on its default loopback binding unless you have a specific cross-machine use case and appropriate network controls in place.

Data integrity and corruption protection

Every engram file is integrity-checked on load via authenticated encryption (the MAC covers the entire ciphertext) and an additional inner checksum on the graph bundle. A corrupted file is auto-quarantined — removed from the active cortex, preserved for recovery, and the user is notified. Writes are atomic (write to a temporary file, flush to stable storage, then atomically rename), so a power loss or kill mid-write leaves either the old file intact or the new one fully written — never a partial state.

Skill pack (.gsk file) safety

.gsk files contain only graph data (encrypted, signed with Ed25519). They carry no executable code and cannot run anything on the host. Packs that fail signature verification are rejected at import.

Binary integrity

On macOS, any modification to the .app bundle breaks the Developer ID code signature and Gatekeeper will refuse to launch the app. On Windows and Linux, protecting the install directory via OS-level access controls (standard file permissions, read-only mounts) is the appropriate defence — the same principle that applies to any desktop application. For Linux deployments, verify checksums published on the GitHub Releases page.


5. Deployment security checklist

The following table covers deployment considerations that enterprise IT teams commonly review. Most entries are standard configuration steps rather than product deficiencies — the same considerations apply to any local-first desktop or container application.

ConsiderationAction requiredNotes
Update deployment channelConfigure for your environmentBy default the app checks for updates on startup and prompts the user to install. For environments that require IT-validated updates, block the update endpoint at the firewall and deploy updates through your standard software distribution process. All updates are cryptographically signed
Headless / Docker passphrase injectionUse a secrets managerFor Docker and scripted deployments, inject the passphrase via Docker secrets, Kubernetes secrets, or a vault integration rather than a plain environment variable. Interactive desktop deployments are handled entirely within the app
Docker network bindingSet before deployingThe official Docker image exposes the browser UI on all interfaces by default to support reverse-proxy deployments. Set GRAPHNOSIS_BIND=127.0.0.1 to restrict to loopback, or place the container behind a reverse proxy with TLS and access controls. A bearer token (GRAPHNOSIS_HTTP_UI_TOKEN) is required in all cases
Per-call MCP audit loggingReview export workflow for your SIEMShipped in v1.18: durable encrypted per-call audit at <cortex>/mcp-audit.enc — one row per MCP tool call (client, tool, timestamp, consent grant ID, engram scope, token budgets, stable query hash; raw query text is never stored). Browse in Settings → Activity → AI access log. Enterprise: export op-log + MCP rows as CSV (Sharing → Export audit log) or bundle via Activity → Export signed evidence pack. Continuous SIEM ingest is not built in — schedule periodic export or ingest the CSV into your collector
Sensitive-data consent in headless environmentsVerify fallback works for your setupThe in-app consent modal works when a desktop GUI is available. For headless deployments (SSH, Docker, CI), a time-limited phrase shown in Settings provides the equivalent confirmation
Multi-user shared machinesNo action neededEach OS user account has an independent, separately encrypted cortex not accessible to other accounts
Air-gapped or proxy-restricted environmentsPre-stage the embedding modelThe embedding model (~90 MB) downloads once on first use. Pre-stage it before deployment or pre-bake it into the Docker image; the application operates fully offline after that
User-initiated cortex backup to cloud storageEnforce via MDM DLP policyCortex files are strongly encrypted and require the user’s passphrase to be useful. If organisational policy prohibits cloud backup of work data, apply data-loss-prevention rules to the cortex folder path
Connector credentials for integrated servicesFollow principle of least privilegeIntegration tokens (e.g. for GitHub or Slack) are encrypted with the same key as all other cortex data. Grant minimum-scope tokens and rotate them when personnel change
Linux desktop binary verificationVerify checksums before deploymentLinux desktop packages are not code-signed. Verify the SHA checksums published on the GitHub Releases page before deploying; for high-assurance environments, build from source
Machine-level securityCovered by your existing endpoint protectionGraphnosis’s access controls operate at the application layer. Like all desktop applications, defence at the machine level — full-disk encryption, EDR/XDR, locked-down user accounts — is the foundation
Third-party local LLM (Ollama) configurationConfigure Ollama independentlyGraphnosis communicates with Ollama on the loopback interface only. Ollama’s own privacy settings are outside Graphnosis’s scope
Enterprise SSO (OIDC)Configure in Settings → Enterprise SSOFederated cortex unlock via corporate IdP (Okta, Azure AD, Google Workspace, and other OIDC providers). Lock-screen sign-in, IdP group → sharing-role mapping, optional Entra tenant binding (tid / issuer match), and a reachability probe when the IdP is behind VPN. An admin saves SSO settings once while unlocked to provision the federated key on each Mac; optional break-glass passphrase remains available. Headless MCP seats: /admin/provision. SAML 2.0 is not yet supported — OIDC only

6. Guardrails and controls

Built-in (no configuration needed)

  • XChaCha20-Poly1305 authenticated encryption + Argon2id key derivation for all cortex data
  • OS-native credential store for passphrase caching — no plaintext passphrase files in production builds
  • Atomic fsync+rename writes — no half-written state after crashes or kills
  • Auto-quarantine on HMAC/MAC mismatch — corruption surfaces immediately and is never silently ignored
  • Single-writer cortex lock — prevents concurrent write corruption
  • Update signature verification (minisign) before any binary is applied
  • MCP rate limiting — per-client recall rate cap prevents burst access patterns
  • Session replay blocker — repeated near-identical queries are detected and blocked after natural retries
  • Sensitivity tiers (public / personal / sensitive) with mandatory consent gate for sensitive data
  • Source-available codebase (FSL-1.1) — auditable by your security team without NDA

IT-configurable controls (environment variables)

VariableEffect
GRAPHNOSIS_DISABLED_CONNECTORS=slack,githubBlocks named connectors org-wide; they will not start even if configured
GRAPHNOSIS_DISABLED_CLIENTS=cursor,claude-aiRejects MCP tool calls from named AI clients
GRAPHNOSIS_DISABLED_PROVIDERS=anthropic,openaiBlocks named model providers from Ghampus routing; shows lock badges in Settings → Models
GRAPHNOSIS_MANAGED_POLICY=1Marks policy as centrally managed; local user cannot loosen it from Settings
GRAPHNOSIS_CORTEX=/path/to/managed/cortexPins cortex location (e.g. to an encrypted volume or MDM-controlled path)
GRAPHNOSIS_BIND=127.0.0.1Locks optional HTTP bridges to loopback (override Docker default of 0.0.0.0)
GRAPHNOSIS_HTTP_UI_TOKEN=<secret>Mandatory Bearer token for the HTTP MCP bridge and browser UI
GRAPHNOSIS_EMBED_WORKERS=1Reduces embedding worker count for constrained hardware
GRAPHNOSIS_EMBED_DISABLE=1Disables on-device embeddings entirely (debugging / constrained environments)

A policy.json file placed in the cortex folder accepts the same disabledConnectors, disabledClients, and managed fields as the env vars, and merges with them. When GRAPHNOSIS_MANAGED_POLICY=1, the app UI cannot overwrite this file.

User-configurable controls (Settings)

  • Session caps (Settings → AI → Optional session caps): token budget, node budget, engram-breadth cap per AI session
  • Extra precaution mode (Settings → AI): gate personal-tier recalls behind the same in-app consent click as sensitive-tier data
  • Client policies (Settings → AI → Client policies): per-AI-client default (always-allow / ask-1h / ask-today / ask-every-time / never-allow)

Current limitations

Graphnosis is actively working on all items below. As each is addressed, this page is updated and the change is announced in the Changelog and via in-app release notes.

LimitationImpactCurrent mitigation
No MDM configuration profile (.mobileconfig / .admx)Policy must be deployed via scripted environment variables rather than an MDM payloadAll policy settings are available as environment variables and a policy.json file, both of which can be deployed via MDM shell-script or file-delivery mechanisms
No built-in update-check toggleThe update check cannot be disabled from the Settings UIBlock the update endpoint at the network layer for environments that require IT-controlled update deployment
No native SIEM/syslog streaming for MCP auditAudit rows stay local until exportedPer-call MCP audit is durable and encrypted (mcp-audit.enc); Enterprise CSV export and signed Evidence Pack cover SIEM handoff. Continuous syslog/CEF streaming is not built in — schedule periodic export or ingest the CSV via your log collector
No SAML 2.0 SP integrationIdPs that expose SAML only (no OIDC) cannot integrate nativelyEnterprise OIDC unlock is available today — see Section 5. Use an OIDC-capable IdP or bridge; SAML 2.0 service-provider flows are on the roadmap
macOS App Sandbox pendingThe app runs with standard user-level permissions rather than the tighter macOS App SandboxAccess is bounded to the user-selected cortex folder and explicitly ingested paths; no access to system directories, browser data, or other user files
Linux system keychain integration pendingPassphrase cache uses a user-restricted file rather than a system keychainUse full-disk encryption on the host to protect the cached passphrase at rest. Linux keychain integration is on the roadmap
Linux desktop code signing pendingBinary integrity cannot be verified via OS-level signature checkVerify SHA checksums published on the GitHub Releases page before deploying; build from source for high-assurance environments

7. Industrial, SCADA, robotics, and off-grid deployments

Graphnosis can act as an on-device AI memory layer in industrial environments — a place for operators or autonomous agents to store and recall knowledge about processes, incidents, configurations, and SOPs, without any dependency on cloud connectivity.

What works out of the box

Inbound webhook connector (SCADA / historian integration)

Any SCADA historian, PLC gateway, n8n/Zapier automation, or custom script can push data into Graphnosis by posting JSON to the local webhook server:

POST http://127.0.0.1:3458/webhook/<connectorId>/<token>
Content-Type: application/json
{ "text": "Pump P-201 cavitation alarm — 14:32 UTC", "label": "Alarm", "source": "DCS-UNIT-3" }

The event ingests into the target engram immediately. Per-connector UUID tokens prevent enumeration; rotate via Settings. The server binds to 127.0.0.1 by default; change the bind address with GRAPHNOSIS_BIND only if you need cross-machine posting and have appropriate network controls.

File-watcher connector (log file ingestion)

Configure a connector to watch a directory for new or modified files. Graphnosis ingests them within ~1.5 s of a file change; a full re-scan runs every 30 min for self-healing. Suitable for SCADA alarm logs, historian CSV exports, or robot task logs written to a shared mount.

Air-gapped / off-grid operation

After the one-time embedding model download (~90 MB, BGE-small-en-v1.5), Graphnosis operates 100% offline. For Docker deployments, pre-bake the model into the image at build time:

# Uncomment these lines in the Dockerfile to bake the model at build time:
RUN cd apps/desktop-sidecar && node -e "const{FlagEmbedding,EmbeddingModel}=require('fastembed'); \
FlagEmbedding.init({model:EmbeddingModel.BGESmallENV15,cacheDir:'/opt/graphnosis-models', \
showDownloadProgress:false}).then(()=>console.log('warmed'))"

Pro license tokens are verified locally via Ed25519 signature — no periodic server check at runtime. The billing server is only contacted when the token is initially fetched; it is not required for ongoing operation.

ARM64 hardware support

The official Docker image is multi-arch (linux/amd64, linux/arm64). Runs on Raspberry Pi 4/5, NVIDIA Jetson, and industrial ARM gateways. The ONNX runtime selects the correct platform binary automatically.

Port conflict check

Graphnosis portDefault bindOT protocolOT port
3456127.0.0.1 (or 0.0.0.0 in Docker)Modbus TCP502
3457127.0.0.1 (hardcoded)OPC-UA4840
3458127.0.0.1DNP320000
Unix socketlocalhost onlyEtherNet/IP44818
BACnet47808

No conflicts with any standard industrial protocol port.

Minimum hardware requirements

ResourceMinimumNotes
RAM~5 GB availableBun/JSC allocator baseline; embedding workers add ~100 MB each
Disk~1 GB + cortex sizeApp + embedding model; cortex grows with ingested data
CPUAny x86_64 or ARM64No GPU required; ONNX runs on CPU
Reduce RAMGRAPHNOSIS_EMBED_WORKERS=1Reduces to one worker process
Minimal modeGRAPHNOSIS_EMBED_DISABLE=1Disables embeddings; recall falls back to TF-IDF

Industrial single-board computers with less than 4 GB RAM require tuning.

OT-specific risks

ScenarioRiskMitigation
Auto-update check on SCADA workstation (Windows HMI)Outbound connection to GitHub at startupBlock github.com/nehloo-interactive/graphnosis-app at the OT/DMZ boundary
Webhook endpoint reachable from plant floorInbound injection into AI memory from a compromised segmentBind to management-network interface only; enforce network segmentation
Docker with GRAPHNOSIS_BIND=0.0.0.0 on OT serverPort 3456 reachable from the control networkSet GRAPHNOSIS_BIND=<mgmt-interface-IP>; add bearer token
Passphrase configured as a plain environment variableAccess to the Docker daemon should be appropriately restricted; prefer secrets injectionUse Docker secrets, Kubernetes secrets, or HashiCorp Vault to inject the passphrase at runtime
Sidecar crash stops AI agent memoryAgent loses recall until restartConfigure Docker restart policy (restart: unless-stopped); use Kubernetes liveness probe
Embedded system < 4 GB RAMOOM killGRAPHNOSIS_EMBED_WORKERS=1; optionally GRAPHNOSIS_EMBED_DISABLE=1

Current OT limitations

  • Native protocol connectors: Modbus, OPC-UA, DNP3, and EtherNet/IP are not natively supported. Data must be translated to JSON by a gateway or middleware layer before posting to the webhook endpoint. Native connectors are on the roadmap
  • High-availability clustering: The single-writer architecture ensures data integrity; HA is achieved through orchestrator-managed restarts (Docker restart policy, Kubernetes liveness probe) rather than parallel instances
  • Real-time process control: Graphnosis is a knowledge and memory layer, not a real-time data bus. Recall latency is appropriate for operator-assistance and agent-memory use cases, not for sub-second control loops. Published ~75 ms figures are warm, single-engram measurements on developer hardware — not federated multi-engram cold-boot SLAs. See Performance and recall latency for CI guards and pre-release benchmarking.

8. Compliance and regulatory mapping

This section maps Graphnosis’s architecture to major regulatory frameworks. It is not legal advice. Where gaps exist they are named explicitly.

Architectural properties relevant to compliance

PropertyImplementation
Data residency — strictly localNo Graphnosis / Nehloo server ever holds cortex data. Cortex never leaves the device or container unless the user manually copies it
Encryption at restXChaCha20-Poly1305 (AEAD, 256-bit key) + Argon2id key derivation
Encryption in transitLocal Unix socket (no network); optional HTTP bridge accepts TLS termination at the reverse proxy
Explicit consent for sensitive datasensitive-tier engrams require an in-app modal click (or phrase entry) before AI access. Consent is recorded (id, timestamps, client, tier, duration) in encrypted cortex settings
Right to erasureforget MCP tool (soft-delete nodes); source deletion via app UI. Data is never replicated to an external server, so erasure is local-only
Right to portability.gai files are decryptable with passphrase + open-source Apache-2.0 SDK (@nehloo/graphnosis). No vendor lock-in
No third-party AI API callsNo data sent to OpenAI, Anthropic, Google, or any hosted LLM. Optional local LLM uses Ollama on-device only
Deterministic recallSame query → same result; auditable. Non-deterministic features are opt-in and clearly labelled

GDPR (EU / UK GDPR)

  • Data controller: the user. Nehloo Interactive is not a data processor for cortex content — it has no copy
  • Article 9 (special-category data): the sensitive tier maps directly to this; access always requires explicit in-app consent
  • Data subject rights (access, rectification, erasure, portability): exercised locally via Settings → AI → Data tab
  • Data residency: fully enforceable — cortex never crosses a border unless the user moves it. Docker deployments can be pinned to any jurisdiction
  • Data transfer to AI providers: when a recall is allowed, the excerpt travels to the AI provider the user has configured — governed by that provider’s DPA, not Graphnosis’s. See Using Graphnosis with AI Clients
  • Nehloo’s role: holds only subscription email (billing); not an Article 28 processor for cortex content

HIPAA (US healthcare)

  • PHI classification: place patient-related engrams in a sensitive-tier engram — AI access always requires explicit consent; consent is logged
  • Encryption at rest (§164.312(a)(2)(iv)): XChaCha20-Poly1305 satisfies the addressable encryption requirement
  • Access controls (§164.312(a)(1)): OS-level user account separation + passphrase; no shared cortex across users
  • Audit controls (§164.312(b)): Consent grant/revoke history and per-call MCP tool audit rows are persisted in encrypted cortex files and exportable (Enterprise CSV export or signed Evidence Pack). Query content is hashed, not stored verbatim. Continuous SIEM streaming is not built in — schedule periodic export for centralized retention
  • BAA with Nehloo: Not required — Nehloo never receives or processes PHI. If PHI recall results are sent to a cloud AI provider, a BAA with that provider is required
  • Minimum necessary: Session caps, engram-breadth cap, and only_engrams MCP parameter support minimum-necessary principles

CCPA / CPRA (California)

  • Cortex data is stored on the user’s device; Nehloo cannot respond to CCPA requests about cortex content — it does not possess it
  • Users exercise access, deletion, and portability rights directly in the app

FedRAMP / FISMA / NIST 800-53 (US federal)

  • Air-gapped operation: fully supported (pre-bake embedding model; no runtime internet required)
  • Cryptographic module: XChaCha20-Poly1305 and Argon2id are not on the FIPS 140-2 approved algorithm list. This is a hard blocker for FedRAMP High and DoD IL4+. Contact us if this is a requirement for your deployment
  • Audit log (NIST AU-2): Consent history and per-call MCP tool audit rows are persisted locally and exportable on Enterprise. Centralized log aggregation requires scheduled export — native syslog/CEF streaming is not yet available
  • STIG/CIS hardening: Hardening guides are not yet published; apply standard OS and process hardening for your platform. A hardening guide is on the roadmap

ITAR / EAR (US export controls, defense / aerospace)

  • Air-gapped operation eliminates most data-exfiltration risk
  • Encryption export classification: EAR 5E002 (mass-market encryption product; typically self-classifiable)

IEC 62443 / NERC CIP (industrial / energy)

  • Graphnosis sits on the IT/DMZ side; it does not interface directly with control systems
  • NERC CIP-007: Document Graphnosis ports 3456-3458 in your Electronic Security Perimeter asset inventory; disable unused bridges
  • Network segmentation: bind the sidecar to the management network interface only; never expose port 3456 to the OT zone

FDA 21 CFR Part 11 (pharma / medical device / laboratory)

  • Consent history and MCP tool-call audit rows are append-only and encrypted with per-event timestamps. Electronic signatures on each recall/ingest operation (Part 11-style audit trails) are on the roadmap
  • Computer system validation (IQ/OQ/PQ) documentation is not yet available; organisations using Graphnosis in a regulated documentation workflow would need to include it in their own CSV programme in the interim

PCI-DSS (payment card)

  • Cardholder data must not be ingested into Graphnosis unless the deployment is within a defined CDE with appropriate controls
  • Encryption at rest satisfies PCI-DSS Requirement 3; there is no Graphnosis server in scope

Compliance roadmap

Graphnosis is actively working on the items below. Updates are announced in the Changelog as each is addressed. For requirements not covered by the current mitigations, contact us.

ItemAffected frameworksCurrent status and mitigation
FIPS 140-2 validated cryptographic moduleFedRAMP High, DoD IL4+, some NIST profilesNot yet available. Enforce FIPS at the TLS boundary layer in the interim; contact us to discuss your specific requirements
Native SIEM/syslog streaming for MCP auditHIPAA §164.312(b), SOC 2, NIST AU-2Per-call MCP audit is durable and exportable (Enterprise CSV, signed Evidence Pack). Continuous syslog/CEF streaming is on the roadmap; schedule periodic export in the interim
SOC 2 Type II reportEnterprise procurement, financial servicesIn progress. The source-available codebase (FSL-1.1) enables a customer-led or third-party audit in the interim
BAA with NehlooHIPAANot required — Nehloo never receives, stores, or processes PHI. If recalled PHI is sent to a cloud AI provider, a BAA with that provider is required
MDM configuration profiles (.mobileconfig / .admx)macOS MDM, Windows ADMXOn the roadmap. Current alternative: deploy env vars and policy.json via MDM script or file-delivery
Linux desktop code signingFrameworks requiring signed software distributionOn the roadmap. Current alternative: verify SHA checksums from the GitHub Releases page; build from source for high-assurance environments
Secrets manager integration for passphrase injectionFrameworks requiring managed secretsUse Docker secrets, Kubernetes secrets, or HashiCorp Vault. Interactive desktop deployments are handled entirely within the app
Multi-user RBACHealthcare, financial multi-operator environmentsEach operator maintains a separate, independently encrypted cortex. Shared cortex with role-based access is on the roadmap

What Leaves Your Device — complete inventory of every outbound request, with source links.

AI Access Controls — the five consent layers between AI clients and your memory.

Keeping Your Cortex Safe — passphrase, recovery phrase, encryption, atomic writes, and snapshots.

Verify It Yourself — how to independently confirm the privacy claims using a network monitor.

Environment Variables — complete reference for all configurable variables including the admin policy group.

File Formats — the on-disk layout of .gai, .gsk, and related files.

Using Graphnosis with AI Clients — what the AI provider sees once a recall is allowed.


Explore by use case

Enterprise — SSO provisioning, audit log export, org-scale deployment
Regulated — HIPAA, SOC 2, GDPR, ISO 27001 — compliance-first deployments
Air-gapped — zero internet dependency, SCADA/OT, classified environments