Zone 3

Memory Engine

Persistent context storage with semantic retrieval and cross-session threading. All data encrypted at rest with per-vault keys.

Overview

The Memory Engine is the core of bRRAIn — the persistent, encrypted storage layer where institutional knowledge lives. It provides AES-256-GCM encryption with per-vault envelope encryption, semantic retrieval via vector storage, and cross-session context threading. The Memory Engine never exposes raw data — all access passes through the Security Policy Engine (Zone 7) before data is read or written. Enterprise customers can bring their own encryption keys (BYOK) with HSM support.

Key capabilities

AES-256-GCM Encryption

All data encrypted at rest using AES-256-GCM with per-vault envelope encryption and automatic key rotation.

Per-Vault Encryption Keys

Each vault has its own data encryption key (DEK) encrypted by a master key (KEK) for defense in depth.

Semantic Retrieval

Vector-based semantic search enables intelligent retrieval of contextually relevant institutional memory.

Cross-Session Threading

Context threads persist across sessions, enabling continuous institutional learning and knowledge accumulation.

BYOK / HSM Support

Enterprise customers can bring their own encryption keys with hardware security module integration.

Envelope Encryption

Master key rotation does not require re-encrypting vault data; only each vault's wrapped data encryption key (DEK) is re-wrapped under the new master key (KEK).
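The per-vault DEK/KEK scheme and the rotation behaviour described above, as an added example that is not bRRAIn's own code. The helper names, the nonce-prefixed ciphertext layout and the locally generated keys (no HSM) are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // programming error such as a wrong key length
	}
	return v
}

func random(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}

func seal(key, pt []byte) []byte {
	a := must(cipher.NewGCM(must(aes.NewCipher(key)))) // 32-byte key selects AES-256
	n := random(a.NonceSize())
	return a.Seal(n, n, pt, nil) // nonce || ciphertext || tag
}

func open(key, ct []byte) ([]byte, error) {
	a := must(cipher.NewGCM(must(aes.NewCipher(key))))
	if len(ct) < a.NonceSize() {
		return nil, fmt.Errorf("ciphertext shorter than nonce")
	}
	return a.Open(nil, ct[:a.NonceSize()], ct[a.NonceSize():], nil)
}

func rewrap(oldKEK, newKEK, wrappedDEK []byte) ([]byte, error) {
	dek, err := open(oldKEK, wrappedDEK)
	if err != nil {
		return nil, err
	}
	return seal(newKEK, dek), nil // KEK rotation: vault data is not even an input
}

func main() {
	kek1, kek2, dek := random(32), random(32), random(32)
	data := seal(dek, []byte("vault record")) // constructed sample; rotation never touches it
	wrapped := must(rewrap(kek1, kek2, seal(kek1, dek)))
	fmt.Printf("%s\n", must(open(must(open(kek2, wrapped)), data)))
}
```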

Security implications

How Zone 3 enforces bRRAIn's zero-trust security model:

  • All vault data is encrypted at rest with AES-256-GCM
  • Per-vault encryption keys provide defense in depth — compromising one vault does not expose others
  • BYOK support ensures customers retain full control of their encryption keys
  • All read/write operations pass through Zone 7 (Security Policy Engine) for policy enforcement
  • Automatic key rotation on configurable schedules without data re-encryption

Every zone enforces its own security boundary. No zone trusts another implicitly.

How it connects

Zone 3 stores and retrieves encrypted data, passing context to Zone 4 for AI inference when needed.

  • Zone 2: Session Manager
  • Zone 3: Memory Engine
  • Zone 4: Compute Sandbox
  • Zone 7: Security Policy Engine (inspects all zone transitions)
