Encryption Hub · Encrypted Memory
The agent's memory, encrypted at rest
An agent has to remember your business to be useful: what you asked, what it did, what it learned. NuDay encrypts that memory before it is ever stored, so it stays searchable to the agent and unreadable to everyone else.
Most agent frameworks persist conversation and history as plaintext JSON, exactly the thing a reviewer flags.
The agent recalls its past by similarity search; an attacker sees only randomized ciphertext.
What we protect
What lives in agent memory
Two kinds of memory hold sensitive business context. NuDay encrypts both at the source.
Saved inputs and prompts
The risk
Standard agent solutions store user prompts and system inputs in plaintext, exposing sensitive business context and PII.
The NuDay standard
Every prompt, instruction, and input is encrypted before it is stored or logged, keeping proprietary logic confidential and satisfying GDPR and CCPA data-minimization requirements.
Searchable agent history
The risk
Agents need to remember past actions to complete complex tasks, but storing execution logs in standard databases creates a massive compliance liability.
The NuDay standard
Long-term history is encrypted yet stays vector-searchable: the agent queries its past via similarity search, while an attacker sees only randomized ciphertext.
How it works
Encryption the agent never has to think about
And an attacker can never get around.
Encrypted before it is written
Every prompt, response, and memory record is encrypted the moment it is created, under a key unique to that record. Nothing is buffered to disk or written to a log in the clear first.
Searched without a plaintext copy
The agent finds relevant past context by similarity, then decrypts only the matching records with its own keys. There is never a decrypted copy of your history sitting in the store for an attacker to take.
Retention and deletion you control
Memory lives exactly as long as your policy allows. Deletion is cryptographic: retire a record's key and its ciphertext becomes permanently unrecoverable, so a right-to-be-forgotten request is satisfied without combing through backups.
What is never stored in the clear
Prompts, responses, tool inputs and outputs, and long-term history are never written as plaintext, not in the state database and not in logs. Data is decrypted only in memory, only for the agent that holds the keys, and only for as long as a task needs it.
The evidence
What your reviewers get
Encrypted memory is not just a control, it is evidence. When security and audit ask how agent data is protected, you have concrete answers.
Encrypted at rest
Every memory record is ciphertext in the state database, per record, with an independent key.
Data minimization
Prompts and history never sit in plaintext, mapping directly to GDPR and CCPA expectations.
Tamper-evident
Any change to a stored memory is detected on load, and verification failures alert operators.
Under the hood
Backed by one cryptographic engine
Memory is protected by the same per-record pipeline that secures RAG and shared memory: checksum, signature, authenticated encryption under a per-record key, and an independent MAC. Native, zero-config, and near-zero overhead.
See how the encryption worksSee it in your stack
See encrypted memory in your stack.
Bring your pilot and your reviewers. We will show what is stored, how it is encrypted, and the evidence your teams receive.