Encryption Hub · Encrypted Memory

The agent's memory, encrypted at rest

An agent has to remember your business to be useful: what you asked, what it did, what it learned. NuDay encrypts that memory before it is ever stored, so it stays searchable to the agent and unreadable to everyone else.

An agent's memory records sealed as encrypted, signed blocks

Most agent frameworks persist conversation and history as plaintext JSON, exactly the thing a reviewer flags.

The agent recalls its past by similarity search; an attacker sees only randomized ciphertext.

What we protect

What lives in agent memory

Two kinds of memory hold sensitive business context. NuDay encrypts both at the source.

Saved inputs and prompts

The risk

Standard agent solutions store user prompts and system inputs in plaintext, exposing sensitive business context and PII.

The NuDay standard

Every prompt, instruction, and input is encrypted before it is stored or logged, keeping proprietary logic confidential and satisfying GDPR and CCPA data-minimization requirements.

Searchable agent history

The risk

Agents need to remember past actions to complete complex tasks, but storing execution logs in standard databases creates a massive compliance liability.

The NuDay standard

Long-term history is encrypted yet stays vector-searchable: the agent queries its past via similarity search, while an attacker sees only randomized ciphertext.

How it works

Encryption the agent never has to think about

And an attacker can never get around.

1

Encrypted before it is written

Every prompt, response, and memory record is encrypted the moment it is created, under a key unique to that record. Nothing is buffered to disk or written to a log in the clear first.

2

Searched without a plaintext copy

The agent finds relevant past context by similarity, then decrypts only the matching records with its own keys. There is never a decrypted copy of your history sitting in the store for an attacker to take.

3

Retention and deletion you control

Memory lives exactly as long as your policy allows. Deletion is cryptographic: retire a record's key and its ciphertext becomes permanently unrecoverable, so a right-to-be-forgotten request is satisfied without combing through backups.

What is never stored in the clear

Prompts, responses, tool inputs and outputs, and long-term history are never written as plaintext, not in the state database and not in logs. Data is decrypted only in memory, only for the agent that holds the keys, and only for as long as a task needs it.

The evidence

What your reviewers get

Encrypted memory is not just a control, it is evidence. When security and audit ask how agent data is protected, you have concrete answers.

Encrypted at rest

Every memory record is ciphertext in the state database, per record, with an independent key.

Data minimization

Prompts and history never sit in plaintext, mapping directly to GDPR and CCPA expectations.

Tamper-evident

Any change to a stored memory is detected on load, and verification failures alert operators.

Under the hood

Backed by one cryptographic engine

Memory is protected by the same per-record pipeline that secures RAG and shared memory: checksum, signature, authenticated encryption under a per-record key, and an independent MAC. Native, zero-config, and near-zero overhead.

See how the encryption works

See it in your stack

See encrypted memory in your stack.

Bring your pilot and your reviewers. We will show what is stored, how it is encrypted, and the evidence your teams receive.