How Ambience handles your team's context.

What we read

Three things, and you opt into each one:

• Agent session output. When you run Claude Code, Codex, Cursor, or any other connected client with Ambience installed, we capture the durable takeaways at the end of the session: the decisions, patterns, and references worth keeping.
• Identity at sign-in. Your name, email, and a stable ID from your SSO provider (Google, GitHub, or SAML via WorkOS). No password ever touches Ambience.
• Your email domain.The first person from a new domain claims the org. We use the domain to auto-join teammates later. We don't scrape your inbox or contacts.

What we don't read

Just as important, what stays out:

• Your source code at rest.We don't crawl your repo. We see what your agent session names: files, decisions, identifiers, never the code itself.
• Anything from agents you haven't connected. Capture only happens at the end of an explicit session. Nothing is read passively in the background.

Redaction before anything is stored

Every memory runs through redaction before it ever hits the database. We strip:

• API keys, secrets, and access tokens.
• Email addresses, phone numbers, postal addresses, and SSNs.
• Customer names and account identifiers from a list you maintain for your tenant.
• Anything that matches the rules you bring (custom redaction patterns are coming in v1).

Redaction is one-way. The unredacted version is never written to disk. If we redact something we shouldn't, the author can amend the memory; amends are added to the audit trail instead of overwriting it.

Scopes you can actually trust

Every memory lives in one of five scopes:

• personal: only the author can read or write.
• team: members of a team can read. Team admins and the original author edit.
• project: members of a project read. Project members write.
• org: everyone in the org reads. Org admins write.
• sensitive: no default access. Read or write requires an explicit grant. For legal opinions, security postures, customer NDAs, anything compliance-shaped.

You can override these defaults per person, with read, write, or admin granularity. Every retrieval filters by the caller's actual permissions. Not as a setting, as a hard constraint. A query that would surface a memory you can't read simply doesn't return it.

Every access is logged

Every read and every write is recorded in an append-only audit trail for your org. It's a separate, dedicated log, not something you have to reconstruct from request traces.

Org admins can query and export it. If your compliance team needs to know who read which memory on which day, the answer is one query away.

Audit entries don't change. Amends, deletions, and promotions all append new rows. The past is never rewritten.

Identity & SSO

Authentication runs through WorkOS AuthKit. Supported providers:

• Google (OAuth)
• GitHub (OAuth)
• SAML (any IdP: Okta, Azure AD, Google Workspace SAML, etc.)
• OpenID Connect

SSO isn't locked behind an enterprise tier. Every plan gets it. Revoking access is one action, and the audit row proves it happened.

Where your data lives

Memories live in Neon (Postgres) in a US region. Larger artefacts go to S3, also US-region. Background jobs run on Inngest, and auth goes through WorkOS. The full sub-processor list is at /legal/subprocessors.

EU-region hosting is on the v1 roadmap. If you need it today, or another region entirely, drop us a line at hello@ambience.sh and we'll talk about a managed deployment.

Where we are on compliance

• SOC 2 Type 1: in progress with our auditor. Happy to share the plan with prospective customers under NDA.
• GDPR: data subject access and deletion rights are handled per the privacy policy. Sub-processor list is public.
• DPA: available on request for paid tenants.
• HIPAA, ISO 27001, FedRAMP: not part of the early-access tier yet. We'll get there when customer demand calls for it.

Found something? Tell us.

Email security@ambience.sh with steps to reproduce. We'll acknowledge within one business day, move fast on anything critical, and credit you publicly unless you'd rather we didn't. There's no paid bounty program yet. We'll set one up when usage calls for it.

One ask: please don't test against live customer tenants. Spin up a free tenant on your own domain, or write to us and we'll set you up with a test org.

Keeping your org out of Ambience

If your org has a policy against tools that capture session context, or you'd just rather Ambience not be available on your domain, email hello@ambience.sh from a verifiable corporate address and we'll opt the domain out. New users from that domain can't claim it, and existing users get a heads-up.