memp is a privacy-first memory adapter that can be applied to existing memory systems -- such as mem0, Supermemory, Memobase, Memos -- to automatically separate recallability from readability.
memp does not replace memory systems. It wraps them.
In memp, any memory refers to memory abstractions already used by AI systems today, including but not limited to:
- mem0-style agent memories
- Supermemory long-term stores
- Memobase / Memos user memories
- Chat histories
- Agent traces
- Tool outputs
- Preferences, notes, and contextual facts
If a system:
- stores memory
- retrieves memory
- feeds memory into a model
then that memory can be privatized by memp.
Most memory systems today implicitly assume:
If memory can be recalled, it can be read.
This leads to:
- Raw memory stored or assembled in the cloud
- No distinction between finding a memory and revealing it
- Over-sharing by default
- Difficult privacy guarantees
memp introduces automatic memory separation via a lightweight decorator.
Instead of changing how memory systems work, memp intercepts memory operations and rewrites the data flow.
Original Memory
┌──────────────┐
│ raw content │
└──────────────┘
↓ memp decorator ↓
Separated Memory
┌──────────────┐ ┌──────────────────────┐
│ Recall Signal│ --> │ Private Raw Store │
│ (embedding, │ │ (local / user-owned) │
│ hash, id) │ │ │
└──────────────┘ └──────────────────────┘
- Recall uses derived signals
- Raw memory remains private by default
- Exposure is explicit and policy-controlled
memp wraps memory write/read operations:
- Intercept memory payload
- Generate a stable
mem_id - Store raw memory in a private vault
- Derive a recall signal (e.g. embedding)
- Pass only
{mem_id, signal}to the original memory system
- Original system returns
mem_ids - memp resolves them locally
- Applies exposure policy
- Returns:
- full memory
- partial memory
- redacted memory
- or no content at all
The underlying memory system remains unchanged.
After decoration, every memory becomes:
memory = {
id: mem_id,
signal: retrievable representation,
raw: private content,
policy: exposure rules
}
Only signal is visible to the original system.
- mem0 stores raw memory
- retrieval returns raw memory
- raw memory is sent to LLM by default
- mem0 stores
{mem_id, embedding} - raw memory stays local
- retrieval returns
mem_id - raw memory is revealed only if policy allows
mem0's API remains intact.
memp enforces privacy through architecture, not promises:
- No persistent cloud storage of raw memory
- No server-side visibility of plaintext
- No implicit memory exposure
- Minimal, auditable data flow
Privacy is not an option or a mode -- it is the default behavior.
- Zero or minimal changes to existing systems
- Composable with current memory abstractions
- Works across frameworks and vendors
- Avoids rewriting retrieval logic
memp is an adapter, not a platform.
- Memory leakage via storage or indexing
- Accidental over-sharing in RAG pipelines
- Server-side inspection of memory
- Memory reuse beyond original intent
- Trust in the final consumer (LLM or agent)
- Prompt injection attacks
- Fully encrypted computation
memp minimizes exposure; it does not eliminate trust.
- Recall does not imply permission to read
- Memory ownership is local by default
- Exposure must be explicit
- Existing systems should not need rewrites
- Privacy should be structural, not optional
Databases centralized data. Vector stores centralized recall. AI systems need memory -- but memory must remain private.
memp exists to privatize memory without breaking memory systems.
memp is an experimental privacy architecture and reference implementation. Use at your own risk.