# Sovereignty and your data

> Whose memory this is, and how that's enforced.

Memory is the part of an AI that should be most yours — yet today it is usually
the least yours. OceanDB exists to fix that. The promise is plain: it answers
only to you.

## What sovereign means here

- **Private.** Every row belongs to a person and is scoped to them. Your agent
  acts on your behalf, never beyond it.
- **Permanent.** Nothing is deleted behind your back. Memory is retired by
  setting a flag, never erased — so the record stays whole.
- **Portable.** It's your memory in a plain Postgres database. You can read it,
  export it, and take it with you.
- **Unextracted.** Nothing is mined, and nothing is sold. We tend; we never
  trade on what you remember.

## How it's enforced

This isn't only a promise — it's how the system is built.

- **Two roles, least privilege.** Your agent connects under a **de-fanged**
  role: it may read, add, and update, but it **cannot delete** — no `DELETE`,
  no `TRUNCATE`, no schema changes. The dashboard role can review and edit, but
  the social graph and workspace settings are locked down to exactly the writes
  they need. Nobody holds more power than the task requires.
- **Tenancy by membership.** Every read and write is scoped, at the database
  level, to the workspaces you belong to. A query can't reach memory that isn't
  yours, even by mistake.
- **No erasing.** Because the agent can't delete, the way to remove something is
  to archive it. The history stays; the clutter steps aside.

The result is one freedom, not two: freedom from tending your memory, and
freedom in owning it. The [Dreamer](/docs/dreamer) is the proof — it does the
work, and the memory stays yours.
