Trust and Operations
Published operational specifications. Real numbers, not hedged marketing copy. Everything on this page is implemented in production code and measurable against the running service.
Last updated: 2026-04-22.
Rate limits
Enforced per IP for unauthenticated requests and per API key for authenticated requests. The limiter uses a token-bucket algorithm: each request consumes one token, tokens refill continuously at the per-minute rate, and short bursts are allowed up to the burst ceiling.
| Caller | Sustained | Burst | Identifier |
|---|---|---|---|
| Unauthenticated | 120 req/min | 20 | client IP |
| Authenticated (gs_ak_ key) | 600 req/min (~10 req/sec) | 20 | API key |
| Admin | Unlimited | - | admin scope |
When a caller exceeds its bucket, the server returns HTTP 429 Too Many Requests with a Retry-After header in seconds. Clients should respect the header and back off before retrying.
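The limiter behaviour described above, as an added Python example that is not Graphory's code: a token bucket using the table's sustained and burst figures, replayed over constructed arrival times. The class and function names, the sample IP, and the way Retry-After is derived (whole seconds until one token is available) are assumptions.

```python
import math
from dataclasses import dataclass

# Limits from the table above: (sustained requests per minute, burst ceiling).
LIMITS = {"unauthenticated": (120, 20), "authenticated": (600, 20)}


@dataclass
class Bucket:
    tokens: float   # tokens currently available
    updated: float  # time of the last refill, in seconds


class TokenBucketLimiter:
    """Illustrative limiter keyed by caller identifier (client IP or API key)."""

    def __init__(self):
        self.buckets = {}

    def check(self, identifier, caller, now):
        """Return (http_status, retry_after_seconds) for one request at `now`."""
        per_minute, burst = LIMITS[caller]
        rate = per_minute / 60.0  # tokens added per second
        # A new identifier starts with a full bucket.
        b = self.buckets.setdefault(identifier, Bucket(float(burst), now))
        # Continuous refill, capped at the burst ceiling.
        b.tokens = min(float(burst), b.tokens + (now - b.updated) * rate)
        b.updated = now
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            return 200, 0
        # Assumption: Retry-After is the whole seconds until one token exists.
        return 429, math.ceil((1.0 - b.tokens) / rate)


def simulate(caller, arrivals):
    """Replay constructed arrival times (seconds) for a single identifier."""
    limiter = TokenBucketLimiter()
    # 203.0.113.7 is a documentation-range address used as a constructed sample.
    return [limiter.check("203.0.113.7", caller, t) for t in arrivals]
```

Replaying 25 simultaneous unauthenticated requests shows the first 20 admitted from the burst allowance and the rest rejected until the bucket refills at 2 tokens per second.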
Retention and soft-delete
When an org is deleted, it enters a 90-day grace period during which the owner can restore it in full. No data is removed during the grace window - nodes, edges, source files, and connections remain intact.
| Action | Effect | Window |
|---|---|---|
| Owner soft-deletes the org | Org flagged deleted, all access blocked | Immediate |
| Owner calls POST /org/{id}/restore | Org restored, all access re-enabled | Any time within 90 days |
| 90 days elapse | Nightly purge job hard-deletes the graph, all edges, all source .md files | Permanent, not recoverable |
The grace period is 90 days by default and configurable per deployment via the GRAPHORY_PURGE_GRACE_DAYS environment variable. Graphory cloud uses the default.
Individual record deletion (specific nodes or edges) applies immediately and does not enter the grace queue.
Data export
Owners can export the full state of their org at any time through the API. Export is asynchronous: submit the job, poll for completion, download from a signed URL.
| Format | Contents | Use case |
|---|---|---|
| zip | All raw source .md files with YAML frontmatter | Source-of-truth portability, re-ingest anywhere |
| graph-json | Full graph state as JSON-LD: every node, every edge, every property, provenance | Load into any other graph store, build your own index |
Flow:
- GET /org/{org_id}/export?format=zip (or graph-json) returns 202 Accepted with an export_id.
- GET /org/{org_id}/export/{export_id} returns the job status (pending, running, ready, failed).
- When ready, the response includes a signed download URL valid for 24 hours.
What is included: all nodes, all edges, all properties, full provenance metadata (source, confidence, authority, timestamps).
What is excluded: third-party credentials, the internal review queue, audit logs, and cross-customer ontology rules. Credentials are your property and stay in the vault; internal system state is not part of the data contract.
Export is owner-only. Member roles cannot initiate an export.
Backup and disaster recovery
| Property | Value |
|---|---|
| Snapshot cadence | Daily at 03:00 server time |
| Snapshot format | Full graph-store .rdb dump |
| Local retention | 7 days on the application host |
| Offsite copy | B2 object storage (encrypted at rest, separate region) |
| Restore target | Manual restore in under 4 hours from the most recent dump |
Backup and restore targets above are operational policy, not contractual guarantees. A public status page with real measured uptime and restore-drill results is on the 2026 roadmap. Enterprise customers can negotiate contractual RPO/RTO commitments.
SLA targets
Uptime targets per plan. These are policy commitments from Graphory, not contractual terms except on Enterprise. Measurement is the fraction of minutes in a calendar month during which the Graph API responds with 2xx to a health check from an external region.
| Plan | Uptime target | Allowed downtime/month | Contractual |
|---|---|---|---|
| Free | Best effort | No target | No |
| Pro | 99.5% | ~3.6 hours | Policy |
| Business | 99.9% | ~44 minutes | Policy |
| Enterprise | Custom | Contract-defined | Yes |
A public status page with live measurement is coming. Until then, incident history is shared on request to support@graphory.io.
Security
- Per-org graph isolation. Each org has its own named graph in the graph store. Queries cannot cross org boundaries. No shared index, no shared cache that could leak data across tenants.
- BYOC credentials. Connectors use your OAuth app and your tokens. Tokens are stored encrypted in WorkOS Vault, a per-org credential store. Graphory operators cannot read them in plaintext.
- TLS everywhere. All endpoints terminate TLS via Let's Encrypt certificates with automatic renewal. HTTP is redirected to HTTPS.
- Human auth. WorkOS AuthKit handles login, multi-factor, SSO, and org membership. No passwords stored in Graphory.
- Machine auth. gs_ak_ API keys are scoped to a single org and created only by the owner. Keys can be revoked immediately from the Settings page.
- Audit trail. Every write carries provenance: who (user or agent), what (before/after), when (timestamp), with what authority (code, AI, user correction, admin). User corrections outrank automatic extraction.
Compliance posture
Where we stand today, in plain English:
- SOC 2. Not certified yet. Controls mapping in progress; external audit targeted for 2026. Not eligible for procurement gates that require an in-hand SOC 2 Type II report.
- HIPAA. Not in scope. Do not send PHI through Graphory cloud. A self-hosted path (see below) is the right answer for HIPAA-adjacent workflows.
- PCI-DSS. Not in scope. Do not send cardholder data.
- GDPR. Right-to-erasure is implemented via the soft-delete + 90-day hard-purge flow described above. Data exports satisfy portability. Data processing addenda available on request for Business and Enterprise plans.
Need data to stay in your own infrastructure?
For customers in regulated industries, air-gapped environments, or anyone who needs zero SaaS dependency, a self-hostable community edition is on the roadmap. See Self-Hosted for the model, timeline, and what is included.
Contact
- Operational or security question: support@graphory.io
- Procurement, security review, custom terms: info@graphory.io
- Billing: billing@graphory.io