My company is very strict about data privacy and we cannot use cloud-based vector stores. We need to deploy entirely on-premise. Does the framework support encryption at rest, and how can we manage user-level access control so that one department's vectors are completely isolated from another's within the same instance?
3 answers
For high-security environments, the "self-hosted" nature of is its biggest asset. Since it runs on your hardware, you can manage encryption at rest using standard Linux tools like LUKS or cloud-native disk encryption if you're on a private VPC. Regarding multi-tenancy, the best practice is to use "Collections" as your isolation layer. Each department can have its own named collection, and your application layer (the API gateway) should handle the authentication to ensure a user from HR never queries the Legal collection. This logical separation is built into the core architecture, making it a very reliable choice for air-gapped or strictly regulated industries.
Does the SDK support RBAC (Role-Based Access Control) natively at the database level?
Using the Docker deployment with custom networking makes it much easier to isolate traffic.
Exactly, Gary. Keeping the vector store on a private subnet where only the application server can talk to it is the gold standard for security.
Currently, the open-source version focuses on the storage and retrieval engine rather than a full AAA (Authentication, Authorization, and Accounting) suite. You'll want to wrap the server in a proxy like Nginx or a custom FastAPI layer to enforce RBAC. This is actually a standard pattern for many modern database tools, allowing you to tailor the security headers and tokens to your specific enterprise identity provider like Okta or Active Directory.