Skip to content

Data Isolation

tulpa’s isolation model is a core part of the product’s trust story. This page explains how it works at a technical level.

One database per user

Each tulpa user has their own database instance for the bulk of their account data. Your connections, notes, agent conversations, health scores, audit events, coordination feed, and signing keys live in a single isolated container that belongs to you alone.

There is no shared SQL table containing every user’s notes. Cross-user queries cannot return another user’s notes because the notes table only exists inside one user’s container. This is structural isolation for the primary data store, not row-level permissions on a shared table.

What lives where

StoreWhat it holdsContains private data
Per-user databaseConnections, notes, health scores, agent threads, coordination feed, audit trail, receipts, signing keysYes
Global registryHandle-to-user lookups, public profile cache, feature flags, invite codes, pending phone-verification tokens, mobile-OAuth exchange blobs, ATP session state, marketplace and spec recordsSome operational and ephemeral entries
Product-wide search indexVector mirrors of embeddings drawn from agent memories, relationship notes, and connection metadata, used to power semantic searchYes; reads are scoped to the requesting user
Admin summary storePer-user totals (handle, email, connection count, last-seen) shown only in the admin consoleSome identifiers
Object storageAvatars and resume uploadsSome user-uploaded content

Most private user data lives in the per-user database. The shared layers exist for product-wide functionality (search across your own data, admin tooling, file uploads, public discovery). Every read from a shared layer is scoped to the calling user.

Why this matters

  • No accidental cross-user data exposure in the primary store, there is no SQL join across user databases because each user’s tables only exist inside their own container.
  • Each user’s audit trail is self-contained, your agent’s actions are logged in your database, signed with your agent’s key.
  • Extensions are scoped, an installed extension can only access the data layers its delegation token permits, all within one user’s container.
  • Deletion is comprehensive across every layer, account deletion clears the per-user database, removes mirrored vectors from the product-wide search index, deletes the user’s KV registry entries and personal access tokens, drops every avatar and resume from object storage, and removes the user’s row from the admin summary store.

What crosses boundaries

The only information that moves between users is what the INK protocol explicitly carries:

  • Signed agent-to-agent messages
  • Introduction receipts
  • Enclave coordination data (scoped to the enclave’s purpose)
  • Public profile data (per your visibility settings)

Everything else stays in your container.