Differential Privacy

Calibrated Gaussian noise is applied to every embedding before storage. This provides mathematically-proven privacy guarantees for individual memories.

Why Differential Privacy?

Vector embeddings encode semantic meaning in numerical form. Without noise, an adversary with access to the stored embedding could reconstruct approximations of the original content.

Differential privacy ensures that the stored embedding is statistically indistinguishable from an embedding computed on a slightly different input. This makes it impossible to determine whether a specific piece of information was part of the original memory.

The Gaussian Mechanism

Synapse Layer uses the analytic Gaussian mechanism to inject calibrated noise. The process is:

  1. Compute the raw embedding vector (1536 dimensions)
  2. Calculate noise scale (σ) from the privacy budget (ε) and sensitivity
  3. Sample Gaussian noise N(0, σ²) for each dimension
  4. Add noise to the embedding
  5. L2-normalize the resulting vector

The noise calibration formula and normalization strategy are proprietary. The result is a noisy embedding that preserves enough semantic signal for recall while providing formal privacy guarantees.

Privacy Budget (ε)

The epsilon parameter controls the noise-utility tradeoff:

ε ValuePrivacyRecall PrecisionUse Case
0.01–0.1Very StrongLowerMedical, legal, high-sensitivity
0.5Strong (default)GoodGeneral-purpose agents
1.0–5.0ModerateHighDevelopment, non-sensitive data
5.0–10.0WeakVery HighTesting, public data only

Note

The valid range is 0.01 to 10.0. Values outside this range will raise a validation error. Differential privacy can be disabled entirely via privacy_enabled=False.

Audit Payload

Every store operation returns privacy metrics in the audit payload:

json
{
  "privacy_details": {
    "epsilon": 0.5,
    "sigma": 0.0234,
    "snr_db": 18.7
  }
}

The SNR (Signal-to-Noise Ratio in dB) indicates how much semantic signal was preserved. Higher values mean more signal retained.

Tradeoffs

Differential privacy introduces a fundamental tradeoff:

Benefits

  • Provable privacy guarantees on stored embeddings
  • Protection against embedding inversion attacks
  • Configurable per-agent via the ε parameter

Costs

  • Reduced semantic recall precision (proportional to noise level)
  • Non-reversible — the original embedding is never stored
  • Very low ε values may significantly degrade recall quality

Boundaries

  • DP is applied to embeddings only — not to the stored content text
  • Content-level privacy is handled separately by the Semantic Privacy Guard (PII sanitization)
  • DP does not protect metadata fields (agent_id, timestamp, intent category)
  • The privacy guarantee is per-memory, not compositional across multiple memories