
Security: rodacato/recall


SECURITY.md

Security Policy

Reporting a vulnerability

If you discover a security vulnerability, please report it responsibly:

  1. Do not open a public issue
  2. Email the maintainers or use GitHub's private vulnerability reporting
  3. Include steps to reproduce and potential impact

We will respond within 72 hours and work with you on a fix.

Security considerations

recall is designed to be self-hosted. Keep in mind:

  • Never expose the PostgreSQL port (5432 by default) to the public internet in production; bind it to localhost or a private network and reach it over SSH or a tunnel
  • API keys belong in .env, which must be git-ignored; never put them in code or commit them, because anything that has entered git history stays recoverable until the history is rewritten and the key rotated
  • Cloudflare Tunnel is the recommended way to expose the MCP server remotely; cloudflared makes an outbound connection from the host, so the MCP server itself needs no inbound port open
  • Backups may contain sensitive data: encrypt them before upload (for example with an rclone crypt remote) or sync only to a trusted rclone target
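As an added example, not part of recall and not the maintainers' own tooling, the following POSIX shell audit checks the four points above before a deploy. The default file locations, the cloudflared config.yml ingress layout, the rclone.conf section format and the remote name backup are assumptions; each check returns 0 when the setting is safe and 1, with a reason on stderr, when it is not.

```shell
#!/bin/sh
# Added example, not part of recall: a pre-deploy audit for the four points in
# the list above. Paths and config formats are assumptions; each check returns
# 0 when the setting is safe and 1 (with a reason on stderr) when it is not.

# PostgreSQL: listen_addresses must be loopback only. It defaults to
# 'localhost' when absent; the last uncommented setting wins, as in PostgreSQL.
pg_listen_is_local() {
  addrs=$(sed -n "s/^[[:space:]]*listen_addresses[[:space:]]*=[[:space:]]*'\([^']*\)'.*/\1/p" "$1" | tail -n 1)
  [ -n "$addrs" ] || addrs=localhost
  printf '%s\n' "$addrs" | awk -F',' '
    { for (i = 1; i <= NF; i++) {
        a = $i; gsub(/[[:space:]]/, "", a)
        if (a != "localhost" && a != "127.0.0.1" && a != "::1") {
          print ("postgresql.conf: listen_addresses includes " a "; bind to localhost and reach it over SSH or a tunnel") > "/dev/stderr"
          bad = 1 } } }
    END { exit bad ? 1 : 0 }'
}

# Secrets: .env must be git-ignored so keys never enter history (an entry only
# stops future commits; a key already committed has to be rotated).
env_is_gitignored() {
  grep -qE '^/?\.env(\*|\.\*)?$' "$1" 2>/dev/null && return 0
  echo "$1: add a '.env' line so secrets are never committed" >&2
  return 1
}

# Cloudflare Tunnel: every ingress `service:` in cloudflared's config.yml should
# point at the MCP server on loopback (or a unix socket), so the only public
# path is the outbound tunnel. The http_status catch-all is allowed.
tunnel_origin_is_local() {
  sed -n 's/^[[:space:]-]*service:[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | awk '
    { n++; h = $0; sub(/^[a-z]+:\/\//, "", h); sub(/[:\/].*$/, "", h)
      if (h != "localhost" && h != "127.0.0.1" && h != "unix" && h != "http_status") {
        print ("cloudflared config: ingress service " $0 " is not on loopback") > "/dev/stderr"; bad = 1 } }
    END { if (n == 0) { print "cloudflared config: no ingress service found" > "/dev/stderr"; bad = 1 }
          exit bad ? 1 : 0 }'
}

# Backups: the rclone remote used for backups should be a crypt remote, so the
# dump is encrypted client-side before it reaches the storage provider.
rclone_remote_is_crypt() {
  awk -v r="$2" '
    /^\[/ { s = ($0 == ("[" r "]")); next }
    s { l = $0; gsub(/[[:space:]]/, "", l); if (l == "type=crypt") ok = 1 }
    END { if (!ok) print ("rclone.conf: remote " r " is not a crypt remote; wrap it in one or encrypt the dump before upload") > "/dev/stderr"
          exit ok ? 0 : 1 }' "$1"
}

# Run all four; the default locations are assumptions, override via environment.
audit() {
  rc=0
  pg_listen_is_local "${PG_CONF:-/etc/postgresql/16/main/postgresql.conf}" || rc=1
  env_is_gitignored "${GITIGNORE:-.gitignore}" || rc=1
  tunnel_origin_is_local "${CLOUDFLARED_CONF:-$HOME/.cloudflared/config.yml}" || rc=1
  rclone_remote_is_crypt "${RCLONE_CONF:-$HOME/.config/rclone/rclone.conf}" "${RCLONE_REMOTE:-backup}" || rc=1
  return "$rc"
}

if [ "${1:-}" = "run" ]; then audit; fi
```

Run it as sh recall-audit.sh run, overriding PG_CONF, GITIGNORE, CLOUDFLARED_CONF, RCLONE_CONF or RCLONE_REMOTE to match your layout. A .gitignore entry only prevents future commits: if a key was ever committed, treat it as leaked, rotate it, and rewrite the history (for instance with git filter-repo) rather than just deleting the file.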

There aren’t any published security advisories