Mem0 and Zep are solid memory retrievers. But neither solves governance. Here's the technical breakdown of what that gap means if you're building AI agents in regulated environments.
The question developers are actually asking in 2026
The AI memory market has consolidated. Mem0 and Zep are the two best-known players. Well-funded, well-documented, widely used.
But there's a different question under the surface in enterprise evaluations: "What happens to the data?"
- Who has access to what agents remember?
- Can we prove we deleted a user's data when they asked?
- Is PII getting stored in our AI memory layer without us knowing?
- Can our compliance team audit what the agent knew and when?
Mem0 and Zep don't have great answers to those questions. That's not a knock — it's a design choice. They built memory retrieval infrastructure. Governance was not the problem they were solving.
This comparison is for developers evaluating all three options with compliance in the picture.
The short version
| Trace Continuity | Mem0 | Zep | |
|---|---|---|---|
| Best for | Regulated industries, compliance-first teams | Fast onboarding, broad ecosystem | Temporal reasoning, knowledge graphs |
| PII auto-redaction | ✅ Pre-storage, 15+ types | ❌ Not a feature | ❌ Not a feature |
| Retention policies | ✅ Configurable TTL, auto-expiry | ❌ Not available | ❌ Not a feature |
| Audit logging | ✅ Every read/write/delete | ❌ None | ❌ None |
| Multi-tenant isolation | ✅ Architecture-level | ⚠️ Namespace-level | ⚠️ Application-level |
| GDPR deletion proof | ✅ Immutable deletion record | ❌ Manual | ❌ Manual |
| Free tier | ✅ Generous | ✅ 10K memories | ⚠️ 1,000 credits (minimal) |
Memory storage: all three solve the same retrieval problem
Mem0
Mem0's core is a vector store with an extraction layer. When you call client.add(), it runs the conversation through an LLM that extracts key facts, stores them as embeddings, and resolves conflicts. client.search() retrieves by semantic similarity.
const client = new MemoryClient({ api_key: process.env.MEM0_API_KEY });
await client.add("User prefers concise responses and hates jargon", { user_id: "alice" });
const memories = await client.search("communication style", { user_id: "alice" });
Excellent for personalization. The ecosystem breadth — 21 framework integrations, MCP server, AWS Bedrock, LangChain, CrewAI — is unmatched. Graph memory (Pro tier, $249/mo) is the most-cited developer complaint.
Zep
Zep's differentiator is Graphiti — a temporal knowledge graph where every fact has a validity window. "Alice is the project lead" becomes a node with a start time. When Alice steps down, the old fact is invalidated (not deleted). This enables temporal reasoning: "What did the agent know about Alice's role last quarter?"
await zep_client.thread.add_messages(thread_id, messages=[
Message(name="Alice", role="user", content="I'm stepping down as project lead next month.")
])
context = zep_client.thread.get_user_context(thread_id="thread_id", mode="basic")
Zep scores 63.8% on LongMemEval vs Mem0's 49.0% — a real gap for temporal reasoning tasks. Trade-off: Community Edition deprecated April 2025, self-hosting now requires Graphiti + graph database operational overhead.
Trace Continuity
Trace Continuity stores memories as text with semantic search for retrieval. The focus is what happens to data before and after storage: who redacted what, who accessed what, when things expire.
const response = await fetch('https://tracecontinuity.com/v1/memories', {
method: 'POST',
headers: { 'Authorization': `Bearer ${process.env.TCL_API_KEY}`, 'Content-Type': 'application/json' },
body: JSON.stringify({
content: "Patient John Smith (SSN 078-05-1120) prefers morning appointments.",
agent_id: "intake-bot",
ttl_days: 365
})
});
// What gets stored: "Patient [REDACTED] prefers morning appointments."
// Governance events logged: PII_REDACTED (SSN), PII_REDACTED (name)
// TTL set: auto-expires after 365 days
One API call. Every governance action happens automatically.
The governance gap: what neither competitor solves
PII redaction
In a healthcare or fintech context, your AI agents receive inputs that may contain SSNs, credit card numbers, email addresses, dates of birth, names — and that context gets stored as memory.
Neither Mem0 nor Zep runs a PII scan before storage. If your agent passes "Patient DOB: 1978-04-15, SSN: 078-05-1120" to Mem0's add(), that data enters the vector store as-is.
Trace Continuity runs PII redaction as part of the write path — before anything touches storage. The original text never reaches the database.
Retention policies
Neither Mem0 nor Zep has configurable retention policies as a product feature. You can delete memories manually, but there's no "expire memories after 90 days" capability built in.
Trace Continuity enforces TTL at the infrastructure layer. Set ttl_days: 90 and the memory auto-purges. Per-tenant policies can enforce maximum retention regardless of what individual agents specify.
Audit logging
With Mem0 or Zep, the answer to "show me every time an AI agent accessed patient memory records last quarter" is: "We don't have that."
With Trace Continuity, every read, write, and delete generates an immutable governance event: agent ID, tenant, timestamp, action type, what was redacted.
Multi-tenant isolation
Mem0 uses namespace-level isolation (user_id or app_id parameters). If the application layer passes the wrong user ID — memories can leak across tenants.
Trace Continuity enforces isolation at the architecture layer. The API key itself is scoped to a tenant. A mismatch returns a 403 — not a filtered result, a hard rejection.
The code comparison
Mem0 — writing memory:
await client.add([{ role: "user", content: userInput }], { user_id: userId });
// Stored as-is. No PII scan. No TTL. No audit record.
Zep — writing memory:
await zep.thread.add_messages(thread_id, messages=[Message(role="user", content=user_input)])
# Stored in temporal knowledge graph. No PII scan. No TTL. No audit record.
Trace Continuity — writing memory:
const res = await fetch('https://tracecontinuity.com/v1/memories', {
method: 'POST',
headers: { 'Authorization': `Bearer ${apiKey}`, 'Content-Type': 'application/json' },
body: JSON.stringify({ content: userInput, agent_id: agentId, ttl_days: 90 })
});
// PII scanned and redacted before storage.
// TTL set: auto-purge after 90 days.
// Governance event logged: who wrote what, when, what was redacted.
// Tenant isolation enforced at the API key layer.
The code differences reflect the architecture. You can't bolt these capabilities onto Mem0 or Zep in application code and get the same guarantee — the guarantee comes from the infrastructure running before your code can make mistakes.
When to use each
Choose Mem0 if: You need the fastest path to production, building a consumer product with no regulated data, need ecosystem breadth (LangChain, CrewAI, AWS Bedrock, Vercel AI). ~52K GitHub stars. The default choice when governance isn't a constraint.
Choose Zep if: Temporal reasoning is core to your use case — facts that change over time, validity windows, superseded facts. Research tools or knowledge graph applications. LongMemEval advantage (63.8% vs 49.0%).
Choose Trace Continuity if: Building in healthcare, fintech, HR tech, legal, insurance, or government. Your compliance team is involved. You need PII handled before storage — not cleaned up afterward. You've been asked "how do we handle memory deletion requests?" by a lawyer or auditor.
Pricing summary
| Trace Continuity | Mem0 | Zep | |
|---|---|---|---|
| Free | 500 memories, full governance | 10K memories | 1,000 credits |
| Entry paid | $99/mo | $19/mo (no graph) | Usage-based |
| Graph memory | Vector + semantic | $249/mo (Pro) | Included (Graphiti) |
| BAA available | ✅ Enterprise | ✅ Enterprise | ✅ Enterprise |
Governance is included at every Trace Continuity tier, not sold separately.
Bottom line
Mem0 = best-in-class general-purpose memory with minimal setup friction. Dominates on ecosystem and ease of use.
Zep = best-in-class for temporal knowledge graphs. When you need to model how facts evolve over time.
Trace Continuity = built for the question neither competitor was designed to answer: what happens to the data? If your answer to that question affects your company's legal and compliance posture, it's the right infrastructure.
Try the Playground to test PII redaction in 30 seconds — no API key required. Or get started free →.
Originally published on Trace Continuity Labs
Top comments (0)