MCPTotal Security Policy

1. Compliance

• MCPTotal is SOC 2 Type II compliant. We implement, maintain, and continually improve controls around security, confidentiality, and availability.
• We undergo independent annual audits, pen-tests and continuous evaluation as part of this compliance.
• Our compliance program also aligns with relevant global data protection regulations (e.g. GDPR, CCPA) as required.

2. Customer Data Protection & Encryption

Account Authentication & Authorization (for platform login)

• Passwords are salted & hashed, stored in encrypted databases.
• Users (or customers) can enable MFA / 2FA for their accounts.
• Role-based access (RBAC) is available for different access levels (admins, users, etc.).

Encryption

• Data in transit is encrypted (TLS).
• Data at rest is encrypted using EBS which uses industry-standard encryption (e.g. AES-256 or FIPS-compliant).

Credentials & Third-Party Integrations (at the MCP servers level)

• When customers link third-party services (via API keys, OAuth, etc.), MCPTotal recommends using secure methods (OAuth where possible, scoped keys).
• Credentials are stored securely in a proprietary vault. More on that in our security overview blog.
• Having a vault means only specific containers can access a specific set of credentials, unlike the whole backend accessing a DB and fetching whatever it wants.
• We don't log credentials in live executions by default.

Data Residency & Deletion

• All data is stored in AWS US data centers.
• Every MCP Server's data is stored isolated from everything else using AWS EBS. This is enforced in the following way - Each space receives its own EBS allocation. Within each space, MCP servers are isolated through containerization: specific paths are mounted to Podman, preventing different MCP server containers from accessing anything outside of their designated volumes.
• MCP servers independently determine which data to cache according to how they work; we simply provide transparent hosting and do not access this data in any way.
• Upon a user's deletion of their MCPTotal space or a specific MCP server, all associated data will be immediately erased.

3. Infrastructure & Hosting

• MCPTotal uses hardened, monitored infrastructure. We use AWS US data centers to meet high compliance, security, and certification standards. We use EKS and Bottlerocket with immutable disks.
• All production services are logically isolated; access to infrastructure resources is tightly controlled.
• Backups are performed regularly, encrypted, and stored in secure, geographically appropriate locations.

4. MCP Server Hosting

• MCP Servers run in a single tenant environment (dedicated pod) for the data plane per customer per space.
• Each tenant has its own Kubernetes namespace.
• Each MCP server runs in a container, thus fully isolated from others.
• You can read more about our Kubernetes and security architecture in this blog.

5. Secure Development Practices

• We maintain separate environments for testing, staging, and production.
• Accessing the environments requires 2fa, and login resets every 12h.
• New code is reviewed by someone other than the author (code review).
• Use of CI/CD pipelines with checks, including static analysis / SAST tools to catch vulnerabilities early.
• Strict change management: restricted permissions for deployments, only authorized personnel can push to production.

6. Access Controls

• Access privileges follow the principle of least privilege.
• Privileged access requires multi-factor authentication.
• Access is reviewed regularly (e.g. on role change, off-boarding, periodic audits).

7. Threat & Vulnerability Management

• Regular vulnerability scans (internal and/or third party) on production systems.
• At least annual external penetration testing. Or every time a new big feature is shipped.
• Intrusion detection / monitoring systems in place.
• A defined vulnerability disclosure process.

8. Business Continuity & Incident Recovery

• Defined incident response plan, including containment, investigation, remediation, and customer notification as required.
• Regular backups with tested restoration procedures.
• Disaster recovery plan for major failures.

9. Corporate Security & Employee Policies

• Employee onboarding includes security / privacy training.
• Background checks and appropriate confidentiality / data protection agreements with employees & contractors.
• Strict off-boarding process: revoke access, retrieve assets etc.
• Workstations / devices follow security best practices (e.g. encryption, anti-malware, auto updates, lock screens).

10. Transparency & Customer Rights

• Customers can request access to our SOC 2 report (for eligible plans/customers).
• We publish summaries of our security practices.
• We support a data processing agreement (DPA) as needed.
• Vulnerability disclosure policy: customers / security researchers can report security concerns, and we commit to investigating in a timely manner.

11. Bug Bounties and the Security Researcher Community

• We appreciate community-reported security bugs at security@mcptotal.ai.
• Should a report confirm a security vulnerability, we will immediately initiate the patching process and might notify our customers accordingly.
• A monetary award may be granted to the security researcher at our discretion.