Security & compliance

Honest answers about how we protect your data.

We're an indie team and we don't hide behind marketing copy. Below: every control we have in place today, what's actively being built (SOC 2 Type I in progress with Vanta), and what's on the roadmap. Every entry links back to a real implementation choice or a public partner page.

For procurement and security questionnaires, email support@mcpspend.com — we typically reply within one business day.

Data protection

Encryption in transit

In place

All HTTP traffic is served over TLS 1.2 or newer (HTTPS). Cipher suites are enforced by Caddy at the edge.

Encryption at rest — secrets

In place

Sensitive configuration values (Slack webhook URLs, and personal access tokens once supported) are encrypted with AES-256-GCM under a key held in APP_ENCRYPTION_KEY on the API server. Because the key lives only on the API server and not in the database, a database dump alone does not expose these values.

Encryption at rest — database

In place

Postgres volume on encrypted disk at the hosting provider.

API key hashing

In place

API keys are stored only as SHA-256 hashes; the plaintext is never written to disk. We cannot recover a lost key, only revoke it and issue a new one. A fast unsalted hash is appropriate here because the keys are generated as long random strings, which is not true of user-chosen passwords (see Password hashing below).

Password hashing

In place

bcrypt with cost factor 12.

No tool arguments collected

In place

Our proxy reports only metadata (tool name, server name, latency, payload size). Tool arguments and responses never leave your machine.

Hosting & isolation

EU-hosted infrastructure

In place

Servers in Hostinger EU data centers. All data — DB, Redis, logs — stays in the EU.

Per-organization data isolation

In place

Every API endpoint scopes its database queries by the organizationId of the authenticated caller, so a request cannot read or modify another tenant's rows at the query layer.

Stripe — no card data on our servers

In place

Stripe Checkout collects all card data; we receive and store only a Stripe customer ID. Card handling therefore falls within Stripe's PCI DSS Level 1 and SOC 2 scope rather than ours.

Dedicated single-tenant deployment

On roadmap

Planned for Enterprise: a separate VPS and database on your own subdomain.

Compliance

GDPR-aligned

In place

EU-hosted, anonymous compatibility telemetry, opt-in cookies, and a DPIA available on request. The Privacy Policy details data subject rights.

SOC 2 Type I

In progress

Audit started Q4 2026 with Vanta. Type II expected Q2 2027.

ISO 27001

On roadmap

Roadmap H2 2027 after SOC 2 Type II.

DPA (Data Processing Agreement)

In place

Available for Enterprise customers on request — signed within 5 business days.

HIPAA / PHI

On roadmap

MCPSpend is not currently designed to process PHI. Email support if you need a BAA — we can scope a dedicated deployment.

Operations

Daily Postgres backups

In place

Encrypted snapshots to S3-compatible storage (Cloudflare R2). 30-day retention; a restore drill is run quarterly.

Public status page

In place

mcpspend.com/status — live probes against API, MCP HTTP endpoint, dashboard, npm, Open VSX, Smithery.

Audit log

In place

Append-only record of sensitive actions (billing changes, member changes, API key revocation). Available in the dashboard on Team and higher plans.

Sub-processors disclosed

In place

Full list with purpose and geography below.

Incident notification SLA

In place

We notify affected customers of any breach involving personal data without undue delay and within 72 hours of becoming aware of it, in line with GDPR Art. 33.

Sub-processors

Third parties that process data on our behalf. Listed for GDPR transparency (Art. 28). Enterprise customers receive notification before we add a new sub-processor.

Sub-processor | Purpose | Data shared
Hostinger (EU region) | Application + database hosting (VPS) | All MCPSpend data
Stripe (US/EU, GDPR + DPA in place) | Payment processing | Customer email, billing address, card details (collected by Stripe; we never see card data)
Resend (US, GDPR + DPA in place) | Transactional email delivery | Recipient email and the body of messages we send (magic links, alerts, digests)
Cloudflare R2 (EU region) | Encrypted backup storage | Encrypted Postgres dumps
Google Analytics 4 (US) | Marketing-page traffic analytics, opt-in only | Anonymised IP, page URL, referrer

Responsible disclosure

Found a security issue? Email security@mcpspend.com with reproduction steps. We acknowledge within 48 hours and aim to remediate critical findings within 7 days. We don't run a paid bug bounty yet — we'll credit you publicly with permission and gift Pro plan years to thank you.