Our Security Commitment

As a security company, we hold ourselves to the highest standards. We believe you can't protect others if you can't protect yourself. Here's how we secure MCPShield.

Infrastructure Security

Encryption

All data is encrypted in transit (TLS 1.3) and at rest (AES-256).

Network Security

Firewalls, DDoS protection, and network segmentation.

24/7 Monitoring

Continuous monitoring for threats and anomalies.

Application Security

  • Authentication: JWT tokens with short expiration, bcrypt password hashing
  • API Keys: Cryptographically random, securely hashed storage
  • Rate Limiting: Protection against brute force and abuse
  • Input Validation: Strict validation on all inputs
  • SQL Injection: Parameterized queries through ORM
  • XSS Protection: React's built-in escaping, Content Security Policy
  • CSRF Protection: Token-based protection on all mutations

Agent Security

Our agent is designed with privacy and security as core principles:

  • No Credential Capture: We NEVER capture actual secret values—only environment variable names
  • Local Config Storage: API keys stored with appropriate file permissions
  • Minimal Permissions: Agent only reads config files, nothing else
  • Secure Communication: All API calls over HTTPS
  • Open Scanning: We're transparent about what paths are scanned

Data Protection

  • Multi-Tenancy: Complete data isolation between organizations
  • Minimal Data: We only collect what's necessary for the service
  • Data Retention: Configurable retention policies, default 90 days for logs
  • Backup: Encrypted backups with point-in-time recovery
  • Deletion: Complete data deletion upon account termination

Compliance

  • SOC 2 Type II: Available for Enterprise customers
  • GDPR: Compliant with EU data protection regulations
  • CCPA: Compliant with California privacy requirements
  • DPA: Data Processing Agreements available on request

Vulnerability Disclosure

We welcome responsible disclosure of security vulnerabilities. If you discover a security issue, please report it to:

Email: security@mcpshield.app

We commit to:

  • Acknowledge receipt within 24 hours
  • Provide regular updates on remediation progress
  • Not pursue legal action against good-faith reporters
  • Credit researchers who wish to be acknowledged

Security Updates

We maintain an active security program:

  • Regular penetration testing
  • Automated vulnerability scanning
  • Dependency updates and patching
  • Security-focused code reviews
  • Employee security training

Contact

For security concerns or questions: