Skip to main content
This page covers the security architecture, compliance posture, and data handling practices of the Deeto MCP Server.

Compliance & certifications

Deeto maintains the following certifications and compliance programs, all of which apply to the MCP Server as part of the Deeto platform. For a full overview of Deeto’s security posture, visit the public Trust Center: trust.deeto.ai Certification reports and attestation letters are available under NDA upon request.

Architecture & data flow

The Deeto MCP Server runs entirely within Deeto’s infrastructure. There is no third-party intermediary between your AI client and Deeto.
All data returned by the MCP Server is scoped to the workspace associated with the API key. Cross-workspace data access is not possible.
In transit: TLS 1.2+ encryption on all connections. At rest: AWS RDS encryption, covered under the SOC 2 scope. Keys: Stored as one-way SHA-256 hashes server-side. The plaintext key is shown only once at creation time and cannot be retrieved.

Access model

Standard access — Keys are per-user credentials bound to a specific user identity and workspace. Privilege level is set at creation. Every action is traceable to the individual key owner. Lifecycle is managed by the customer. Design Partner Program — For early onboarding, Deeto provisions a single workspace-level key on the customer’s behalf. This key is revoked automatically when the partnership ends. Lifecycle is managed by Deeto.

Privilege levels

Privilege levels control which tools an API key can invoke. Each tool enforces its minimum required privilege on every request. Minimum privilege for a read-only connector: contentViewer

Key management


Penetration testing

Deeto conducts annual penetration tests against its full platform, including the MCP Server, performed by an independent third-party security firm. The latest attestation letter is available under NDA via trust.deeto.ai or by contacting your account manager.

Data retention & deletion

Connector interaction data follows the same retention policy as the rest of the Deeto platform, covered under the SOC 2 scope. No query-level logs are stored beyond what is part of the conversation record. For specific retention periods or data deletion requests, contact privacy@deeto.ai.

Security contact

For security questionnaires, vulnerability disclosures, or custom assessments: