> ## Documentation Index
> Fetch the complete documentation index at: https://knowledge.deeto.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Security

> Compliance certifications, architecture, key management, penetration testing, and data handling for the Deeto MCP Server.

This page covers the security architecture, compliance posture, and data handling practices of the Deeto MCP Server.

***

## Compliance & certifications

Deeto maintains the following certifications and compliance programs, all of which apply to the MCP Server as part of the Deeto platform.

| Certification | Scope                                                              |
| ------------- | ------------------------------------------------------------------ |
| SOC 2 Type II | Security, Availability, and Confidentiality trust service criteria |
| ISO/IEC 27001 | Information security management system                             |
| CSA STAR      | Cloud security assurance                                           |
| GDPR          | EU data protection and privacy                                     |
| HIPAA         | Health information privacy (where applicable)                      |

For a full overview of Deeto's security posture, visit the public Trust Center: [trust.deeto.ai](https://trust.deeto.ai)

Certification reports and attestation letters are available under NDA upon request.

***

## Architecture & data flow

The Deeto MCP Server runs entirely within Deeto's infrastructure. There is no third-party intermediary between your AI client and Deeto.

```
AI Client → (① HTTPS + API key) → AWS API Gateway
                                        ↓ ② Authenticate + route
                                   Deeto MCP Server
                                        ↓ ③ Query workspace data
                                   Deeto Database
                                        ↓ ④ Results
                                   Deeto MCP Server
                                        ↓ ⑤ JSON-RPC Response
AI Client ←─────────────────────────────────────────
```

<Note>
  All data returned by the MCP Server is scoped to the workspace associated with the API key. Cross-workspace data access is not possible.
</Note>

**In transit:** TLS 1.2+ encryption on all connections.

**At rest:** AWS RDS encryption, covered under the SOC 2 scope.

**Keys:** Stored as one-way SHA-256 hashes server-side. The plaintext key is shown only once at creation time and cannot be retrieved.

***

## Access model

**Standard access** — Keys are per-user credentials bound to a specific user identity and workspace. Privilege level is set at creation. Every action is traceable to the individual key owner. Lifecycle is managed by the customer.

**Design Partner Program** — For early onboarding, Deeto provisions a single workspace-level key on the customer's behalf. This key is revoked automatically when the partnership ends. Lifecycle is managed by Deeto.

***

## Privilege levels

Privilege levels control which tools an API key can invoke. Each tool enforces its minimum required privilege on every request.

| Privilege       | Tools available                                               | Recommended for                       |
| --------------- | ------------------------------------------------------------- | ------------------------------------- |
| `contentViewer` | get-stats, get-people, get-companies, get-contents            | Read-only integrations, BI connectors |
| `rep`           | All above + get-prospects-dashboard, get-content-instructions | Sales team integrations               |
| `manager`       | All above + start-agent                                       | Automated AI workflows                |
| `admin`         | All above + create-company, create-person, save-draft-content | Full integrations with write access   |

**Minimum privilege for a read-only connector:** `contentViewer`

***

## Key management

| Capability                 | Supported         | Notes                                                                             |
| -------------------------- | ----------------- | --------------------------------------------------------------------------------- |
| Immediate revocation       | ✅ Yes             | Revoked keys are rejected on the next request — no propagation delay              |
| Key rotation               | ✅ Yes             | Generate a new key and revoke the old one at any time via the Deeto admin console |
| Automatic expiration (TTL) | 🔄 In development | Keys can be manually revoked at any time in the interim                           |
| IP allowlist               | ❌ No              | Not currently supported                                                           |

***

## Penetration testing

Deeto conducts annual penetration tests against its full platform, including the MCP Server, performed by an independent third-party security firm.

The latest attestation letter is available under NDA via [trust.deeto.ai](https://trust.deeto.ai) or by contacting your account manager.

***

## Data retention & deletion

Connector interaction data follows the same retention policy as the rest of the Deeto platform, covered under the SOC 2 scope. No query-level logs are stored beyond what is part of the conversation record.

For specific retention periods or data deletion requests, contact [privacy@deeto.ai](mailto:privacy@deeto.ai).

***

## Security contact

For security questionnaires, vulnerability disclosures, or custom assessments:

* **Email:** [support@deeto.ai](mailto:support@deeto.ai)
* **Trust Center:** [trust.deeto.ai](https://trust.deeto.ai)
