MCPLinkLayer protects every tool call, every credential, and every data flow — with a semantic firewall, envelope encryption, tenant isolation, and full audit trails.
Hosted in Germany. GDPR/DSGVO compliant. Every feature described here is implemented in production.
Every tool call, resource read, and prompt get passes through a pipeline of 7 stateless security scanners — on both the request and response side. The firewall operates in enforce, shadow, or disabled mode per deployment.
Detects API keys, tokens, private keys, and connection strings before they reach tools or leave the platform.
Identifies personal data like SSNs, credit card numbers, IBANs, and email addresses in tool arguments and results.
Catches system override attempts, role impersonation, delimiter injection, and response poisoning.
Blocks dangerous shell commands (rm -rf, DROP TABLE), SQL injection, reverse shells, and force pushes.
Detects exfiltration endpoints (webhook.site, ngrok), credentials in URLs, and internal network access attempts.
Catches bulk data extraction patterns, SELECT *, pagination bypass, and oversized response payloads.
Detects privilege escalation (sudo), path traversal, command chaining, and subcommand injection.
Request rejected immediately. Container never called. Full audit entry.
Sensitive content replaced with safe placeholders. Execution continues with cleaned data.
Execution paused. Admin must approve or deny within 5 minutes.
Finding recorded in audit trail. Execution continues unchanged.
The firewall scans across all MCP transports, not just REST.
Every credential is encrypted with a unique per-tenant Data Encryption Key (DEK). The DEK itself is encrypted with a Key Encryption Key (KEK) managed by your choice of KMS provider.
AES-128-CBC + HMAC-SHA256 authenticated encryption. Plaintext is never stored in the database.
Each tenant gets a unique random encryption key. Compromise of one tenant's data does not expose others.
KEK managed via Local Fernet (default), AWS KMS, or HashiCorp Vault Transit. Pluggable at deployment.
Rotate tenant DEKs without downtime. All credentials re-encrypted atomically with version tracking.
Credentials are decrypted only at container start time and injected as environment variables. The LLM never receives plaintext.
A global log sanitizer filters all logs for secret patterns (API keys, tokens, passwords) before they reach disk.
Multi-tenancy is enforced at the PostgreSQL level via Row-Level Security (RLS). Even if the application layer has a bug, the database prevents cross-tenant data access.
PostgreSQL RLS policies enforce tenant_id = current_tenant_id() on every query. Fail-closed: if tenant context is missing, all queries return zero rows.
Four principal types (Human, Agent, Service, Workflow). API keys stored as SHA-256 hashes only — plaintext shown once at creation.
Fine-grained access control with allow/deny/rate-limit rules. Pattern matching on server names, tool names, and capability types.
Unknown OAuth scopes require admin approval. Predefined scope packs classify risk levels (low/medium/high/critical).
Deny-by-default: servers must have explicit connection grants to use OAuth credentials. Grants are individually revocable.
MCP server containers run as non-root (UID 1000), with read-only filesystem, no privilege escalation, and all Linux capabilities dropped.
Over 50 distinct audit actions are tracked across the platform. Every tool call, login, credential access, configuration change, and governance decision is logged with tenant isolation.
11 actions
Tool calls, resource reads, server start/stop, bridge requests
19 actions
Login, OAuth flows, token revocation, device registration
7 actions
Registration, data export (Art. 20), account deletion (Art. 17)
5 actions
Block, redact, require approval, log only, confirmation resolved
All servers and data exclusively in German data centers. Your data never leaves the EU.
Full data portability endpoint (Art. 20). Users can export all their data as structured JSON at any time.
Complete account deletion (Art. 17) with container cleanup. Audit logs retained per legal obligation exception (Art. 17(3)(e)).
Let's Encrypt certificates with auto-renewal. All HTTP traffic redirected to HTTPS. HSTS enabled with 1-year max-age.
X-Frame-Options: DENY, X-Content-Type-Options: nosniff, Referrer-Policy, Permissions-Policy for camera/mic/payment disabled.
Docker network separation: internal network (database, backend, containers) and web network (reverse proxy, frontend). No direct public access to backend services.
We publish our DPA (Art. 28 GDPR), privacy policy, and legal notice. For security-specific inquiries, contact us directly.