Data Processing Agreement

Last updated: 10 June 2026 · Governs processing under Art. 28 GDPR

1. Parties

This Data Processing Agreement (“DPA”) is entered into between:

  • Controller — the legal entity or individual that has agreed to the MCPShield Terms of Service (“Customer”, “you”).
  • Processor — MCPShieldVow, the operator of the MCPShield platform, acting on the Controller’s behalf (“we”, “us”).

This DPA forms part of, and is subject to, the Terms of Service. In the event of a conflict between this DPA and the Terms, this DPA shall prevail with respect to data-protection obligations.

2. Subject matter and purpose

The Processor provides a cloud-based MCP runtime sandbox, threat-intelligence network, and cryptographic supply-chain attestation service (“Service”). In doing so, the Processor processes personal data on behalf of the Controller solely to deliver, maintain, and improve the Service as described in the Terms of Service and this DPA.

3. Nature of processing

Processing operations carried out on behalf of the Controller include:

  • Storage and retrieval of account and configuration data.
  • Execution of MCP tool-call events within an isolated sandbox environment.
  • Threat-intelligence analysis of MCP traffic (payload hashing, IOC matching, anomaly scoring).
  • Cryptographic attestation of MCP server supply-chain artefacts.
  • Transmission of aggregated telemetry and audit logs to the Controller via the console and API.

4. Categories of data subjects and personal data

The Controller may submit personal data to the Service relating to the following categories of data subjects:

  • End users — employees, contractors, or users of the Controller’s systems who interact with MCP servers.
  • Administrators — individuals authorised by the Controller to manage the MCPShield console.

Personal data categories may include:

  • Account identifiers (email address, display name).
  • Authentication credentials (passkey public key; never secret keys or passwords).
  • IP addresses and request logs retained for 30 days (CONST-STACK-11).
  • MCP telemetry — tool-call metadata, sandbox outcomes, and threat-intel signals. Message content is not retained unless the Controller explicitly enables it.

Special-category data (Art. 9 GDPR) must not be submitted to the Service unless the Controller has obtained explicit consent and notified the Processor in writing.

5. Processor obligations (Art. 28(3) GDPR)

The Processor shall:

  • Process personal data only on documented instructions from the Controller, including with regard to international transfers, unless required by EU or Member State law to process otherwise.
  • Ensure that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • Implement technical and organisational measures as described in Section 8 of this DPA.
  • Respect the conditions for engaging sub-processors described in Section 7 of this DPA.
  • Assist the Controller with data-subject rights requests (access, rectification, erasure, restriction, portability, objection) to the extent reasonably possible given the nature of the processing.
  • Assist the Controller in complying with its obligations under Arts. 32–36 GDPR (security, breach notification, DPIA, prior consultation).
  • At the Controller’s choice, delete or return all personal data after the end of service provision, and delete existing copies unless EU or Member State law requires storage.
  • Make available to the Controller all information necessary to demonstrate compliance with Art. 28 GDPR and contribute to audits and inspections as described in Section 9.

6. Duration

This DPA remains in force for the duration of the Terms of Service. Obligations regarding confidentiality and deletion of personal data survive termination of the Terms for a period of five (5) years, or such longer period as required by applicable law.

7. Sub-processors

The Controller grants general written authorisation for the Processor to engage the following sub-processors. The Processor shall impose data-protection obligations equivalent to those in this DPA on each sub-processor by contract.

  Sub-processor  | Purpose                                                                  | Location
  ---------------|--------------------------------------------------------------------------|---------------------------------------
  Hetzner / OVH  | EU VPS hosting — PostgreSQL, MinIO, Redis (CONST-STACK-11)               | EU (EEA)
  Cloudflare     | DNS, CDN, DDoS protection — processes IP addresses at edge; DPA in place | EU edge nodes (SCCs for non-EU PoPs)

The Processor shall notify the Controller of any intended changes to sub-processors at least 30 days in advance by updating this page and sending an in-console notification. The Controller may object in writing within 14 days of notice. If no agreement is reached, either party may terminate the Terms without penalty.

8. Security measures (Art. 32 GDPR)

The Processor maintains the following technical and organisational measures:

  • Encryption in transit — TLS 1.2+ enforced on all endpoints; HSTS enabled.
  • Encryption at rest — all storage volumes (PostgreSQL, MinIO, Redis) use encrypted disks.
  • Authentication — Ed25519 JWT (1-hour access token, 7-day httpOnly refresh cookie) and WebAuthn passkeys (CONST-STACK-05).
  • Access control — production infrastructure access is restricted to named engineers with MFA; least privilege enforced.
  • Network segmentation — MCP sandbox containers are isolated with network-level egress filtering.
  • Logging and monitoring — structured JSON logs (CONST-LOG-01); access logs retained 30 days; anomaly alerts for privileged actions.
  • Vulnerability management — dependency audits on every CI run; CVE triage within 72 hours for critical findings.

9. Audit rights

The Controller may, on reasonable written notice of at least 30 days and no more than once per 12-month period, conduct or commission an audit of the Processor’s processing activities under this DPA. Audits shall be conducted during normal business hours, at the Controller’s expense, and in a manner that does not unreasonably disrupt the Processor’s operations. The Processor may satisfy this obligation by providing a current third-party security assessment (SOC 2 Type II or equivalent) in lieu of an on-site audit, subject to the Controller’s reasonable acceptance.

10. International transfers

All personal data is stored and processed within the EEA on EU-region infrastructure (CONST-STACK-11). In the event that any transfer to a third country becomes necessary:

  • The Processor shall rely on Standard Contractual Clauses (SCCs) adopted by the European Commission or another approved safeguard under Chapter V GDPR.
  • The Processor shall conduct a Transfer Impact Assessment (TIA) and notify the Controller prior to commencing any such transfer.

11. Data breach notification

In the event of a personal data breach within the meaning of Art. 4(12) GDPR, the Processor shall notify the Controller without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Notification shall include, to the extent available: the nature of the breach, categories and approximate number of data subjects and records affected, probable consequences, and measures taken or proposed. Further information may be provided in phases if not all details are immediately available.

12. Liability

Each party’s liability under this DPA is subject to the limitations set out in the Terms of Service. Where both parties are responsible for a GDPR infringement:

  • Each party shall be held liable for the damage caused by its own processing in breach of GDPR.
  • A party shall be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage.

13. Contact and DPO

Data-protection queries and DPA requests: privacy@mcpshield.dev. Legal notices: legal@mcpshield.dev. We respond to all DPA-related requests within 30 days.