All legal agreements governing the MCP Fortress service. Enterprise customers can request executed copies via legal@mcpfortress.com.
MCP Fortress ("Service") provides a managed gateway for the Model Context Protocol (MCP) that enables organizations ("Customer") to govern, audit, and control how AI assistants access Customer's SaaS applications. The Service includes a policy engine, credential vault, PII redaction engine, audit trail, and administrative dashboard.
You must register using a valid work email and provide accurate company information. Each organization receives one workspace. You are responsible for maintaining the confidentiality of your API keys and admin credentials. Notify us immediately of unauthorized access.
The Service is designed for legitimate business use of AI-SaaS integration governance. You may not: use the Service to circumvent SaaS vendor terms of service, attempt to reverse-engineer the gateway infrastructure, exceed rate limits through automated abuse, or use the Service for any unlawful purpose. We reserve the right to suspend accounts that violate these terms with 24 hours written notice except in cases of imminent security risk.
MCP Fortress processes Customer Data only as a data processor acting on your instructions. "Customer Data" means SaaS API credentials stored in the vault and API response content that transits the gateway. We do not retain API response content — it passes through the gateway in real-time and is not stored. Audit logs record metadata (timestamp, user, action, connector, decision) but never API response payloads or credential values. Credential storage and encryption are governed by your selected tier (SOHO/Team/Enterprise).
You retain all rights to your Customer Data. We retain all rights to the Service, including the gateway infrastructure, policy engine, connector definitions, and administrative interface. You are granted a non-exclusive, non-transferable license to use the Service during your subscription term.
Pricing is based on your selected tier and user pack. Billing is monthly in arrears. Active users exceeding the contracted pack size are billed at 1.25× the base rate. Invoices are due within 30 days. We do not block users who exceed pack size — production continuity is guaranteed. Disputed charges must be raised within 60 days of the invoice date.
Either party may terminate with 30 days written notice. Upon termination, your access to the dashboard is revoked, all credentials in the vault are permanently deleted within 72 hours, and audit logs are retained for the period specified by your tier (90 days, 1 year, or 7 years) then permanently deleted. You may export audit data before termination.
To the maximum extent permitted by law, MCP Fortress's total liability for any claims arising from the Service is limited to the fees paid by Customer in the 12 months preceding the claim. We are not liable for: SaaS provider outages or API changes, loss of data due to Customer-initiated kill switch or credential revocation, or consequential, incidental, or punitive damages.
Customer agrees to indemnify MCP Fortress against claims arising from: Customer's violation of SaaS vendor terms, Customer Data content, or Customer's misconfiguration of policies resulting in unauthorized access. MCP Fortress agrees to indemnify Customer against claims arising from our breach of the DPA or unauthorized access to the vault infrastructure.
These terms are governed by the laws of the State of Arizona, United States. Any disputes shall be resolved through binding arbitration in Maricopa County, Arizona.
Account Information: Work email, name, company name, and billing details provided during registration. Usage Data: Dashboard interactions, API request metadata (timestamp, action, connector, decision, latency), and aggregate usage statistics. Customer Credentials: SaaS API keys/tokens stored in the vault, encrypted at rest per your selected tier.
We do not store API response content — SaaS API responses transit the gateway in real-time and are relayed to the AI assistant without persistence. We do not track individual end-user behavior within SaaS applications. We do not collect personal data from your SaaS accounts beyond what transits the gateway. PII redacted by the redaction engine is masked before it reaches the AI assistant and is never stored in its unmasked form.
Account information is used to provide the Service and communicate about your account. Usage metadata populates your admin dashboard (Status Board, Traffic Feed, Billing). Aggregated, anonymized usage statistics may be used to improve the Service. We do not sell, rent, or share your information with third parties for marketing purposes.
Account information: retained while your account is active, deleted within 90 days of account termination. Audit logs: retained per your tier (SOHO: 90 days, Team: 1 year, Enterprise: 7 years), then permanently deleted. Vault credentials: deleted within 72 hours of connector removal or account termination. Usage metrics: retained in aggregated form for 2 years.
Under GDPR and applicable data protection laws, you have the right to: access your personal data, correct inaccurate data, delete your account and associated data, export your audit logs, restrict processing, and object to processing. Contact privacy@mcpfortress.com to exercise these rights. We respond within 30 days.
The Service infrastructure is hosted in AWS regions. Data may be processed in the United States and the European Union. For EU customers, we maintain Standard Contractual Clauses (SCCs) as part of our DPA. Enterprise tier customers may select a single-region deployment to meet data residency requirements.
We implement encryption at rest (AES-256) and in transit (TLS 1.3), per-request memory-only credential decryption, role-based access controls on internal systems, and immutable append-only audit logs. See our Security page for the full compliance framework mapping.
The admin dashboard uses essential session cookies only. We do not use tracking cookies, advertising cookies, or third-party analytics cookies. No consent banner is required because we use only strictly necessary cookies.
This Data Processing Agreement ("DPA") is entered into between the Customer ("Data Controller") and MCP Fortress, Inc. ("Data Processor") and supplements the Terms of Service.
MCP Fortress processes Customer Data solely for the purpose of providing the gateway service: evaluating access policies, resolving credentials, proxying API requests, applying PII redaction, and generating audit logs. Processing occurs only on Customer's documented instructions.
Credential Data: SaaS API tokens and keys stored in the vault. Transit Data: SaaS API responses passing through the gateway in real-time (not stored). Metadata: Request logs including timestamp, user identity, action, connector, policy decision, and latency. Admin Data: Dashboard configuration changes recorded in the Change Log.
MCP Fortress implements: AES-256 encryption at rest for all stored data, TLS 1.3 encryption in transit, per-request memory-only credential decryption with sub-second lifespan, three-tier credential isolation (managed, customer-key, zero-trust mTLS), immutable append-only audit logs, RBAC on internal systems with quarterly access reviews, SOC 2 Type II aligned controls, and ISO 27001 aligned information security management system. Full mapping available on our Security page.
Current sub-processors are listed on our Sub-Processors page. We provide 30 days advance notice before engaging new sub-processors. Customer may object to a new sub-processor within 14 days. If the objection cannot be resolved, Customer may terminate the affected services without penalty.
MCP Fortress will assist Customer in responding to data subject requests (access, rectification, erasure, portability) within 10 business days of notification. Costs for extraordinary requests are borne by Customer.
MCP Fortress will notify Customer of any confirmed personal data breach without undue delay and within 72 hours of confirmation. Notification will include: nature of the breach, categories and approximate number of affected records, likely consequences, and measures taken to address the breach.
Customer may audit MCP Fortress's compliance with this DPA once per calendar year with 30 days written notice. Audit scope covers security controls relevant to Customer Data. Alternatively, Customer may review our SOC 2 Type II report and ISO 27001 certification in lieu of an on-site audit.
Upon termination of the Service, MCP Fortress will permanently delete all Customer Data within the timeframes specified in the Privacy Policy. Customer may request a data export before termination. Deletion is certified in writing upon request.
For processing subject to GDPR: MCP Fortress acts as processor under Article 28. Standard Contractual Clauses (Module 2: Controller to Processor) are incorporated by reference. MCP Fortress will process data only within the EEA and approved jurisdictions unless Customer explicitly authorizes otherwise.
Availability: The BAA is available on the Enterprise tier only. Contact sales@mcpfortress.com to execute.
This Business Associate Agreement ("BAA") is required when Customer is a Covered Entity or Business Associate under HIPAA and uses the Service to process Protected Health Information ("PHI"). MCP Fortress agrees to be designated as a Business Associate.
MCP Fortress may use or disclose PHI solely for: performing its obligations under the Service Agreement, and as required by law. MCP Fortress will not use or disclose PHI for marketing, sell PHI, or use PHI for any purpose not expressly permitted.
MCP Fortress implements administrative, physical, and technical safeguards appropriate to protect PHI including: Enterprise tier mTLS (PHI credentials never stored in our infrastructure), PII redaction engine configured to detect and mask PHI fields (patient names, MRNs, dates of birth), AES-256 encryption at rest with customer-managed keys, TLS 1.3 encryption in transit, and access controls limiting MCP Fortress personnel access to PHI to those with a demonstrated need.
MCP Fortress will report any Breach of Unsecured PHI to Customer without unreasonable delay and no later than 30 calendar days after discovery. Report will include: identification of each individual affected (if known), description of the breach, types of PHI involved, and remediation steps taken.
MCP Fortress will ensure that any subcontractor that creates, receives, maintains, or transmits PHI on behalf of MCP Fortress agrees to substantially similar restrictions as contained in this BAA.
MCP Fortress will make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of HHS for purposes of determining Customer's compliance with HIPAA. MCP Fortress will provide access to PHI within 10 business days of a written request.
Upon termination, MCP Fortress will return or destroy all PHI received from Customer or created on Customer's behalf. If return or destruction is not feasible, MCP Fortress will extend the protections of this BAA to the remaining PHI and limit further uses and disclosures to those purposes that make return or destruction infeasible.
Downtime is defined as the gateway returning 5xx errors or failing to respond to valid MCP requests for more than 5 consecutive minutes. The following are excluded from downtime calculations: scheduled maintenance (announced 72 hours in advance), SaaS provider outages (Zendesk, Salesforce, etc. being down is not MCP Fortress downtime), force majeure events, and Customer-initiated actions (kill switch activations, credential deletions).
If monthly uptime falls below the committed target for your tier, service credits are applied to the next invoice. Credits are calculated as: (committed uptime% minus actual uptime%, measured in percentage points) × 10 × monthly fee, capped at the maximum credit percentage for your tier. Example: Team tier (99.9% commitment) at 99.7% actual uptime = (99.9 - 99.7) × 10 = 2% of the monthly fee as credit.
Submit credit requests to sla@mcpfortress.com within 30 days of the affected month. Include your org ID and the dates/times of experienced downtime. We will validate against our monitoring data and apply credits within one billing cycle.
MCP Fortress operates a public status page at status.mcpfortress.com showing real-time gateway health, planned maintenance windows, and historical uptime. Customers receive email notifications for SEV 1 and SEV 2 incidents. Enterprise tier includes a dedicated Slack channel for incident communication.
MCP Fortress uses a minimal set of sub-processors to deliver the Service. We provide 30 days advance email notice before engaging any new sub-processor. Enterprise customers may object within 14 days.