Security & Compliance

Security built in, not bolted on.

mcpgate sits between your AI clients and your tools. That position demands real controls — here is exactly what we do, and what we don't claim.

ISO/IEC 27001:2022 — aligned, not certified

mcpgate's information security management is built on and aligned with the controls of ISO/IEC 27001:2022 (Annex A) — encryption, access control, logging, secure development, supplier and incident management. We operate these controls today and maintain them as a living management system.

To be precise: mcpgate is not (yet) certified. No accredited certification body has audited this management system. We treat that distinction as a matter of honesty — when we are certified, we will say so, with the certificate.

What we actually do

Encryption

OAuth tokens and sensitive data are encrypted at rest (Google Cloud KMS or AES-256-GCM). All traffic is TLS, with HSTS enforced.

Access & authentication

OpenID Connect / OAuth 2.0 with PKCE, per-service authorization, and an explicit allow-list guest model. Administration is token-gated.

PII & privacy

Personal data is pseudonymized before it ever reaches an LLM and rehydrated only for the actual tool call. Logs carry hashed identifiers, never raw emails or IPs. GDPR data-subject rights are supported.

Auditability

Security-relevant events — sign-ins, tool calls, admin actions — are recorded in an append-only audit log using hashed identifiers, ready to pipe into your own SIEM.
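The pseudonymize-then-rehydrate flow and the hashed-identifier audit log described above (Personal data is pseudonymized before it reaches the LLM; logs carry hashed identifiers), as an added illustration that is not mcpgate's own code: the model only ever sees placeholders, the real values are restored only for the tool call, and the audit entry carries an HMAC of the user and IP rather than the raw values. The regexes, the `fake_model`/`fake_tool` stand-ins and the `LOG_HASH_KEY` value are constructed for this example; a real deployment would hold the hash key server-side (for instance in KMS).

```python
from __future__ import annotations
import hashlib
import hmac
import json
import re
from dataclasses import dataclass, field

# Constructed key for this example only; keep the real one out of source and logs.
LOG_HASH_KEY = b"example-log-hash-key-not-for-production"

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
TOKEN_RE = re.compile(r"<[A-Z]+_\d+>")

AUDIT_LOG: list[str] = []  # stands in for the append-only sink piped to a SIEM


def hashed_id(value: str) -> str:
    """Keyed hash for identifiers in log lines. HMAC rather than a bare digest so a
    leaked log cannot be reversed by hashing a list of known emails or IPs."""
    return hmac.new(LOG_HASH_KEY, value.encode(), hashlib.sha256).hexdigest()[:16]


@dataclass
class Pseudonymizer:
    """Replaces PII with stable placeholders. The placeholder->value mapping is
    request-scoped: it never leaves this object and is used once to rehydrate."""
    mapping: dict[str, str] = field(default_factory=dict)

    def _token(self, kind: str, value: str) -> str:
        for tok, raw in self.mapping.items():   # reuse the token for a repeated value
            if raw == value:
                return tok
        n = sum(1 for t in self.mapping if t.startswith(f"<{kind}_")) + 1
        tok = f"<{kind}_{n}>"
        self.mapping[tok] = value
        return tok

    def pseudonymize(self, text: str) -> str:
        text = EMAIL_RE.sub(lambda m: self._token("EMAIL", m.group(0)), text)
        text = IPV4_RE.sub(lambda m: self._token("IP", m.group(0)), text)
        return text

    def rehydrate(self, text: str) -> str:
        for tok, raw in self.mapping.items():
            text = text.replace(tok, raw)
        return text


def audit(event: str, user_email: str, client_ip: str, **extra) -> dict:
    """Append one event with hashed identifiers; raw PII never enters the log."""
    entry = {"event": event, "user": hashed_id(user_email),
             "ip": hashed_id(client_ip), **extra}
    AUDIT_LOG.append(json.dumps(entry, sort_keys=True))
    return entry


def handle_tool_call(user_email, client_ip, prompt, model, tool):
    """Model sees placeholders only; the tool gets the rehydrated arguments."""
    p = Pseudonymizer()
    safe_prompt = p.pseudonymize(prompt)
    model_out = model(safe_prompt)              # LLM never receives raw PII
    tool_args = p.rehydrate(model_out)          # restored only for the real call
    result = tool(tool_args)
    audit("tool_call", user_email, client_ip,
          tool=tool.__name__, placeholders=len(p.mapping))
    return safe_prompt, result


def fake_model(prompt: str) -> str:
    # Constructed stand-in for an LLM: plans a call using the placeholders it saw.
    return "notify " + " ".join(TOKEN_RE.findall(prompt))


def fake_tool(args: str) -> str:
    # Constructed stand-in for a downstream tool.
    return f"ok: {args}"


if __name__ == "__main__":
    safe, res = handle_tool_call("alice@example.com", "203.0.113.7",
                                 "Contact alice@example.com from 203.0.113.7",
                                 fake_model, fake_tool)
    print(safe)            # Contact <EMAIL_1> from <IP_1>
    print(res)             # ok: notify alice@example.com 203.0.113.7
    print(AUDIT_LOG[-1])   # hashed user/ip, no raw email or address
```

The check a practitioner cares about is the negative one: after the call, neither the text handed to the model nor the audit line contains the raw email or IP, while the tool still received the real values.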

Secure development & supply chain

Every release runs through CI with automated dependency vulnerability scanning (Renovate, pip-audit, Trivy) and static analysis (Bandit); the security test suite must pass before a build ships.

Hosting & data residency

The hosted services run in the EU — Hetzner, Falkenstein, Germany — on infrastructure certified to ISO/IEC 27001:2022 and BSI C5. Self-hosted deployments stay entirely on your infrastructure.

Backup & continuity

Nightly off-server full-disk backups plus daily encrypted database snapshots; encryption keys are escrowed off the server so backups stay recoverable.

Incident response

A documented response process with a coordinated vulnerability-disclosure path and a GDPR breach-notification procedure.

An AI-governance layer, not just a proxy

Because mcpgate sits on the path between your AI clients and your real tools, it is the right place to govern what AI can see and do:

Least-privilege tool access

AI reaches only the services you allow-list — scoped per user and per service, not all-or-nothing.

Human in the loop

Destructive actions require explicit confirmation; hooks can enforce policy checks before a tool call runs.

Data governance

Personal data is pseudonymized before it reaches the model, and oversized responses are capped.
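The pre-call policy hooks and response cap described under "Human in the loop" and "Data governance" above, as an added example that is not mcpgate's own code: each hook either returns or raises, a destructive tool is blocked until a human has confirmed that exact call, the allow-list is scoped per user, and oversized tool output is truncated before it can reach the model. The tool names in `DESTRUCTIVE_TOOLS`, the 4096-byte limit and the `allowlist` contents are assumptions made for the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable

# Constructed policy for the example: which tools count as destructive, and the cap.
DESTRUCTIVE_TOOLS = {"delete_file", "drop_table", "send_email"}
MAX_RESPONSE_BYTES = 4096


class PolicyDenied(Exception):
    """Raised by a hook to block the call outright."""


class ConfirmationRequired(Exception):
    """Raised when a destructive call has not been explicitly confirmed."""


@dataclass(frozen=True)
class ToolCall:
    user: str
    tool: str
    args: dict
    confirmed: bool = False   # set only after a human approved this exact call


Hook = Callable[[ToolCall], None]   # a hook raises to block, returns to allow


def require_allowlisted(allowlist: dict[str, set[str]]) -> Hook:
    """Per-user, per-tool allow-list: anything not listed is denied."""
    def hook(call: ToolCall) -> None:
        if call.tool not in allowlist.get(call.user, set()):
            raise PolicyDenied(f"{call.user} may not call {call.tool}")
    return hook


def require_confirmation(call: ToolCall) -> None:
    """Destructive tools run only when the call carries explicit confirmation."""
    if call.tool in DESTRUCTIVE_TOOLS and not call.confirmed:
        raise ConfirmationRequired(f"{call.tool} needs explicit confirmation")


def cap_response(text: str, limit: int = MAX_RESPONSE_BYTES) -> str:
    """Truncate oversized tool output and say so, instead of forwarding it whole."""
    data = text.encode()
    if len(data) <= limit:
        return text
    kept = data[:limit].decode(errors="ignore")
    return kept + f"\n[truncated: {len(data) - limit} bytes dropped]"


def run_tool_call(call: ToolCall, hooks: list[Hook], tools: dict[str, Callable]) -> str:
    """Run every hook before the tool; any raise aborts the call."""
    for hook in hooks:
        hook(call)
    raw = tools[call.tool](**call.args)
    return cap_response(raw)


# Constructed tools and allow-list for the demonstration.
TOOLS = {
    "read_file": lambda path: "x" * 10_000,     # deliberately oversized output
    "delete_file": lambda path: f"deleted {path}",
}
ALLOWLIST = {"alice": {"read_file", "delete_file"}}
HOOKS: list[Hook] = [require_allowlisted(ALLOWLIST), require_confirmation]


if __name__ == "__main__":
    out = run_tool_call(ToolCall("alice", "read_file", {"path": "/tmp/a"}), HOOKS, TOOLS)
    print(out[-40:])     # ends with the truncation notice
    try:
        run_tool_call(ToolCall("alice", "delete_file", {"path": "/tmp/a"}), HOOKS, TOOLS)
    except ConfirmationRequired as e:
        print("blocked:", e)
    print(run_tool_call(ToolCall("alice", "delete_file", {"path": "/tmp/a"},
                                 confirmed=True), HOOKS, TOOLS))
```

Ordering matters: the allow-list hook runs first so a user who is not permitted a tool at all never reaches the confirmation prompt, and the confirmation flag lives on the call object, so approval cannot be reused for a different tool or different arguments.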

Accountability

Every AI tool call lands in the append-only audit log; the throughput view flags unusual data pulls.

Self-hosted: who secures what

mcpgate runs on your infrastructure, so security is shared. The split is framework-neutral — it maps onto ISO 27001, SOC 2 and BSI C5 alike.

mcpgate provides

  • Token & secret encryption (KMS / AES-256-GCM)
  • OIDC / OAuth 2.0 + PKCE authentication
  • PII pseudonymization + data-leak guardrails
  • Append-only audit log
  • Secure-development pipeline (dependency scanning, SAST, tests)
  • Safe defaults + setup verification

You provide

  • Host & OS hardening and patching
  • Network, firewall, TLS termination
  • Your identity provider & access policy
  • Backups of your deployment
  • Your data-processing agreements & retention
  • Physical / data-centre security

Our security whitepaper lays out the full picture — measures, the shared-responsibility matrix, and standards alignment for your ISO 27001 / SOC 2 / C5 evidence. Download the security whitepaper (PDF) — no form, no email required.

Found a vulnerability?

Report it privately — please don't open a public issue. We acknowledge within two business days and work under coordinated disclosure: details go into the release notes once a fix has shipped.