Security & data

Built to pass procurement questionnaires. UK-hosted, encrypted, GDPR-aware.

Authentication

  • Passwordless magic-link login via Supabase Auth.
  • Session cookies are HttpOnly, Secure, SameSite=Lax.
  • No sensitive data is stored in browser storage.

Xero token storage

  • Refresh tokens encrypted at rest with AES-256-GCM.
  • Access tokens rotated on each API call as they expire (~30 min).
  • OAuth flow uses HMAC-SHA256-signed state to prevent CSRF.

Data isolation

Multi-tenant Postgres with Row Level Security — every query is scoped to your organisation at the database layer, so a bug in application code can't leak another org's data.

Hosting

  • Application: Vercel (EU region).
  • Database: Supabase (eu-west-1, London).
  • Email: Resend (EU region).
  • Payments: Stripe (UK entity for UK customers).

GDPR

  • We're the data processor for your customer data; you're the controller.
  • Data export: contact hello@mcp-g.com for a JSON dump of everything we hold.
  • Data deletion: delete your account from settings, or email support. All data purged within 30 days.
  • Sub-processors: Supabase, Vercel, Resend, Stripe. Full list on request.

Incidents

We'll notify affected users within 72 hours of any incident that affects their data.


Next: FAQ →