Security & data
Built to pass procurement questionnaires. UK-hosted, encrypted, GDPR-aware.
Authentication
- Passwordless magic-link login via Supabase Auth.
- Session cookies are HttpOnly, Secure, SameSite=Lax.
- No sensitive data is stored in browser storage.
Xero token storage
- Refresh tokens encrypted at rest with AES-256-GCM.
- Access tokens rotated on each API call as they expire (~30 min).
- OAuth flow uses HMAC-SHA256-signed state to prevent CSRF.
Data isolation
Multi-tenant Postgres with Row Level Security — every query is scoped to your organisation at the database layer, so a bug in application code can't leak another org's data.
Hosting
- Application: Vercel (EU region).
- Database: Supabase (eu-west-1, London).
- Email: Resend (EU region).
- Payments: Stripe (UK entity for UK customers).
GDPR
- We're the data processor for your customer data; you're the controller.
- Data export: contact hello@mcp-g.com for a JSON dump of everything we hold.
- Data deletion: delete your account from settings, or email support. All data purged within 30 days.
- Sub-processors: Supabase, Vercel, Resend, Stripe. Full list on request.
Incidents
We'll notify affected users within 72 hours of any incident that affects their data.