Compliance

Public data,
handled responsibly.

MCP Wiki is built around a hard boundary: we process only publicly available information, and we give customers the controls and documentation to use it lawfully.

This page describes our practices, not legal advice. For your specific use case, consult your counsel.

Public surfaces only

No login replay, no private endpoints, no authentication bypass — ever.

GDPR & CCPA aligned

Lawful-basis tooling, data-subject request handling, and a signable DPA.

Audited access

Every key and request is logged, attributable, and revocable in real time.

Rapid takedowns

Documented process to remove or suppress data on valid request.

Data sourcing

MCP Wiki collects information that is publicly accessible — content and metadata any unauthenticated visitor could view on the network in question. We index trends, public posts, public profile attributes, and aggregate engagement metrics.

We do not purchase scraped datasets of unknown provenance, and we do not commingle private or leaked data into our index. Provenance is tracked per record so that data can be traced back to its public source.

What we don't do

  • We never replay credentials, cookies, or sessions to reach gated content.
  • We never access private accounts, direct messages, or follower-only material.
  • We never circumvent technical access controls intended to restrict the public.
  • We never resell raw personal data for the purpose of building shadow profiles.

GDPR & CCPA

Where the data we process includes personal data of EU or California residents, MCP Wiki acts as a processor on behalf of the customer, who is the controller and is responsible for establishing a lawful basis for their use case.

We support data-subject access, rectification and erasure requests, and we will assist customers in responding to requests they receive. Use the contact form to initiate a request.

Controller vs. processor. You decide why and how the data is used; we provide the infrastructure that retrieves it. Your obligations as controller — notice, lawful basis, retention — remain yours.

DPA & subprocessors

A Data Processing Addendum is available to all paid customers and is countersigned on request. It governs confidentiality, security, breach notification and sub-processing.

We maintain a current list of subprocessors (cloud hosting, error monitoring, billing) and provide 30 days' notice before adding a new one that processes customer data.

Security

  • Encryption. TLS 1.2+ in transit; AES-256 at rest.
  • Access control. Least-privilege internal access, scoped and logged.
  • Key management. API keys are hashed at rest and revocable instantly.
  • Isolation. Workspaces are logically separated; Sovereign tier offers dedicated ingestion.

Responsible use

Customers agree not to use MCP Wiki to harass, stalk, or unlawfully surveil individuals, to build discriminatory profiles, or to violate any platform's terms in a way that creates liability. We reserve the right to suspend access for abuse.

Takedowns

If you believe data served by MCP Wiki should be removed, submit the record and legal basis through our contact form. We acknowledge valid requests within two business days and act to suppress or remove qualifying data.