Company & Compliance
A registered, regulated company
LiftMCP is a real company with real accountability — not an anonymous side project.
UK Incorporated
LiftMCP Ltd (company number 17177294) is incorporated in England & Wales. We are a real legal entity with directors on public record at Companies House.
Cyber Essentials Certified
We hold Cyber Essentials certification (IASME iasme-31228) — the UK Government-backed scheme covering firewalls, secure configuration, access control, malware protection, and patch management. Certified 2026-04-29, valid until 2027-04-29.
ICO Registered
We are registered with the UK Information Commissioner's Office (ICO:00013889271) as a data controller under the UK GDPR and Data Protection Act 2018.
EU Data Residency
All customer data is stored in the European Union. Our database is hosted on AWS RDS in Frankfurt (eu-central-1) and our application infrastructure runs on AWS eu-west-2 (London). Your data never leaves EU soil.
Encryption
Encrypted everywhere
Data is encrypted both in transit and at rest. No exceptions.
TLS 1.2+ In Transit
Every connection to LiftMCP — web app, API, and MCP runtime — is encrypted with TLS 1.2 or higher via AWS Certificate Manager. Downgrade attacks are rejected at the load balancer.
AES-256 At Rest
All database storage is encrypted at rest using AES-256 encryption provided by AWS RDS. Backups are encrypted with the same standard.
Secrets Management
All secrets and API keys are stored in AWS Systems Manager Parameter Store as SecureString parameters (AES-256, AWS KMS). No credentials are hardcoded in source code or configuration files.
Email Security
SPF, DKIM, and DMARC records are configured on liftmcp.com to prevent email spoofing and phishing. All transactional emails are sent via authenticated channels.
Application Security
Defence in depth
Multiple independent security layers ensure that no single point of failure can compromise your data.
Tenant Isolation
Every database query is automatically scoped to your organisation by a Prisma middleware extension. Cross-tenant data access is architecturally impossible — not just policy, but code-enforced. Verified by automated cross-tenant integration tests on every deployment.
Row Level Security
Every database table has Postgres Row Level Security (RLS) enabled as a deny-by-default gate. Even if an attacker bypasses the application layer, the database itself enforces access control.
Authentication & Session Management
JWT tokens with 1-hour expiry and automatic rotation. Email confirmation required on signup. Rate limiting on authentication endpoints (20 requests/minute) to prevent brute-force attacks.
Rate Limiting & DDoS Protection
Global rate limiting at the application layer (100 requests/minute) with tighter limits on sensitive endpoints. Infrastructure-level protection via AWS load balancers and CloudFront edge network.
Least-Privilege Database Roles
The application runtime uses a restricted database role that can only read and write data — it cannot create, alter, or drop tables. Even in a worst-case application compromise, your schema and other tenants' data remain protected.
Domain Verification
Before any MCP capabilities can be exposed for a domain, ownership must be verified via a DNS or file-based challenge. This prevents impersonation and ensures only authorised site owners can publish MCP endpoints.
Infrastructure
Built on enterprise-grade cloud
LiftMCP runs entirely on AWS — the platform trusted by millions of businesses worldwide.
AWS Infrastructure
ECS Fargate (serverless containers), Application Load Balancers, CloudFront CDN, Route 53 DNS, S3, and Certificate Manager. No self-managed servers.
Managed Database
AWS RDS PostgreSQL with automated backups, point-in-time recovery, and connection pooling. Database patches and security updates are applied automatically.
Automated Deployments
All deployments go through CI/CD pipelines (GitHub Actions). No manual pushes to production. Database migrations are version-controlled and applied automatically.
Monitoring & Logging
We watch so you don't have to
Comprehensive observability across every service, with retention policies that balance security investigation needs against data minimisation principles.
Error Tracking
Sentry is integrated across all three services (web, API, MCP runtime) with session replay on errors. Issues are surfaced in real time, not discovered by customers.
Structured Audit Logging
All API and MCP runtime requests are logged to AWS CloudWatch with structured JSON records. Logs are retained for 90 days in line with UK GDPR storage limitation principles.
Uptime Monitoring
External uptime monitoring checks every service endpoint at regular intervals. Our public status page at status.liftmcp.com shows real-time availability.
Automated Link & Service Checks
Scheduled GitHub Actions workflows run link checking and service health reviews automatically, catching broken endpoints and configuration drift before they affect users.
MCP Protocol Security
Purpose-built for the agentic era
MCP endpoints face unique threats that traditional web security frameworks don't cover. We designed for them from day one.
API Key Authentication
Every MCP endpoint requires a unique API key, automatically generated per property. Unauthenticated agent requests are rejected before reaching any business logic.
Capability Controls
Each MCP capability has an explicit enabled/disabled flag. Disabled capabilities are invisible to agents — they cannot be discovered, called, or enumerated. You control exactly what AI agents can and cannot do.
Input Schema Validation
Tool arguments from AI agents are validated against declared input schemas before execution. Malformed, unexpected, or injection-attempt payloads are rejected at the boundary.
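A sketch of the gate that the Capability Controls and Input Schema Validation paragraphs describe, added here as an example and not taken from LiftMCP's code. The tool names, schema and error strings are hypothetical, and the validator covers only a small JSON Schema subset (required fields, typed properties, length and range limits, no additional properties).

```javascript
// Added illustration: capability gate plus argument validation; all tool data is hypothetical.
const tools = {
  search_products: {
    enabled: true,
    inputSchema: {
      type: "object",
      required: ["query"],
      properties: {
        query: { type: "string", maxLength: 100 },
        limit: { type: "integer", minimum: 1, maximum: 50 },
      },
      additionalProperties: false,
    },
    handler: (args) => `results for ${args.query}`,
  },
  delete_order: { enabled: false, inputSchema: { type: "object" }, handler: () => "deleted" },
};

// Validate args against the supported schema subset; returns a list of problems.
function validateArgs(schema, args) {
  if (args === null || typeof args !== "object" || Array.isArray(args)) return ["arguments must be an object"];
  const errors = [];
  const props = schema.properties || {};
  for (const name of schema.required || []) {
    if (!Object.hasOwn(args, name)) errors.push(`missing required field: ${name}`);
  }
  for (const [name, value] of Object.entries(args)) {
    const rule = Object.hasOwn(props, name) ? props[name] : undefined;
    if (!rule) { if (schema.additionalProperties === false) errors.push(`unexpected field: ${name}`); continue; }
    const okType = rule.type === "integer" ? Number.isInteger(value) : typeof value === rule.type;
    if (!okType) { errors.push(`${name}: expected ${rule.type}`); continue; }
    if (rule.maxLength !== undefined && value.length > rule.maxLength) errors.push(`${name}: too long`);
    if (rule.minimum !== undefined && value < rule.minimum) errors.push(`${name}: below minimum`);
    if (rule.maximum !== undefined && value > rule.maximum) errors.push(`${name}: above maximum`);
  }
  return errors;
}

// Only enabled tools are listed to agents.
const listTools = () => Object.keys(tools).filter((name) => tools[name].enabled);

// Disabled and unknown tools get the same error, so a caller cannot tell them apart.
function callTool(name, args) {
  const tool = Object.hasOwn(tools, name) ? tools[name] : undefined;
  if (!tool || !tool.enabled) return { ok: false, error: "unknown tool" };
  const errors = validateArgs(tool.inputSchema, args);
  if (errors.length > 0) return { ok: false, error: "invalid arguments", details: errors };
  return { ok: true, result: tool.handler(args) };
}
```

The own-property lookups (`Object.hasOwn`) keep names such as `constructor` or `__proto__` from resolving to inherited object members instead of declared tools or fields.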
Internal Service Isolation
The API control plane and MCP runtime data plane are separate services with an internal service secret for cross-service calls. Compromising the public-facing MCP endpoint does not grant access to the control plane.
Open Standards
Built on open, auditable standards
LiftMCP implements open protocols — not proprietary black boxes. You can verify exactly what agents see and do.
Model Context Protocol
Governed by the Agentic AI Foundation under the Linux Foundation. Not a proprietary format — an open standard.
IETF Internet-Draft
MCP site discovery follows an active IETF Internet-Draft. The discovery mechanism is public, peer-reviewed, and standards-track.
Transparent by Default
Your MCP discovery file and endpoint are inspectable. You can see exactly what agents see — no hidden data, no undocumented fields.
Responsible Disclosure
Found a vulnerability?
We take security reports seriously and respond promptly. We follow coordinated disclosure practices and will never take legal action against good-faith security researchers.
How to report
Email security@liftmcp.com with a description of the issue, steps to reproduce, and any supporting evidence. We aim to acknowledge reports within 48 hours and provide an initial assessment within 5 business days.
Our machine-readable security contact information is published at /.well-known/security.txt in accordance with RFC 9116.
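For anyone consuming or publishing such a file, the following added example (not LiftMCP's code) checks an unsigned security.txt body against the core RFC 9116 rules: at least one Contact URI, exactly one Expires that is still in the future, and at most one Preferred-Languages. The sample file and its example.com address are constructed.

```javascript
// Added illustration: check an unsigned security.txt body against RFC 9116 basics.
// SAMPLE is constructed for this example; it is not any real site's file.
const SAMPLE = [
  "# constructed sample",
  "Contact: mailto:security@example.com",
  "Expires: 2027-01-01T00:00:00Z",
  "Preferred-Languages: en",
].join("\n");

function checkSecurityTxt(text, now = new Date()) {
  const fields = [];
  const problems = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === "" || line.startsWith("#")) continue; // blank line or comment
    const idx = line.indexOf(":");
    if (idx <= 0) { problems.push(`malformed line: ${line}`); continue; }
    // Field names are case-insensitive.
    fields.push({ name: line.slice(0, idx).trim().toLowerCase(), value: line.slice(idx + 1).trim() });
  }
  const valuesOf = (name) => fields.filter((f) => f.name === name).map((f) => f.value);

  // Contact: required, one or more, each a URI (mailto:, tel:, https://...).
  const contacts = valuesOf("contact");
  if (contacts.length === 0) problems.push("Contact is required");
  for (const c of contacts) {
    if (!/^[a-z][a-z0-9+.-]*:/i.test(c)) problems.push(`Contact is not a URI: ${c}`);
    else if (/^http:/i.test(c)) problems.push(`Contact web URI must use https: ${c}`);
  }
  // Expires: required, exactly once, and still in the future.
  const expires = valuesOf("expires");
  if (expires.length !== 1) {
    problems.push("Expires must appear exactly once");
  } else {
    const when = new Date(expires[0]);
    if (Number.isNaN(when.getTime())) problems.push("Expires is not a valid date-time");
    else if (when <= now) problems.push("Expires is in the past");
  }
  if (valuesOf("preferred-languages").length > 1) problems.push("Preferred-Languages may appear at most once");
  return problems;
}
```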
Our commitments
- ✓ Acknowledge within 48 hours
- ✓ No legal action for good-faith research
- ✓ Credit in our changelog if desired
- ✓ Coordinated disclosure timeline
Subprocessors
Who handles your data
We use a minimal set of trusted infrastructure providers. No unnecessary third parties touch your data.
| Provider | Purpose | Location |
|---|---|---|
| Amazon Web Services | Application hosting, CDN, DNS, secrets management, email delivery | EU (London, eu-west-2) |
| AWS RDS | Database (PostgreSQL) | EU (Frankfurt, eu-central-1) |
| Sentry | Error tracking and performance monitoring | EU |
| GitHub | Source code hosting and CI/CD pipelines | US |
Have a security question?
We're happy to discuss our security posture in detail. Reach out and we'll respond personally.
Contact security@liftmcp.com