MCP Server Privacy Policy
mcp.inscada.online — data flow for the MCP gateway service
Effective date: May 16, 2026
This policy covers the MCP Server only (mcp.inscada.online) — the gateway that lets AI clients (claude.ai, Claude Desktop, ChatGPT, etc.) talk to your inSCADA Cloud account. The general inscada.com Privacy Policy and the inscada.cloud platform's own policy are separate.
1. What the MCP Server is
The MCP Server is a thin protocol gateway. When you connect an AI client (claude.ai, Claude Desktop, etc.) to it, the server authenticates you against your existing inSCADA Cloud account and forwards your tool calls to inscada.cloud. The MCP Server does not store your SCADA project data — it passes it through.
2. Data we collect and store
| Category | What | Why | How long |
|---|---|---|---|
| OAuth tokens | JWT access + refresh tokens issued after you log in to inSCADA Cloud | To keep your AI client connected without re-asking for credentials | Until you revoke them (AI client / admin panel / logout) or until they expire (access: 5 min; refresh: 1 day; cycled automatically) |
| Session metadata | Session ID, originating IP, User-Agent string at login time | Security audit (detect suspicious logins, link sessions to clients) | Until token is revoked or 1 hour of inactivity |
| Audit logs | Token issuance events, per-session API call counts, lifecycle events (login, refresh, revoke) | Operations monitoring, abuse detection | 90 days, then deleted |
| Cookies | inscada_admin (HMAC-signed admin auth, 24h), OAuth state cookies (short-lived) | Admin panel sign-in, OAuth flow correlation | Per cookie TTL above |
Tokens are stored encrypted at rest in a permission-restricted file on the server (chmod 600, root-owned). The encryption key is held in the server process; tokens never leave disk in plaintext.
3. Data that flows through but we do NOT store
- Your inSCADA Cloud password. Never seen by the MCP Server when you sign in via Google OAuth. For email/password flow it is forwarded to inSCADA Cloud once at login then discarded; only the resulting JWT is retained.
- Your SCADA tool call payloads — variable values, alarm definitions, animation SVGs, scripts, dashboard HTML, project structure, etc. These pass through the MCP Server in memory only and are sent to
inscada.cloud. We do not log payload bodies. - Your conversation with Claude — the AI client sees this, not us. We only see the resulting tool call.
4. Third parties
The MCP Server talks to exactly one external service: inscada.cloud (the SCADA backend that you, the user, authenticated with). There are no analytics SDKs, telemetry providers, or third-party API integrations on the MCP Server itself.
The AI client (claude.ai, Claude Desktop, ChatGPT) has its own privacy practices governed by its vendor — review Anthropic's / OpenAI's policies separately.
5. Health, biometric, or sensitive personal data
None collected. The MCP Server's purpose is industrial automation — process variables, equipment alarms, plant dashboards. PII collected is limited to your inSCADA Cloud username/email (carried in the JWT).
6. Your rights
- Revoke connection at any time: disconnect the connector in your AI client, or sign in to the admin panel at
https://mcp.inscada.online/admin(if you have credentials) and revoke a specific token / session / client. - Request data export: email info@inscada.com — we will export audit log entries tied to your account within 30 days.
- Request deletion: email info@inscada.com to permanently delete audit logs and revoke all active tokens for your account.
For data inside inscada.cloud itself (your SCADA projects, historian data, etc.), the MCP Server has no access beyond what your account permits — request those changes through the inSCADA Cloud platform directly.
7. Security
- HTTPS-only (Let's Encrypt; HSTS-eligible). HTTP requests are rejected.
- OAuth 2.1 + PKCE + Dynamic Client Registration (RFC 7591). No client secrets stored client-side.
- Origin header validation (DNS rebinding protection) for browser-based MCP clients.
- CSRF protection (Spring Security X-XSRF-TOKEN) on backend calls.
- Systemd hardening (
NoNewPrivileges,ProtectSystem=strict,PrivateTmp). - Admin panel cookie: HMAC-signed, HttpOnly, Secure, SameSite=Lax, 24h TTL.
- Tokens cycled automatically when inSCADA Cloud refreshes the underlying JWT (write-back pattern, no stale tokens).
We do not claim a formal certification (ISO 27001, SOC 2, etc.) — this is a small operation. We follow the security best practices listed above.
8. Hosting and jurisdiction
- Server: Hetzner Cloud, Germany (EU). Subject to GDPR.
- Operator: İNS Yazılım Sanayi ve Ticaret A.Ş., Turkey.
- Backend (inscada.cloud): see its own privacy policy for hosting region.
If you are in the EU and prefer your data not transit through a Turkey-operated service, contact us before connecting; we will help you decide.
9. Changes to this policy
We will update this page when the data flow changes (new audit log fields, new third-party integration, retention change, etc.). The "Effective date" at the top will move forward. If the change is material, we will notify connected clients via the chat notification stream when possible. We do not maintain a mailing list for policy updates.
10. Contact
- Email: info@inscada.com
- Operator: İNS Yazılım Sanayi ve Ticaret A.Ş.
- Address: Mustafa Kemal Mah. Dumlupınar Bulv. 266 C Blok No:46 Tepe Prime, Çankaya / Ankara, Turkey