Privacy

Last updated July 2026. Plain language on purpose. Questions: email us.

What Passport is, in privacy terms

Passport is a governed gateway between your team's AI clients and the MCP servers they use. Its core privacy property is that upstream credentials never land in an AI client's configuration; Passport brokers them server-side. That means Passport stores those credentials, and most of this page is about how they're protected.

What we store

Identity: member names, work emails, titles, teams, and roles, plus your workspace name and settings.

Credentials: the OAuth tokens members grant to MCP servers, company API keys admins supply, and your SSO/SCIM secrets. All of these are encrypted at rest (AES-256-GCM) and are never shown back in full or sent to an AI client.

Activity: tool-call metadata. Who called which tool from which AI client, the outcome, and a short argument summary clipped to 60 characters. We do not store full prompts, full tool arguments, or tool results.

Where data flows

Workspace data lives in our database (Postgres). Tool calls flow through the gateway to the MCP servers your admins approved, carrying the member's own credential for that server.

If your admin configures them: transactional email is sent via Resend (sign-in links, invites, request notifications), billing runs through Stripe (we never see card numbers), and audit events can be exported to your own SIEM endpoint. There is no advertising, no tracking pixels, and no sale of data to anyone.

Isolation

Every workspace is its own isolated document. No workspace can read another's members, credentials, policies, or activity. Session tokens are workspace-scoped and stored only as digests.

Deletion

Removing a member revokes their sessions everywhere and drops their connected-account grants. Deleting the workspace (Settings → Danger zone) permanently erases everyone, every credential, all policies, and all activity. The document and its event log are purged, not soft-deleted.

The fine print

This page is a summary of the full data-handling document in our repository, which reflects the actual implementation. If the code and the document ever disagree, the code is the source of truth and the disagreement is a bug we want to hear about.