# Passport trust and procurement summary

Last reviewed: July 2026

This is a factual product and control summary, not a certification, audit report, penetration-test report, or contractual service-level agreement.

## Service and data flow

- Passport is a governed gateway between employees' AI clients and workspace-approved MCP servers.
- Upstream OAuth tokens, company credentials, and identity-provider secrets remain at the gateway and are encrypted at rest with AES-256-GCM.
- Long-lived Passport session validation records, bridge credentials, and agent keys are stored only as SHA-256 digests. A desktop device-flow approval uses a short-lived encrypted handoff so the raw session can reach the polling desktop; that handoff can be polled for up to 10 minutes and then expires.
- MCP inputs, outputs, prompts, files, cookies, authorization headers, and response bodies are deliberately excluded from operational telemetry.
- The hosted service runs on Railway with managed Postgres. Cloudflare fronts the service; optional email, billing, release distribution, and privacy-filtered diagnostics use the subprocessors listed at /subprocessors.

## Implemented controls

- Tenant isolation, version-guarded writes, server-side passes, per-tool controls, guardrails, approvals for interactive member identities, client selection, and append-only activity/audit records.
- OAuth 2.1 with PKCE, single-use authorization codes, refresh-token rotation, and reuse detection for hosted clients.
- SSRF protection for configured MCP, webhook, SIEM, and identity-provider URLs, including DNS/private-range checks on redirect hops.
- Production fail-closed configuration checks, secret scanning, dependency auditing, SAST, and broad end-to-end security/tenancy contracts in CI.
- 121 catalog endpoints have dated point-in-time MCP handshakes; 17 openly listable toolsets have committed definition hashes and observable risk scans. These are evidence snapshots, not uptime guarantees or provider endorsements.

## Reliability and recovery evidence

- External probes are scheduled every five minutes to check liveness, database readiness, the public status surface, and a read-only product contract.
- Recurring synthetic drills restore a logical Postgres backup, decrypt protected fixture data, exercise two replicas against one database, and run bounded gateway load.
- A bounded per-workspace/app upstream circuit breaker contains repeated provider transport failures without retrying tool calls.
- The application restore drill proves Passport's backup tooling and decryption path. It does not prove that a hosted platform's production backup/PITR toggle or retention setting is enabled; operators verify those separately.

## Current assurance status

- No SOC 2 report yet.
- No independent third-party penetration-test report yet.
- No independent third-party uptime history yet; /status is a live, self-reported component view.
- No contractual SLA, RTO, or RPO is published during early access.
- DPA terms are handled on request. Enterprise contract, support, data-residency, and recovery commitments must be agreed explicitly; this page does not create them.

## Evidence and contacts

- [Security posture](/security)
- [Privacy policy](/privacy)
- [Subprocessors](/subprocessors)
- [Live status](/status)
- [Terms](/terms)
- [Self-hosting](/self-host)
- [Vulnerability policy](/.well-known/security.txt)
- [Security reports](mailto:security@passportmcp.com)
- [Procurement and DPA requests](mailto:hello@passportmcp.com)
