Trust & Privacy

Data handling, retention windows, and GDPR controls for Confluence MCP Remote.

Trust And Privacy

This service is designed to use the minimum data needed to authenticate users, execute Confluence actions, and operate safely in a shared enterprise environment.

Authentication

Users sign in through the configured OAuth identity provider. The service validates the issued tokens and derives user identity from token claims; it never receives or handles passwords.

What Data Is Stored

  1. Sign-in and session state:
    • Temporary login and session details needed to complete browser sign-in and bind MCP sessions to the right user.
    • A browser CSRF token for cookie-authenticated web UI actions, bound to the current web session and retained only as transient state.
    • Per-session MCP client names used for usage analytics and troubleshooting.
    • This state is persisted in Azure Table Storage when MCP_TRANSIENT_STATE_BACKEND=table is enabled.
  2. Confluence PAT enrollment state:
    • A user-scoped Confluence PAT and whether it is currently valid.
    • PAT secrets are stored in Azure Key Vault when MCP_PAT_STORAGE_BACKEND=keyvault. They are never stored in plaintext.
  3. User MCP profiles, API keys, and browser preferences:
    • Profile id, profile name, selected tools, API-key metadata, onboarding state, and tool-result format preferences.
    • API-key secrets are displayed once at creation; afterwards only a hash of the secret and a short display prefix are retained as key metadata.
    • Profiles, API key metadata, onboarding state, and output-format preferences are persisted in the configured profile store at /tmp/crabfluence-mcp-profiles.json.
  4. Upload staging data:
    • Temporary file content and metadata while processing attachment uploads or restore-style flows.
    • Stored on the service filesystem for short-lived staging only (max 25 MiB per file, expires after 15 minutes).
  5. Security audit and operational events:
    • Structured records for authentication, PAT lifecycle, profile changes, policy decisions, and tool calls.
    • Request correlation ids are included to support incident investigation.
    • Structured audit records are emitted to stdout and are available to Azure Log Analytics for this deployment.
  6. Admin dashboard statistics:
    • Aggregated usage counts for top tools, top MCP clients, and top profiles, queried from Azure Log Analytics over a rolling 24-hour window.
    • Only designated admin users can open the dashboard.
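The API-key scheme above (secret shown once, only a hash and display prefix kept) is easy to get subtly wrong, so here is an added worked example of one way to implement it. This is illustrative code, not the service's own implementation; the `cfmcp_` key prefix, the `ApiKeyRecord` layout and the function names are assumptions made for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import json
import secrets
from dataclasses import asdict, dataclass
from typing import Optional

KEY_PREFIX = "cfmcp_"   # assumed: a fixed, recognisable prefix so leaked keys are easy to grep for
DISPLAY_CHARS = 8       # characters after the prefix the UI may show, e.g. "cfmcp_AbCd1234"


@dataclass
class ApiKeyRecord:
    """What the profile store keeps: never the secret itself."""
    key_id: str
    profile_id: str
    display_prefix: str   # safe to show in Settings and to include in logs
    key_hash: str         # sha256 hex of the full secret


def hash_key(secret: str) -> str:
    # Keys are high-entropy random strings, so an unsalted fast hash is adequate;
    # a password KDF is only needed when the input is human-chosen.
    return hashlib.sha256(secret.encode()).hexdigest()


def issue_api_key(profile_id: str) -> tuple[str, ApiKeyRecord]:
    """Return (secret, record). The secret goes to the user once; only the record is persisted."""
    secret = KEY_PREFIX + secrets.token_urlsafe(32)
    record = ApiKeyRecord(
        key_id=secrets.token_hex(8),
        profile_id=profile_id,
        display_prefix=secret[: len(KEY_PREFIX) + DISPLAY_CHARS],
        key_hash=hash_key(secret),
    )
    return secret, record


def verify_api_key(presented: str, records: list[ApiKeyRecord]) -> Optional[ApiKeyRecord]:
    """Match a presented key against stored hashes using a constant-time comparison."""
    digest = hash_key(presented)
    for rec in records:
        if hmac.compare_digest(digest, rec.key_hash):
            return rec
    return None


def serialise_records(records: list[ApiKeyRecord]) -> str:
    """The JSON the profile store would hold; use it to confirm no secret is persisted."""
    return json.dumps([asdict(r) for r in records], indent=2)


if __name__ == "__main__":
    secret, rec = issue_api_key("profile-1")
    print("show to user once:", secret)
    print("persisted:", serialise_records([rec]))
    print("verify ok:", verify_api_key(secret, [rec]) is rec)
```

The display prefix is deliberately short relative to the 32-byte random part, so it identifies a key in the UI without meaningfully reducing the work needed to guess the rest.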

What Is Not Stored

  1. PAT values in plaintext at rest.
  2. PAT values in telemetry, audit events, or analytics.
  3. Raw usernames, emails, profile names, or tool arguments in audit logs; these values are kept only where needed for rendering in the user's own browser and for operator troubleshooting.
  4. Arbitrary server-local file paths from clients for remote attachments.
  5. Confluence content as a separate datastore. This service proxies Confluence requests; it is not a content warehouse.
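To make the "what the audit log carries and what it must never carry" rules above concrete, here is an added example of a structured audit emitter: one JSON line per event on stdout, a request correlation id on every record, a pseudonymised subject in place of the raw username or email, and denied fields (PAT values, tool arguments and similar) replaced before serialisation. This is example code rather than the service's own logger; the field names, the `SUBJECT_PEPPER` value and the sample events are constructed for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import json
import sys
import uuid
from typing import Any, TextIO

# Assumed: a per-deployment secret. HMAC with a pepper gives each user a stable id
# within one deployment's logs, while a plain hash of a low-entropy email could be
# reversed with a dictionary.
SUBJECT_PEPPER = b"replace-with-a-deployment-secret"

# Keys whose values never reach the log, wherever they appear in the event payload.
DENY_KEYS = {"pat", "token", "access_token", "authorization", "password",
             "email", "username", "display_name", "tool_args", "arguments"}


def pseudonymise(subject: str) -> str:
    """Stable, non-reversible subject id used to correlate a user's events."""
    return hmac.new(SUBJECT_PEPPER, subject.encode(), hashlib.sha256).hexdigest()[:16]


def redact(value: Any) -> Any:
    """Recursively replace the values of denied keys. The key itself is kept so an
    investigator can see the field was present but withheld."""
    if isinstance(value, dict):
        return {k: "[redacted]" if k.lower() in DENY_KEYS else redact(v) for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v) for v in value]
    return value


def build_event(event: str, subject: str, correlation_id: str | None = None, **fields: Any) -> dict:
    """Assemble one audit record; a correlation id is minted if the request had none."""
    record = {
        "event": event,
        "correlation_id": correlation_id or str(uuid.uuid4()),
        "subject": pseudonymise(subject),
    }
    record.update(redact(fields))
    return record


def format_event(record: dict) -> str:
    return json.dumps(record, separators=(",", ":"), sort_keys=True)


def emit(record: dict, stream: TextIO = sys.stdout) -> str:
    """Write the record as a single JSON line (what a Log Analytics agent would collect)."""
    line = format_event(record)
    stream.write(line + "\n")
    return line


if __name__ == "__main__":
    # Constructed sample events; the PAT value and the address are made up.
    emit(build_event("pat.enrolled", "alice@example.com", correlation_id="req-0001",
                     pat="pat-value-that-must-not-be-logged", outcome="ok"))
    emit(build_event("tool.call", "alice@example.com", correlation_id="req-0002",
                     tool="confluence_update_page",
                     tool_args={"page_id": "12345", "body": "draft text"},
                     client="example-mcp-client", duration_ms=142))
```

Tool names, client names, outcomes and durations pass through, which is exactly what the usage dashboard needs; the tool arguments, which may carry page content, do not.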

Retention

  1. OAuth, login, and CSRF transient state:
    • Login and OAuth transient states are retained for minutes, not hours. Browser CSRF state for cookie-authenticated web actions is retained for up to 8 hours.
  2. MCP session state:
    • Up to 720 hours (30 days) since last activity, or until the session is deleted.
  3. Upload staging:
    • Expires after the configured upload TTL (15 minutes in this deployment). Successfully consumed uploads are deleted immediately after processing when possible.
  4. PAT records:
    • Retained in the configured PAT store until the user rotates or deletes the PAT, or deletes account data.
  5. Custom profiles, API keys, onboarding state, and browser preferences:
    • Retained until the user deletes them or deletes account data.
  6. Automatic inactive-account cleanup:
    • Automatic inactive-account cleanup is currently disabled for this deployment.
  7. Audit events and analytics:
    • Retained according to the Azure Log Analytics workspace retention policy for this deployment.
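The upload-staging rules described under "What Data Is Stored" and "Retention" (a per-file size cap, a short TTL, deletion on successful consumption, and no client-supplied server paths) combine into a small, testable component. The following is an added example of such a staging area; it is not the service's code, and the `StagingArea` class, its exception names and the constructor parameters are assumptions for illustration. The defaults match the 25 MiB cap and 15-minute TTL stated on this page.

```python
from __future__ import annotations

import tempfile
import time
import uuid
from pathlib import Path
from typing import Callable, Iterable

MAX_UPLOAD_BYTES = 25 * 1024 * 1024   # per-file cap stated on this page
UPLOAD_TTL_SECONDS = 15 * 60          # staging TTL stated on this page


class UploadTooLarge(ValueError):
    pass


class UploadUnavailable(KeyError):
    """Raised when an upload id is unknown, already consumed, or expired."""


class StagingArea:
    """Hypothetical staging store: files live under a server-chosen directory,
    are capped in size, expire after a TTL, and are deleted as soon as consumed."""

    def __init__(self, root: str | None = None, *, max_bytes: int = MAX_UPLOAD_BYTES,
                 ttl_seconds: int = UPLOAD_TTL_SECONDS, clock: Callable[[], float] = time.time):
        self.root = Path(root or tempfile.mkdtemp(prefix="mcp-upload-"))
        self.max_bytes = max_bytes
        self.ttl_seconds = ttl_seconds
        self.clock = clock   # injectable so expiry can be tested without sleeping
        self._meta: dict[str, tuple[Path, float, str]] = {}  # id -> (path, expires_at, client name)

    def stage(self, client_filename: str, chunks: Iterable[bytes]) -> str:
        upload_id = uuid.uuid4().hex
        path = self.root / upload_id            # the server picks the on-disk path, never the client
        written = 0
        try:
            with open(path, "wb") as fh:
                for chunk in chunks:
                    written += len(chunk)
                    if written > self.max_bytes:   # refuse before writing the byte that exceeds the cap
                        raise UploadTooLarge(f"upload exceeds {self.max_bytes} bytes")
                    fh.write(chunk)
        except Exception:
            path.unlink(missing_ok=True)            # never leave a partial or oversize file behind
            raise
        safe_name = Path(client_filename).name      # keep only the leaf name as metadata
        self._meta[upload_id] = (path, self.clock() + self.ttl_seconds, safe_name)
        return upload_id

    def filename(self, upload_id: str) -> str:
        return self._meta[upload_id][2]

    def consume(self, upload_id: str) -> bytes:
        """Hand the bytes to the caller exactly once, then delete the staged file."""
        entry = self._meta.pop(upload_id, None)
        if entry is None:
            raise UploadUnavailable(upload_id)
        path, expires_at, _ = entry
        if self.clock() > expires_at:
            path.unlink(missing_ok=True)
            raise UploadUnavailable(f"{upload_id} expired")
        data = path.read_bytes()
        path.unlink(missing_ok=True)
        return data

    def sweep(self) -> int:
        """Remove expired uploads that were never consumed; returns how many were removed."""
        now = self.clock()
        expired = [uid for uid, (_, exp, _) in self._meta.items() if now > exp]
        for uid in expired:
            path, _, _ = self._meta.pop(uid)
            path.unlink(missing_ok=True)
        return len(expired)

    def staged_files(self) -> int:
        return sum(1 for _ in self.root.iterdir())
```

Run `sweep()` from a periodic task; `consume()` also checks expiry on its own so that a stalled sweeper cannot extend the TTL.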

GDPR

  1. Data minimization:
    • Only data needed for authentication, authorization, and safe operation is retained.
  2. User self-service deletion:
    • Users can delete account-scoped data from Settings.
  3. PAT lifecycle controls:
    • Users can enroll, rotate, and delete their PAT.
  4. Automatic data hygiene:
    • The service can clean dormant accounts automatically once the configured inactivity window elapses and the stored Confluence PAT no longer works. As noted under Retention, this cleanup is currently disabled for this deployment.
  5. Data subject requests (access or erasure):
    • Fulfilled by deleting user-scoped Confluence PAT, profile, API key metadata, onboarding, and activity records from the configured stores. Azure Log Analytics retention controls still apply to already-emitted operational logs.