Data Processing Addendum
Last updated: June 30, 2026
This Data Processing Addendum ("DPA") is entered into between you ("Controller", "Customer") and MCP Inspector ("Processor", "we") and applies to processing of personal data subject to the EU/UK GDPR or comparable laws. A countersigned copy is available to Team and Enterprise customers on request at [email protected].
1. Roles & subject matter
For account, license, and seat administration carried out on your behalf, you are the Controller and we are the Processor. The subject matter is our provision of the MCP Inspector licensing/account service; the duration is the term of your subscription plus any legally required retention; the nature and purpose is license issuance, validation, seat enforcement, and support.
2. Types of personal data & data subjects
- Data subjects: your authorized users/seat holders and account administrators.
- Personal data: name, email, organization, hashed license key, machine fingerprint, tier/seat metadata, and validation timestamps. We do not process the contents of captured MCP traffic.
- We do not request or require special-category (sensitive) data.
3. Processing on documented instructions
We process personal data only on your documented instructions (including as set out in the Terms and this DPA), except where required by law, in which case we will inform you unless legally prohibited.
4. Confidentiality
Personnel authorized to process personal data are bound by confidentiality obligations.
5. Security (Art. 32)
We implement technical and organizational measures appropriate to the risk, including encryption in transit, hashing of license keys and machine identifiers, access controls, and use of reputable infrastructure providers. Because trace data is not transmitted to us, the personal data we hold is limited by design.
6. Sub-processors
You provide general authorization for us to engage the sub-processors listed on our Sub-processors page. We impose data-protection obligations on each sub-processor no less protective than this DPA, and remain responsible for their performance. We will give reasonable notice of material changes and you may object on reasonable data-protection grounds.
7. Assistance with data-subject requests
Taking into account the nature of the processing, we will assist you with appropriate measures to respond to data-subject requests (access, rectification, erasure, restriction, portability, objection). If a data subject contacts us directly, we will refer them to you where appropriate.
8. Personal data breaches
We will notify you without undue delay after becoming aware of a personal data breach affecting your data, and provide information reasonably necessary for you to meet your notification obligations.
9. Audit & demonstrating compliance
We will make available information reasonably necessary to demonstrate compliance with Article 28 and allow for and contribute to audits, including reasonable inspections, subject to confidentiality and reasonable scheduling.
10. International transfers
Where we transfer personal data out of the EEA/UK, we rely on a valid transfer mechanism such as the Standard Contractual Clauses (and the UK Addendum/IDTA where applicable), incorporated by reference into this DPA.
11. Return & deletion
On termination, we will, at your choice, delete or return the personal data we process on your behalf, except where retention is required by law. Because trace data resides with you, you control its deletion directly.
12. Liability
Each party's liability under this DPA is subject to the limitations and exclusions in the Terms of Service.
13. Contact
To request a signed DPA or ask a data-protection question, email [email protected].