Legal · MCP
NORMA MCP Server Privacy
What we log, what we don't, and how to verify it yourself.
Last updated: May 2026
1. Introduction
This page describes how the NORMA MCP Server handles your interactions. It is a concrete technical note, not a full GDPR informativa.
For the umbrella Kynosure privacy notice (data controller, legal basis, GDPR rights, subprocessors, international transfers), see the umbrella Privacy Notice.
This document is for technical information purposes and does not constitute legal advice.
2. What we log (counters only)
Every MCP request emits ONE structured log record: tool name + outcome + latency. Nothing else.
Whitelist of logged fields:
-
tool_name— name of the MCP tool invoked (e.g. search_controls) -
status— outcome: ok | error -
latency_ms— request duration in milliseconds -
error_class— error class when applicable (e.g. ZodError, TimeoutError) -
started_at— ISO 8601 timestamp of the request start
Anti-list — what we NEVER log:
- query content (keywords, prompts)
- framework parameters (e.g. iso27001, nis2)
- company_context field or business profiles
- specific template names requested
- IP addresses (handled by the Cloudflare edge layer, not the server)
- Authorization headers or API tokens
- error.message (may echo payload back from Zod validation)
- error.stack (may contain file paths and variables)
3. Source-level proof
The logger is public. Inspect src/log.ts in the GitHub repository to verify the invariant: the log() function accepts only whitelisted scalar fields (string | number | boolean); no request payload is ever serialised.
src/log.ts @ github.com/kynosure-ai/norma-mcp-server
— Open src/log.ts on GitHub
This is the key difference: the privacy promise is not "trust us", it is "audit it yourself". The public repository is the audit trail.
4. Architecture — open code, private data
The NORMA compliance corpus is hosted in a private Cloud Storage bucket inside the kynosure-ai GCP project. Only the dedicated runtime service account norma-mcp-runtime@kynosure-ai.iam.gserviceaccount.com has read-only access, scoped to that bucket (NOT to the project).
Application Default Credentials (ADC) — no JSON keys committed in repo. Bucket-scoped IAM (NOT project-scoped) ensures that even if the service account were compromised, no other Kynosure buckets (e.g. Pyxis user data) would be exposed.
The service runs on Google Cloud Run in europe-west3 (Frankfurt) behind a Cloudflare proxy. Structured JSON logs flow into Cloud Logging GCP (EU region). Bucket: gs://kynosure-norma-corpus.
5. Access tiers and rate limit
Anonymous tier (front door)
10 requests/hour per IP. No signup, no email captured, no cookies. The first call is frictionless.
API key tier
100 requests/hour per key. Email is captured only at voluntary signup with double opt-in (Resend). Email is used ONLY to: (a) identify the tier, (b) send occasional service updates (revocations, breaking changes, service shutdown).
No third-party trackers, no analytics on the /mcp endpoint. Cloudflare edge applies IP rate limiting — we do not share data with Cloudflare beyond what is intrinsic to HTTP routing.
6. Cookies and browser state
This page uses no cookies. The MCP endpoint /mcp uses no cookies — it is a stateless JSON-RPC service, each request is independent.
Marketing pages on kynosure.ai use minimal analytics cookies with explicit consent; for details see the umbrella Privacy Notice (cookie section).
7. Retention and deletion
Counter logs are retained 30 days in Cloud Logging GCP, then automatically deleted by the retention policy.
Emails captured at API-key signup are retained until explicit deletion request. To delete: send a request to privacy@kynosure.ai indicating the email to remove — you will receive confirmation within 30 days as required by GDPR.
8. GDPR rights and contact
For details on GDPR rights (access, rectification, erasure, portability, objection, legal basis of processing, subprocessors), see the umbrella Privacy Notice.
For specific requests or questions about the NORMA MCP Server: privacy@kynosure.ai
This document describes the technical practices of the NORMA MCP Server and does not constitute legal advice or professional compliance counsel. For compliance advice, consult a qualified professional.