[Early Access] Consensus AI Connect - MCP Server Security Information

  • January 7, 2026

MelissaConsensus

Architecture & Infrastructure

Q: What is the Consensus MCP Server architecture?

The Consensus MCP Server uses a secure bridge architecture, based on the enterprise-level OAuth2 protocol, that connects AI platforms to your Consensus workspace through the Model Context Protocol (MCP), an open standard created by Anthropic. The server acts as a secure intermediary that:

  • Authenticates all requests through the Consensus OAuth2 server
  • Respects existing Consensus permission structures
  • Operates as a stateless service (no data storage)
  • Maintains encrypted connections (HTTPS)
  • Supports both local (client-side) and remote (cloud-hosted) deployment models

Q: Where is the MCP Server hosted?

Hosted on Consensus infrastructure at https://mcp.goconsensus.com/mcp/

Q: Does the Consensus MCP Server store or cache any customer data?

No. The Consensus MCP Server is designed as a stateless service that does not store, cache, or retain any customer data. All queries are processed in real-time and responses are transmitted directly to the requesting AI platform.

Q: What happens if the Consensus MCP Server is unavailable?

The Consensus platform remains fully accessible through traditional web interfaces. The Consensus MCP Server is an enhancement layer, not a replacement for existing access methods. If the Consensus MCP Server experiences downtime, direct web access to Consensus data remains unaffected and no data loss occurs.


Authentication & Access Control

Q: How does authentication work with the Consensus MCP Server?

The Consensus MCP Server supports the standard OAuth2 authentication method:

OAuth 2.0 (Enhanced Security):

  • Supports the autodiscovery required by the Model Context Protocol
  • RFC 6749 compliant implementation
  • Supports authorization code flow with PKCE
  • Resource Indicators (RFC 8707) for enhanced token security per MCP Protocol Specification v2025-06-18
  • Support for token refresh mechanisms

Q: Does the Consensus MCP Server respect existing Consensus permissions?

Yes. The Consensus MCP Server enforces all existing Consensus permission structures:

  • Users can only access demos they have permission to view
  • Demoboard creation respects user creation permissions
  • Demo editing requires appropriate modification permissions
  • All actions are executed in the context of the authenticated user
  • Permission inheritance follows standard Consensus RBAC model

Q: Can we implement role-based access control (RBAC)?

Yes. RBAC is implemented at multiple levels:

Consensus Platform Level:

  • User roles defined in Consensus workspace
  • Permissions inherited through standard RBAC

MCP Access Token Level:

  • Access tokens inherit permissions from the issuing user
  • Access token audit trails maintained

Data Security & Privacy

Q: What data is transmitted through the Consensus MCP Server?

The Consensus MCP Server transmits only the minimum data necessary for operation:

Transmitted Data:

  • Demo search queries and filter criteria
  • Demo metadata (titles, descriptions, creation dates, creators)
  • Demo transcripts (when explicitly requested)
  • Demoboard configuration data (recipients, demos, settings)
  • Authentication credentials (API keys in headers)

Never Transmitted:

  • User passwords or personal credentials
  • Payment information
  • Data not requested by the user

Q: Is data encrypted in transit?

Yes. All data transmission uses industry-standard encryption:

  • Transport Security: HTTPS connections required
  • Certificate Validation: SSL/TLS certificate verification
  • No Fallback: Plaintext HTTP connections are rejected

Q: How do you handle personally identifiable information (PII)?

PII handling follows strict privacy principles:

Data Minimization:

  • Only collect PII necessary for service function
  • Demoboard recipient data (names, emails) transmitted only when creating/updating demoboards
  • No PII stored on MCP Server infrastructure (stateless design)

Access Controls:

  • PII accessible only to authorized users with proper permissions
  • Data segregation between workspaces

Retention:

  • PII is not retained by MCP Server (stateless)
  • Retention policies follow Consensus platform settings

Compliance:

  • Consensus privacy compliance program aligned with U.S. Data Privacy Framework, GDPR, and CCPA requirements
  • Data Processing Addendum available

Q: How do you handle data in AI platform integrations?

AI platform data handling varies by provider. Customers should review each AI platform's specific privacy policies:

Claude (Anthropic):

  • Enterprise plans may offer enhanced data retention controls
  • Conversation data handling per Anthropic's privacy policy

ChatGPT (OpenAI):

  • Business/Enterprise plans exclude data from model training
  • Retention policies vary by plan tier

Microsoft Copilot Studio:

  • Data handling governed by Microsoft Cloud Agreement
  • Azure data residency options available

GitHub Copilot:

  • Code snippets handling per GitHub's privacy policy
  • Telemetry data handling varies by subscription tier

Network Security

Q: What network connectivity is required?

Outbound Connections:

  • HTTPS (port 443) to mcp.goconsensus.com (for remote deployment)
  • HTTPS (port 443) to your Consensus workspace
  • No inbound connections required

Firewall Requirements:

  • Allow outbound HTTPS to Consensus domains
  • Standard enterprise firewall rules compatible
  • No special ports or protocols required

Q: Do you support VPN or private network connectivity?

VPN Support:

  • Client VPN compatibility with remote deployment
  • Local deployment operates entirely within customer network

For enhanced private connectivity options, please contact your Account Executive or Customer Success Manager.

Q: Is the Consensus MCP Server endpoint publicly accessible?

Remote Deployment: Yes, the endpoint is publicly accessible but:

  • Protected by authentication (no anonymous access)
  • Monitored for suspicious activity
  • CORS policies restrict browser-based access

Local Deployment: No public endpoint exists. Server runs locally on user's machine.


Compliance & Governance

Q: What compliance certifications does Consensus hold?

Current compliance posture:

SOC 2 Type II:

  • Consensus has obtained SOC 2 Type II certification
  • Annual audit by independent third party
  • Report available upon request (subject to NDA and with 30 days' notice per Terms of Service)

GDPR Compliance:

  • Privacy compliance program aligned with GDPR requirements
  • Data Processing Addendum available
  • Consensus's Subscriber Agreement commits to processing personal data consistent with GDPR requirements

CCPA Compliance:

  • Privacy compliance program aligned with CCPA requirements
  • Privacy policy compliant with CCPA

Consensus maintains appropriate technical and organizational measures for protection of security, confidentiality, and integrity of Customer Data.

Q: Can we audit the Consensus MCP Server security controls?

Audit rights are defined in Consensus's Terms of Service and Data Processing Addendum:

Standard Process:

  • SOC 2 Type II report available upon written request with 30 days' notice (subject to confidentiality obligations)
  • Executive summary of most recent penetration test available upon request

Please contact your Customer Success Manager or security@goconsensus.com for audit requests.

Q: How do you manage vendor security for AI platforms?

Customer Control:

  • Customers choose which AI platforms to use
  • Option to use only platforms meeting customer security requirements
  • Local deployment option eliminates platform dependency for processing

Q: How do you handle regulatory changes?

Consensus maintains a compliance program that monitors regulatory developments and implements required controls within mandated timeframes.


Integration Security

Q: Are there security risks from prompt injection attacks?

Prompt injection is a recognized risk in LLM integrations. Mitigations include:

Server-Side Validation:

  • Input validation on all MCP Server requests
  • Schema validation against expected formats
  • Rejection of malformed or suspicious requests

Permission Enforcement:

  • All actions validated against user permissions
  • Write operations may require explicit confirmation in some platforms

Best Practices:

  • Review AI platform security documentation
  • Enable write operation confirmations where available
  • Monitor MCP Server usage regularly
  • Use appropriate API key permissions for each environment

Q: Can the Consensus MCP Server be exploited to bypass Consensus security controls?

No. The Consensus MCP Server cannot bypass security controls:

  • All requests authenticate as a specific user
  • All actions subject to that user's permissions
  • No elevated privileges granted through MCP
  • Anomaly patterns may trigger error responses

The Consensus MCP Server is an authenticated API client, not a privileged system component.


Incident Response & Monitoring

Q: What logging and monitoring capabilities exist?

Security Monitoring:

  • Failed authentication attempts logged
  • Suspicious activity patterns may trigger alerts

Customer Access:

  • API usage visibility through Consensus workspace
  • Failed request monitoring

For detailed monitoring capabilities, please contact your Customer Success Manager.

Q: What is your incident response process?

For security incidents or concerns, contact security@goconsensus.com

Consensus maintains security incident response procedures aligned with SOC 2 requirements.

Q: How quickly do you patch security vulnerabilities?

Consensus follows security best practices for vulnerability management including:

  • Continuous monitoring
  • Regular security assessments
  • Annual third-party penetration tests
  • Timely remediation of identified vulnerabilities

Specific patching SLAs are maintained as part of SOC 2 compliance controls.


Additional Information

Q: What third-party services does the MCP Server depend on?

Infrastructure:

  • Consensus is hosted on Amazon AWS
  • For more information: AWS Security 

AI Platforms (Customer Choice):

  • Customers choose which AI platforms to integrate
  • Supported platforms include Claude, ChatGPT, Microsoft Copilot Studio, GitHub Copilot, and others

Q: Is penetration testing performed on the MCP Server?

Yes. Consensus conducts annual third-party penetration tests as part of its security program. An executive summary of the results is available upon request.

Q: How do you handle security in the development pipeline?

Consensus uses security-focused software development practices aligned with OWASP Secure Coding Practices to defend against OWASP Top 10 security vulnerabilities.

Contact your Customer Success Manager for air-gapped deployment documentation.

Q: What is your responsible disclosure policy?

Security researchers are encouraged to report vulnerabilities to security@goconsensus.com


Contact Information

Security Team
Email: security@goconsensus.com

Customer Support
For questions about the MCP Server, contact your Customer Success Manager or Account Executive

Documentation
Security information: Consensus Security Center


This document provides security information about the Consensus MCP Server based on verified documentation. For the most current information or specific security requirements, please contact security@goconsensus.com or your Customer Success Manager.

Information in this document is subject to change. Consensus maintains security practices aligned with SOC 2 Type II requirements and industry best practices.