Skip to content

Security

Terminology

In this document, “Customer” refers to the user of Gram. “End User” refers to a user of an MCP server hosted by Gram on behalf of the Customer.

Gram is designed as a high-performance, security-first, serverless tools platform. It routes requests from a hosted MCP server (often hosted at mcp.your-company.com) to production APIs, following all modern security practices for web application development and data storage.

Gram maintains the following security certifications and compliance standards:

  • SOC 2 Type II - Independently audited controls for security, availability, and confidentiality
  • ISO 27001 - International standard for information security management
  • GDPR compliant - Data processing agreements available with privacy by design
  • CCPA compliant - User data deletion on request

Gram is hosted on Speakeasy servers provisioned in Google Cloud Platform and consists of two main components:

The control plane includes:

  • Gram Dashboard - Web interface for managing toolsets and configurations
  • Metadata database - Storage for Gram toolset metadata
  • Authentication service - Customer authentication provided through WorkOS SSO

The data plane consists of a request proxy that:

  • Processes requests from MCP endpoints
  • Forwards requests to APIs according to the grouping of endpoints in a toolset
  • Processes requests to LLM inference providers (OpenAI, Anthropic) when using the in-app playground feature

Authentication in the Gram platform is shared with the Speakeasy platform. Access is granted through Organizations with login support available through Google and GitHub identity providers. Unauthenticated sessions are not supported.

SSO support is available on request to enterprise customers.

All data processed by Gram is encrypted in transit. HTTPS is the standard protocol for all MCPs hosted by Gram.

For customers using Gram-managed authentication, customer keys and secrets are encrypted using symmetric key encryption in the database, in addition to the encryption defaults provided by Google CloudSQL.

If Gram experiences downtime, there is no impact to the customer’s API uptime. MCP servers hosted by Gram will become unavailable, meaning requests from MCP clients to those specific servers will not be processed.

Metadata on customer toolsets is stored in GCP CloudSQL with:

  • Multi-region replication
  • Failover redundancy
  • Encrypted connections

Gram does not store customer data. It only processes data in transit.

By default, Gram does not store API secrets.

Users have the option to store API secrets if they choose to use Gram-managed authentication and API keys. This option is only available for internal users, not public users of an API.

Gram only stores metadata. Customer data is only processed in transit.

Stored data on Gram’s servers includes:

  • Email addresses used to log in to the Gram platform
  • Metadata on created tools, specifically:
    • Date and time of tool creation
    • Corresponding API endpoint
    • Specification version
    • Error details for any errors that occurred during creation
  • Metadata on tool calls, specifically:
    • Tool used
    • Time
    • Request origin
    • Request shape
    • Request success or failure
  • Point-in-time snapshots of API specifications for comparing changes