Remote MCP applies the same security controls that already protect your Remote account. This article summarizes how authentication, authorization, and data handling work.
Authentication
Remote MCP uses OAuth with the same browser-based sign-in you use for Remote. Your password is never shared with the AI client. For more detail, see What does signing in to Remote MCP actually authorize?
Authorization
Every connection respects your existing Remote roles, permissions, and Row-Level Security, so users only access data — and take only the limited write actions (such as time off and expenses) — that their account already allows. For the full explanation, see How do roles and permissions work in Remote MCP?
Data handling
- The server only returns data when an AI client explicitly requests it.
- All traffic is encrypted in transit using HTTPS/TLS.
- Remote MCP is governed by your Remote Terms of Service, Terms of Use, and Data Processing Agreement.
- Remote sends data only to the AI client you have signed into.
- Once data reaches your AI client, it is subject to that client's own privacy policy and data retention practices. Remote does not control how your AI client processes or stores the data it receives.
Certifications
Remote's underlying platform is:
- ISO 27001 certified
How to revoke access
Users can disconnect Remote MCP from any AI client at any time (see: How do I disconnect Remote MCP from my AI client?). Access is also revoked automatically when a user's Remote account is deprovisioned — for example, during offboarding — so removing someone in Remote also cuts off their AI client's access.
Comments
0 comments
Please sign in to leave a comment.