Compliance proxy for MCP servers — now available for regulated teams.
Talk to an EngineerEvery tool call to your MCP servers passes through ACAI's compliance pipeline — PII detection, data classification enforcement, tool authorization, and tamper-proof audit logging. Register your servers, apply a policy, and hand your auditor a report.
MCP servers let AI agents query databases, read patient records, search documents, and execute commands. When the auditor asks which tools were called, what data was accessed, and whether PII was exposed — you need answers in seconds, not a forensic investigation.
The MCP Layer intercepts every tool call, enforces your compliance policy, and generates the evidence. Same MCP protocol, same servers — compliance built in.
Four steps. Every tool call. Automatic.
Register your MCP servers — name, URL, auth method, and maximum data classification level. One dashboard, all your servers.
Pick a compliance template (HIPAA, SOC 2, PCI DSS, etc.) or build a custom policy. Set tool allow/block lists and classification ceilings.
Point your MCP client at the ACAI MCP endpoint. Every JSON-RPC request is intercepted — PII scanned, classification enforced, tools authorized — then forwarded to your server.
Audit trail fills automatically. Generate framework-mapped compliance reports covering tool authorization, PII handling, and classification enforcement. Hand your auditor a report.
Everything you need to make MCP tool calls compliant — without changing your servers.
Every tool parameter and response passes through PII detection before reaching your MCP server — and again before results reach the client. 14+ PII patterns plus NER-based entity recognition.
Whitelist approved tools or block dangerous ones per-server. Policy enforcement happens at the proxy layer — your MCP server never sees unauthorized requests.
Four classification levels — Public, Internal, Confidential, PHI. Set a maximum classification per server. Tool calls that exceed the server's classification ceiling are rejected before they leave the proxy.
Every JSON-RPC request logged with tool name, parameters (redacted), response summary, classification level, PII findings, and latency. Immutable records with correlation IDs.
One-click evidence exports for HIPAA, SOC 2, PCI DSS, GDPR, CCPA, NIST 800-53, and FERPA. Reports cover tool authorization, PII handling, classification enforcement, and complete request logs.
Automatic circuit breaking on failing MCP servers. Configurable thresholds, half-open recovery, and health checks. Your compliance proxy stays up even when backends don't.
The MCP Layer speaks native MCP — no SDK changes, no client modifications.
Full Server-Sent Events support. Tool responses stream through the compliance layer in real time — no buffering, no added latency on streamed responses.
Native JSON-RPC 2.0 at the wire level. Request IDs, error codes, batch requests — all preserved. Your MCP client doesn't know the proxy exists.
Per-server circuit breakers with configurable failure thresholds. Half-open recovery probes. Your proxy stays healthy even when backends are down.
Bearer tokens, API keys, or no auth — the MCP Layer handles authentication to your MCP servers. Secrets stored encrypted (AES-256-GCM) in the backend.
Set a max data classification per server. A server marked 'Internal' rejects tool calls carrying Confidential or PHI data — before the request leaves the proxy.
Allow-list and block-list tools per server. Only approved tools get proxied. Blocked tools return a policy violation — logged, audited, reported.
Talk to an engineer about your MCP compliance requirements — or explore the AI Layer for AI inference compliance.