Security

Gram is designed as a high-performance, security-first, serverless tools platform. It routes requests from a hosted MCP server (often hosted at mcp.your-company.com) to production APIs, following all modern security practices for web application development and data storage.

Certifications

Gram maintains the following security certifications and compliance standards:

• SOC 2 Type II - Independently audited controls for security, availability, and confidentiality
• ISO 27001 - International standard for information security management
• GDPR compliant - Data processing agreements available with privacy by design
• CCPA compliant - User data deletion on request

Architecture overview

Gram is hosted on Speakeasy servers provisioned in Google Cloud Platform and consists of two main components:

Control plane

The control plane includes:

• Gram Dashboard - Web interface for managing toolsets and configurations
• Metadata database - Storage for Gram toolset metadata
• Authentication service - Customer authentication provided through WorkOS SSO

Data plane

The data plane consists of a request proxy that:

• Processes requests from MCP endpoints
• Forwards requests to APIs according to the grouping of endpoints in a toolset
• Processes requests to LLM inference providers (OpenAI, Anthropic) when using the in-app playground feature

Authentication

Authentication in the Gram platform is shared with the Speakeasy platform. Access is granted through Organizations with login support available through Google and GitHub identity providers. Unauthenticated sessions are not supported.

SSO support is available on request to enterprise customers.

Encryption

All data processed by Gram is encrypted in transit. HTTPS is the standard protocol for all MCPs hosted by Gram.

For customers using Gram-managed authentication, customer keys and secrets are encrypted using symmetric key encryption in the database, in addition to the encryption defaults provided by Google CloudSQL.

Business continuity and disaster recovery

If Gram experiences downtime, there is no impact to the customer’s API uptime. MCP servers hosted by Gram will become unavailable, meaning requests from MCP clients to those specific servers will not be processed.

Metadata on customer toolsets is stored in GCP CloudSQL with:

• Multi-region replication
• Failover redundancy
• Encrypted connections

Data storage FAQ

Does Gram store my API or customer data?

Gram does not store customer data. It only processes data in transit.

Can Gram store my API secrets?

By default, Gram does not store API secrets.

Users have the option to store API secrets if they choose to use Gram-managed authentication and API keys. This option is only available for internal users, not public users of an API.

What data does Gram store?

Gram only stores metadata. Customer data is only processed in transit.

Stored data on Gram’s servers includes:

• Email addresses used to log in to the Gram platform
• Metadata on created tools, specifically:
  • Date and time of tool creation
  • Corresponding API endpoint
  • Specification version
  • Error details for any errors that occurred during creation
• Metadata on tool calls, specifically:
  • Tool used
  • Time
  • Request origin
  • Request shape
  • Request success or failure
• Point-in-time snapshots of API specifications for comparing changes

Further reading

• Enterprise features
• Adding OAuth to MCP servers
• API keys