Security and data handling
What the Spanly gateway sees, what it stores, how long it keeps it, and what happens when Spanly infrastructure is degraded.
The gateway puts Spanly in the request path in front of your MCP server, so this page answers the questions a security review asks. Everything here describes shipped behavior.
What data does the gateway see?
Every request and response that flows between your end users and your MCP server, as JSON-RPC over HTTP. The gateway terminates TLS, applies your edge rules, proxies the request to your server, and captures a copy for observability on a side path.
What is stored, and where?
Captured traffic stays in the region you chose (US in Oregon, EU in Frankfurt) for its whole life. What gets stored depends on the capture mode you set per gateway:
- Full: request and response bodies are stored (gzipped) in regional object storage, alongside metadata rows.
- Redacted: bodies are stored, but secret and personal-data spans are
replaced with
[REDACTED:<kind>]before anything durable is written. Raw bodies exist only in memory and in the in-region queue during transit. - Metadata only: bodies never leave the gateway process. Only metadata (method, tool name, sizes, timing, status) is stored.
Metadata rows always exclude bodies; they hold the method, tool name, byte sizes, durations, error and status codes, and identities.
How long is data kept?
Data is retained for your plan's retention window. You can set a shorter per-environment override, which can only shorten retention, never extend it. A daily job physically deletes data past the effective retention.
Region guarantees
A gateway is pinned to its environment's region. The routing layer refuses to resolve or capture across regions, so a US gateway never routes or stores into EU infrastructure, and the reverse.
Is traffic encrypted?
Yes, end to end: client to gateway, gateway to your server, and gateway to Spanly ingest all use TLS. Per-gateway secrets (the ingest key and any static headers you inject) are encrypted at rest with AES-256-GCM. Client keys are stored only as hashes.
What happens if Spanly is degraded?
The gateway is fail-open by design. If capture, ingest, or the config service is degraded, your traffic keeps flowing to your server; only the observability copy is affected. A quota cap never blocks traffic either: at the cap the gateway keeps proxying at full fidelity and only reduces capture sampling.
Access controls at the edge
Per gateway you can require a Spanly-issued client key (for servers with no auth of their own), restrict access to IP ranges, cap request sizes, and rate limit per client. Client keys are validated at the edge and stripped before the request reaches your server.
Subprocessors
Hosting is on Render in the region you select. Object storage and the analytics database are the same regional stores used by the rest of Spanly. Ask support for the current subprocessor list and a DPA.