MCP Connector — Security & Usage

The X-Analytics MCP (Model Context Protocol) server lets approved AI assistants — such as Claude — securely work with your organization's cyber-risk data on your behalf. Access is granted only with your explicit consent, is scoped to your own organization, and can be revoked by you at any time.

Each organization connects on its own dedicated URL, available inside the product under Account Settings → Connectors:

https://{your-org}.app.x-analytics.com/mcp

When you add the connector in your AI client, you'll be taken to an X-Analytics consent screen showing exactly what access is being requested. The connection is established only after you approve it.

• Authentication uses OAuth 2.1. There is no API-key or password path — your credentials are never shared with the AI client.
• A connected assistant receives the same access as the user who authorized it, limited to that user's organization. It cannot see or act on any other organization's data.
• Access tokens are short-lived and bound to the approved connection.

The server exposes a focused set of tools for reading and updating cyber-risk information: five read-only tools (listing risk profiles and retrieving risk scores, trends, framework scores, and recommendations) and one write tool that updates NIST CSF 2.0 sub-category scores on a profile you already have permission to edit. Each tool is labelled with an accurate read/write indicator so your AI client can show you what it does.

You stay in control of every connection, with no support request required. To review or revoke a connected assistant, go to Account Settings → Connectors and disconnect it. Revocation takes effect immediately — active sessions stop working right away.

• Data is encrypted in transit and at rest, and is kept isolated per organization.
• Information retrieved through the connector is sent to the AI assistant you choose and is then processed by that assistant's provider under its own terms and privacy policy, which X-Analytics does not control. Please review what you ask the assistant to retrieve.
• X-Analytics does not use data accessed through the MCP server to train AI models.

For how we handle personal data more generally, see our Privacy Policy.

Only connect to the official X-Analytics server on app.x-analytics.com, and only use AI clients you trust. If you are unsure whether a connector is genuine, confirm the URL inside your account before approving access.

If you have any questions about the connector or our security posture, you can contact us by email at security@x-analytics.com.