## Security and Best Practices

Using Databox MCP means an AI (or any client) is effectively accessing your data, so it's important to be mindful of security and proper use.

### API Key Security

Treat your API key like a password. Do not hard-code it in publicly shared scripts or expose it in client-side applications. If you suspect it's compromised, regenerate it via Databox account settings. All MCP requests happen over HTTPS for encryption in transit.

### OAuth Authentication

OAuth tokens provide secure, time-limited access without exposing your permanent API key. Tokens are currently valid for **30 days**, which suits scheduled automations and n8n workflows. They expire automatically, so re-authentication is required monthly. OAuth is recommended for multi-user environments, third-party integrations, and automation tools.

### Data Permissions

The MCP server enforces Databox's permission model — the AI cannot access any data that you wouldn't normally be able to access through your Databox account. Use separate API keys or service accounts if you want to restrict what an automation can do (for example, an API key scoped to specific data sources only).

### Audit and Monitoring

Activities through MCP are logged. You can review dataset ingestions and queries via Databox's ingestion history (`get_dataset_ingestions`) and any logging your AI client provides. This helps trace what the AI did with your data, which is useful for compliance and debugging.

### AI Output Verification

While Databox provides accurate data, the AI's interpretation is its own. Always verify critical or sensitive outputs — there is a risk of the AI misinterpreting a question or producing a faulty analysis. Use MCP as a powerful assistant, but keep a human in the loop for important decisions.

### Rate Limits and Performance

The MCP server may apply rate limiting or resource constraints, especially in beta. Extremely large queries or very frequent calls might be throttled. Start with reasonable data sizes and query frequencies. If you encounter HTTP 429 responses, consider batching requests or contacting Databox support for higher throughput.
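The following is an added example, not Databox's own code, of how an automation can slow down on HTTP 429 instead of retrying immediately. It assumes the server may send the standard HTTP `Retry-After` header and falls back to jittered exponential backoff when it does not. The `send` callable, the 60-second ceiling, and the sample responses are constructed for illustration.

```python
import email.utils
import random
import time

MAX_DELAY = 60.0  # assumed ceiling in seconds, not a documented Databox value


def retry_after_seconds(headers, now=None):
    """Parse Retry-After (delta-seconds or HTTP-date); None if absent or invalid."""
    value = {k.lower(): v for k, v in headers.items()}.get("retry-after")
    if value is None:
        return None
    if value.strip().isdigit():
        return float(value)
    try:
        when = email.utils.parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return None
    now = time.time() if now is None else now
    return max(0.0, when.timestamp() - now)


def call_with_backoff(send, max_attempts=5, sleep=time.sleep, rng=random.random):
    """Call send() until it returns a non-429 status or attempts run out.

    send is caller-supplied and returns (status, headers, body).
    Returns (status, body, delays), where delays are the waits performed.
    """
    if max_attempts < 1:
        raise ValueError("max_attempts must be at least 1")
    delays = []
    for attempt in range(max_attempts):
        status, headers, body = send()
        if status != 429 or attempt == max_attempts - 1:
            break
        hinted = retry_after_seconds(headers)
        if hinted is None:
            # No server hint: exponential backoff with full jitter.
            hinted = rng() * 2.0 ** attempt
        delays.append(min(MAX_DELAY, hinted))
        sleep(delays[-1])
    return status, body, delays


def demo():
    """Constructed responses: two throttled replies, then success."""
    replies = iter([(429, {"Retry-After": "2"}, ""), (429, {}, ""), (200, {}, "ok")])
    return call_with_backoff(lambda: next(replies), sleep=lambda s: None, rng=lambda: 0.5)
```

If the final attempt is still throttled, the function returns the 429 status so the caller can log it and stop rather than loop indefinitely.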

## Enterprise Security Considerations

For organizations deploying Databox MCP in production environments:

### Service Accounts

Create dedicated Databox API keys or OAuth applications for automation workflows rather than using personal accounts. This ensures continuity when team members change roles.

### Scope Limitation

Use Databox's permission model to create service accounts with access only to the necessary data sources, following the principle of least privilege.

### Audit Trail

All MCP operations are logged within Databox. Review `get_dataset_ingestions` for data modification history and maintain compliance with your organization's audit requirements.

### Network Security

All MCP communication uses HTTPS/TLS encryption in transit to protect data from interception.

### Credential Rotation

Regularly rotate API keys and OAuth tokens as part of your security hygiene. For OAuth, plan for monthly re-authentication cycles.

## AI Provider Security

### Security Certifications

Claude (Anthropic) and ChatGPT (OpenAI) maintain SOC 2 Type II certification, meeting industry-leading data security and privacy standards.

### Data Processing

AI providers process your Databox data in real time to generate insights but do not persistently store your business data. Data is used only during the active query session.

### Compliance

Ensure your use of AI-powered analytics aligns with your organization's data governance policies and applicable regulations (GDPR, CCPA, HIPAA, etc.).

## Privacy Considerations

When you use an AI service through the Databox MCP (for example, Claude or Gemini), your Databox data may be processed by that AI provider. Review your organization's policies on AI-powered analytics tools and ensure compliance with any applicable regulations such as GDPR or CCPA.

The AI models available through this MCP server are developed and maintained by third-party providers. Databox is not responsible for any outputs these models produce — including inaccuracies, hallucinations, or other errors — regardless of whether those outputs are generated from your Databox data.