What CraftedTrust stores and why.
No ad tech, no tracking pixels, and no third-party analytics in the public product. We keep the data needed to run the registry, publisher workflow, and research feed.
Account and access data
Email, name, organization membership, MFA records, sessions, API keys, and notification settings. This data supports sign-in and publisher operations.
Public trust data
Server URLs, scores, scan timestamps, findings summaries, certification state, and public profile information shown in the registry.
Review materials
Publisher submissions, scan setup details, review notes, certification records, and generated reports or trust assets.
Disclosure and advisory records
Touchstone findings, disclosure timelines, researcher submissions, and published advisory content tied to MCP ecosystem research.
Retention and controls
The product is built to keep collection narrow and explainable.
Kept only as long as it is useful
Public trust records remain while a server is listed. Account and publisher data remain while the account or workflow is active, subject to legal and operational requirements.
Edge-first storage
CraftedTrust runs on Cloudflare Workers with D1 for structured data and R2 for stored artifacts.
Protected in transit and at rest
TLS protects traffic in transit. Cloudflare-managed encryption protects D1 and R2 storage at rest.
Minimal by default
No ad networks, no tracking pixels, no Google Analytics, and no Mixpanel in the public product.
Questions about your data
For processing questions or deletion requests, contact cyber.craft@craftedcybersolutions.com.