Security & Privacy

Preloop is designed for organizations that need to trust their AI governance layer completely. This page explains what Preloop sees and stores, and how to deploy it securely.

How the MCP Proxy Works

Preloop sits between your AI agent and your MCP servers:

AI Agent → Preloop Proxy → Your MCP Servers

When an agent calls a tool:

  1. Preloop receives the tool call — the tool name, arguments, and metadata
  2. Policy evaluation — Preloop checks access rules and approval workflows
  3. If allowed, the call is forwarded to your actual MCP server
  4. If approval required, the call is held until a human approves or denies
  5. If denied, the agent receives an access denied response
  6. The result from the MCP server passes back through Preloop to the agent
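The decision flow in steps 1 to 6, as an added illustrative example in Python that is not Preloop's own code: a proxy-side policy evaluator takes one MCP `tools/call` JSON-RPC request, forwards, holds or denies it, and writes the audit record from only the fields the proxy actually sees (tool name, arguments, agent identity). The rule set, tool names, the stand-in upstream server and the `-32000` error code are constructed assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional

class Decision(Enum):
    ALLOW = "allow"   # forward to the real MCP server
    HOLD = "hold"     # park the call until a human approves or denies
    DENY = "deny"     # answer the agent with an access-denied error

@dataclass
class Rule:
    tool: str                                       # tool name, or "*" for any tool
    decision: Decision
    when: Optional[Callable[[dict], bool]] = None   # optional predicate over the arguments

# Constructed example policy: first matching rule wins, unknown tools are denied.
RULES = [
    Rule("read_file", Decision.ALLOW),
    Rule("write_file", Decision.HOLD, when=lambda a: str(a.get("path", "")).startswith("/etc/")),
    Rule("write_file", Decision.ALLOW),
    Rule("run_shell", Decision.DENY),
]

def evaluate(name: str, args: dict, rules=RULES) -> Decision:
    """Step 2: policy evaluation consults only the tool name and its arguments."""
    for r in rules:
        if r.tool in ("*", name) and (r.when is None or r.when(args)):
            return r.decision
    return Decision.DENY

def handle_call(request: dict, agent_id: str, forward: Callable[[dict], dict], audit: list) -> Optional[dict]:
    """Proxy one 'tools/call'. Returns the response to send now, or None while held for approval."""
    if request.get("method") != "tools/call":
        raise ValueError("not a tools/call request")
    name = request["params"]["name"]
    args = request["params"].get("arguments", {})
    decision = evaluate(name, args)
    # Audit record: tool, arguments, decision and agent. The proxy never receives the
    # LLM conversation, so nothing from it can end up here.
    audit.append({"id": request["id"], "agent": agent_id, "tool": name,
                  "arguments": args, "decision": decision.value})
    if decision is Decision.DENY:   # step 5
        return {"jsonrpc": "2.0", "id": request["id"],
                "error": {"code": -32000, "message": f"access denied: {name}"}}
    if decision is Decision.HOLD:   # step 4: the approval workflow answers later
        return None
    return forward(request)         # steps 3 and 6: pass through, relay the result unchanged

# Constructed sample call plus a stand-in for the upstream MCP server.
SAMPLE = {"jsonrpc": "2.0", "id": 7, "method": "tools/call",
          "params": {"name": "write_file", "arguments": {"path": "/etc/hosts", "content": "x"}}}
def fake_server(req: dict) -> dict:
    return {"jsonrpc": "2.0", "id": req["id"], "result": {"content": [{"type": "text", "text": "ok"}]}}
```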

What Preloop Sees

| Data | Access | Notes |
|---|---|---|
| Tool names | ✅ Read | Needed for policy evaluation |
| Tool arguments | ✅ Read | Needed for policy evaluation and audit |
| Tool results | ✅ Pass-through | Forwarded to the agent; optionally logged for audit |
| Agent identity | ✅ Read | API key identifies the agent |
| Your prompts/conversations | ❌ None | Preloop never sees your LLM conversations |
| Your source code | ❌ None | Only tool call arguments are visible |
| Your MCP server credentials | ✅ Stored (encrypted) | Required to connect to your MCP servers |

What Preloop Stores

  • Tool call logs: Tool name, arguments, result status, timestamps, and who approved/denied
  • Approval requests: Pending, approved, and denied requests with approver comments
  • Audit trail: Complete history of all tool calls and approvals for compliance
  • User accounts: Email, hashed passwords, notification preferences
  • Configuration: MCP server connections, access rules, approval workflows

Data Retention

  • Audit logs are retained indefinitely by default
  • You can configure retention policies via the admin settings
  • All data can be exported or deleted on request

Deployment Options

Cloud Hosted (preloop.ai)

  • Hosted on secure infrastructure
  • Data encrypted at rest and in transit (TLS 1.3)
  • SOC 2 compliance in progress
  • Available for immediate use — sign up at preloop.ai

Self-Hosted (Open Source)

  • Full control: Deploy on your own infrastructure
  • Your data stays yours: Nothing leaves your network
  • No phone-home: Zero telemetry, no external API calls
  • Docker Compose or Kubernetes (Helm) deployment
  • Same features as cloud, managed by your team

```bash
# Self-hosted deployment
git clone https://github.com/preloop/preloop.git
cd preloop
docker-compose up -d
```

Enterprise Self-Hosted

  • Everything in self-hosted, plus:
  • RBAC, team management, quorum approvals
  • CEL-based conditional policies
  • Priority support and SLA
  • Contact sales@preloop.ai

Encryption

| Layer | Method |
|---|---|
| In transit | TLS 1.3 (HTTPS) |
| At rest | AES-256 database encryption |
| API keys | Bcrypt hashed; only the key prefix is stored in plaintext |
| MCP server credentials | Encrypted with an application-level key |
| Passwords | Bcrypt with configurable work factor |

Network Architecture

Preloop needs outbound access to:

  • Your MCP servers — to forward tool calls
  • Email provider (SMTP) — for approval notifications
  • APNs / FCM — for mobile push notifications (optional)
  • Slack / Mattermost — for chat notifications (optional, webhook-based)

Preloop does not need access to:

  • Your LLM provider (unless using the AI Model Gateway)
  • Your source code repositories (unless using the GitHub App integration)
  • Any third-party analytics or telemetry service

Responsible AI Integration

When using the AI Approval Workflows feature (Enterprise):

  • AI models evaluate approval requests based on your custom criteria
  • The AI model's decision and reasoning are logged in the audit trail
  • AI approvals can be configured to require human confirmation for high-risk decisions
  • You choose which AI model to use — your data is sent only to the provider you select

Reporting Security Issues

If you discover a security vulnerability, please report it responsibly:

  • Email: security@preloop.ai
  • We will acknowledge receipt within 24 hours
  • We aim to provide a fix within 72 hours for critical issues