This document describes the security properties of docuware-mcp across its two deployment tracks. For personal data and GDPR specifics, see GDPR.md.
The MCP server runs as a local process on the user's own machine, launched directly by the AI client (Claude Desktop, Claude Code, etc.).
| Property | Detail |
|---|---|
| Network exposure | None — communication is over stdio, never a network socket |
| Credential storage | OAuth tokens stored in the OS keychain (Windows Credential Manager, macOS Keychain, libsecret on Linux) |
| Data in transit | All DocuWare API calls use HTTPS (TLS 1.2+) |
| Data at rest | Tokens in OS keychain; no database, no cloud storage |
| Authentication | OAuth 2.0 PKCE against the DocuWare instance |
| Multi-user | No — single user per local installation |
| Logging | Local process output only; no remote log collection |
In local mode, no data leaves the user's machine except outbound API calls to the DocuWare instance the user already has access to.
The MCP server runs as an HTTPS service, reachable by Claude.ai and other remote MCP clients. Users authenticate via OAuth 2.1; no passwords are stored on the server.
| Property | Detail |
|---|---|
| Hosting | Google Cloud Run (managed, serverless containers) |
| Token store | Google Cloud Firestore (managed NoSQL database) |
| Data in transit | HTTPS enforced by Cloud Run; all DocuWare API calls use HTTPS |
| Data at rest | Firestore: GCP-managed encryption + field-level AES-256-GCM for DocuWare tokens |
| Authentication | OAuth 2.1 + PKCE (MCP layer) → OAuth 2.0 confidential client (DocuWare layer) |
| Access control | Firestore access restricted to the Cloud Run service account via GCP IAM |
| Secrets | TOKEN_ENCRYPTION_KEY and OAuth client secret stored in GCP Secret Manager |
| Logging | Structured JSON to Cloud Logging (stdout); see Audit log below |
| Property | Detail |
|---|---|
| Hosting | Any Linux VM or Windows Server with Python 3.10+ |
| Token store | SQLite file on local disk |
| Data in transit | HTTPS via reverse proxy (nginx, IIS, Caddy, etc.) |
| Data at rest | Field-level AES-256-GCM for DocuWare tokens (TOKEN_ENCRYPTION_KEY) |
| Access control | OS file permissions on the SQLite file and the encryption key |
| Logging | stdout; operator-defined log collection |
When deployed on GCP, docuware-mcp runs on infrastructure that holds the following certifications:
| Certification | Scope |
|---|---|
| ISO/IEC 27001 | Google Cloud infrastructure and operations |
| ISO/IEC 27017 | Cloud-specific security controls |
| ISO/IEC 27018 | Protection of PII in public clouds |
| SOC 1 / SOC 2 / SOC 3 | Google Cloud services |
| C5 (BSI Germany) | Cloud computing compliance criteria catalogue |
These certifications apply to the Google-managed infrastructure (Cloud Run, Firestore, Secret Manager). They do not automatically certify docuware-mcp itself or the operator's deployment configuration.
Google's full compliance documentation and current certificates: https://cloud.google.com/security/compliance/offerings
The remote server writes a structured JSON audit entry to stdout for every MCP tool call and significant auth event. Audit entries contain:
session_id— opaque random ID (not directly identifying)user_id— DocuWare user UUID (in the structured payload; not a GCP log label)tool— name of the MCP tool that was calledaction— event type (e.g.mcp_tool_called,token_issued,session_cleanup)status—success,failure, orerror
Tool arguments and document contents are never logged.
user_id is deliberately kept out of GCP log labels to avoid creating a
persistent indexed identity mapping in Cloud Logging outside the controlled
token store. See GDPR.md § Audit log
for the identity tracing procedure and privacy rationale.
| Token type | Storage | Notes |
|---|---|---|
| DocuWare access token | AES-256-GCM encrypted | Decrypted in memory only, never logged |
| DocuWare refresh token | AES-256-GCM encrypted | Same |
| MCP access token | SHA-256 hashed (irreversible) | Only the hash is stored |
| MCP refresh token | SHA-256 hashed (irreversible) | Same |
MCP tokens are never stored in recoverable form. A stolen token store does not yield usable MCP tokens.
docuware-mcp operates with the permissions of the authenticated DocuWare user. It requests only the scopes needed for read-only document access:
docuware.platform — DocuWare REST API
dwprofile — User profile (name, org, language)
openid — OIDC identity
offline_access — Refresh token (for silent token renewal)
The server itself performs only read operations on DocuWare. No documents are created, modified, or deleted by any MCP tool.
The remote server uses RFC 7591 Dynamic Client Registration
so that MCP clients (Claude.ai, Claude Desktop, etc.) can self-register without
manual configuration. By default this is unrestricted, which is fine for
private deployments. For public-facing servers, set ALLOWED_REDIRECT_DOMAINS
to limit which redirect URI hosts are accepted at registration time.
# Recommended for public servers
ALLOWED_REDIRECT_DOMAINS=*.claude.ai,claude.ai
localhost and 127.0.0.1 are always allowed regardless of this setting.
Patterns use shell glob rules (* matches any character sequence within a
hostname). A registration attempt with a non-matching host is rejected with
invalid_redirect_uri and a message telling the user to contact the
administrator.
If the variable is not set, all redirect URIs are accepted (current default).
Please report security issues privately to the maintainers rather than opening a public GitHub issue. Contact details are in the repository's GitHub Security Advisory settings.