HollyHR Developer Docs

AI safety and privacy

HollyHR's API and MCP surfaces are designed for controlled HR integrations, not unbounded data export. API keys and future OAuth connector access are organisation-scoped, scope-limited, audited, and revocable.

During developer preview, HollyHR MCP uses scoped bearer API keys. OAuth-based connector-gallery access is planned for tenants configured with WorkOS/AuthKit or an equivalent authorization server.

What clients can see

Clients can only access data covered by the scopes you grant. For MCP, HollyHR also applies a stricter server-side projection layer:

  • tenant id is derived from the credential and is never accepted as tool input;
  • MCP outputs exclude payroll, bank, tax, government identifiers, compensation, home contact details, document links, document filenames, and raw sensitive absence labels;
  • absence and document metadata are bucketed where needed to reduce special-category inference;
  • daily HR-data row ceilings limit broad workforce extraction;
  • request logs record source, status, request id, and row counts rather than raw model prompts or returned HR payloads.

Writes

MCP writes are disabled in production unless HollyHR explicitly enables the tenant write-mode gate:

HOLLYHR_MCP_WRITE_MODE=enabled

Even when enabled, writes require:

  • ordinary REST write scopes for the data being changed;
  • the additional mcp:write opt-in scope;
  • host form elicitation, so the user sees and approves the action;
  • a frozen server-signed payload;
  • idempotency keys and ETags where the REST API requires them;
  • a human-entered business reason for lifecycle writes.

Hosts that do not support MCP form elicitation cannot commit MCP writes.
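The write conditions above, sketched as a single commit check (an added example, not HollyHR's own code). It shows why the payload is frozen and signed: what the user approved in the form is exactly what gets committed. The function names, the HMAC scheme, the demo key and the `employees:write` scope name are assumptions for illustration; idempotency-key and ETag handling is left to the REST layer.

```python
import hashlib
import hmac
import json

# Constructed demo key (assumption); a real server would load it from a secret store.
SIGNING_KEY = b"constructed-demo-key"


def freeze(payload: dict, tenant_id: str) -> str:
    """Sign the proposed write, bound to the tenant derived from the credential."""
    # Canonical JSON so the same payload always produces the same signature.
    msg = json.dumps({"tenant": tenant_id, "payload": payload},
                     sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def authorize_commit(env, scopes, tenant_id, payload, signature, rest_scope,
                     user_approved, lifecycle=False, business_reason=None):
    """Return (allowed, reason). Every listed condition must hold."""
    if env.get("HOLLYHR_MCP_WRITE_MODE") != "enabled":
        return False, "write mode gate is off"
    if rest_scope not in scopes:
        return False, "missing REST write scope"
    if "mcp:write" not in scopes:
        return False, "missing mcp:write scope"
    if not user_approved:
        return False, "no form elicitation approval"
    # Constant-time compare; fails if the payload or tenant changed after signing.
    if not hmac.compare_digest(freeze(payload, tenant_id), signature):
        return False, "payload differs from the signed one"
    if lifecycle and not (business_reason or "").strip():
        return False, "business reason required"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample input.
    env = {"HOLLYHR_MCP_WRITE_MODE": "enabled"}
    scopes = {"employees:write", "mcp:write"}
    proposed = {"employee_id": "e-1", "status": "on_leave"}
    sig = freeze(proposed, "t-1")
    print(authorize_commit(env, scopes, "t-1", proposed, sig,
                           "employees:write", user_approved=True))
    altered = dict(proposed, status="terminated")
    print(authorize_commit(env, scopes, "t-1", altered, sig,
                           "employees:write", user_approved=True))
```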

Customer responsibility

Only connect HollyHR to tools you trust. A third-party MCP host, AI client, or integration platform may process data under its own terms. Review the client's data handling, retention, training, subprocessors, and region controls before granting a production API key or OAuth consent.

Use a disposable synthetic tenant for demos, directory review, and partner proofs. Do not use a real customer tenant for experiments.

Review status

HollyHR maintains an internal DPIA/DPO sign-off pack for MCP and AI-agent access. Production MCP writes should not be enabled until that pack is approved for the specific rollout.

For integration questions or security concerns, contact support.

Last modified on June 23, 2026