# AI safety and privacy

HollyHR's API and MCP surfaces are designed for controlled HR integrations, not
unbounded data export. API keys and future OAuth connector access are
organisation-scoped, scope-limited, audited, and revocable.

During developer preview, HollyHR MCP uses scoped bearer API keys. OAuth-based
connector-gallery access is planned for tenants configured with WorkOS/AuthKit
or an equivalent authorization server.

## What clients can see

Clients can only access data covered by the scopes you grant. For MCP, HollyHR
also applies a stricter server-side projection layer:

- tenant id is derived from the credential and is never accepted as tool input;
- MCP outputs exclude payroll, bank, tax, government identifiers, compensation,
  home contact details, document links, document filenames, and raw sensitive
  absence labels;
- absence and document metadata are bucketed where needed to reduce
  special-category inference;
- daily HR-data row ceilings limit broad workforce extraction;
- request logs record source, status, request id, and row counts rather than raw
  model prompts or returned HR payloads.

## Writes

MCP writes are disabled in production unless HollyHR explicitly enables the
tenant write-mode gate:

```text
HOLLYHR_MCP_WRITE_MODE=enabled
```

Even when enabled, writes require:

- ordinary REST write scopes for the data being changed;
- the additional `mcp:write` opt-in scope;
- host form elicitation, so the user sees and approves the action;
- a frozen server-signed payload;
- idempotency keys and ETags where the REST API requires them;
- a human-entered business reason for lifecycle writes.

Hosts that do not support MCP form elicitation cannot commit MCP writes.
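The write preconditions above, sketched as a single fail-closed check. This is an added example, not HollyHR's code: the HMAC-SHA256 signing scheme, the function names, the `absences:write` scope and the payload fields are assumptions, and idempotency keys and ETags are left out.

```python
import hashlib
import hmac
import json

# Hypothetical sketch. Only HOLLYHR_MCP_WRITE_MODE and the mcp:write scope come
# from the page; every other name and the HMAC scheme are assumptions.
SIGNING_KEY = b"constructed-demo-key"  # constructed; a real key belongs in a KMS

def canonical(payload: dict) -> bytes:
    # Stable serialisation so the same payload always yields the same MAC.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()

def freeze(payload: dict) -> str:
    """Sign the exact payload that the approval form shows to the user."""
    return hmac.new(SIGNING_KEY, canonical(payload), hashlib.sha256).hexdigest()

def check_write(env, scopes, host_supports_elicitation, user_approved,
                payload, signature, rest_scope, lifecycle=False):
    """Return (allowed, reason). Every gate must pass; any failure denies."""
    if env.get("HOLLYHR_MCP_WRITE_MODE") != "enabled":
        return False, "write mode disabled"
    if rest_scope not in scopes:
        return False, "missing REST write scope"
    if "mcp:write" not in scopes:
        return False, "missing mcp:write scope"
    if not host_supports_elicitation:
        return False, "host lacks form elicitation"
    if not user_approved:
        return False, "user did not approve"
    if not hmac.compare_digest(freeze(payload), signature):
        return False, "payload changed after signing"
    if lifecycle and not str(payload.get("business_reason", "")).strip():
        return False, "business reason required"
    return True, "ok"

if __name__ == "__main__":
    # Constructed sample: a request is frozen, then altered after approval.
    p = {"action": "absence.create", "employee_id": "emp_123", "days": 2}
    sig = freeze(p)
    scopes = {"absences:write", "mcp:write"}
    env = {"HOLLYHR_MCP_WRITE_MODE": "enabled"}
    print(check_write(env, scopes, True, True, p, sig, "absences:write"))
    print(check_write(env, scopes, True, True, {**p, "days": 20}, sig, "absences:write"))
```

Because the signature covers the payload shown in the form, a client that alters any field between approval and commit is rejected at the signature gate.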

## Customer responsibility

Only connect HollyHR to tools you trust. A third-party MCP host, AI client, or
integration platform may process data under its own terms. Review the client's
data handling, retention, training, subprocessors, and region controls before
granting a production API key or OAuth consent.

Use a disposable synthetic tenant for demos, directory review, and partner
proofs. Do not use a real customer tenant for experiments.

## Review status

HollyHR maintains an internal DPIA/DPO sign-off pack for MCP and AI-agent access.
Production MCP writes should not be enabled until that pack is approved for the
specific rollout.

For integration questions or security concerns, contact
[support](/support).
