Skip to main content
Connecting ELI to your AI assistant is safe by design. This page lays out exactly what the MCP connection can access — the complete list — and what it has no ability to touch at all.
The one thing to know. ELI’s MCP works only with metadata about your software stack — which tools you run, what they cost, and who has access. It has no capability to read the content inside those tools: no emails, messages, documents, files, source code, tickets, calendars, or customer records. That isn’t a policy we choose to follow — there is no operation in the connection that can do it.

Everything the MCP can do

The connection exposes exactly five tools. This is the complete surface — it cannot perform any operation that isn’t on this list.

Search the catalog

Searches ELI’s public catalog of 10,000+ software tools. Uses no data from your workspace. Read-only.

Tool details

Returns public details about one tool from that catalog. Uses no data from your workspace. Read-only.

Your stack

Returns the stack metadata for workspaces you belong to: workspace name, the tools in each, their monthly cost, team members and their roles. Read-only.

Insights

Returns read-only analytics calculated from the stack metadata above. Nothing new is collected, and nothing outside your workspace is used.
The fifth tool can make administrative changes only — like adding a team member, adjusting a role, or cancelling a license. Even then it never touches the data inside your tools, only who has access and what you pay. See Administrative actions for the full list and the safeguards around it.

What the MCP can never access

These aren’t restrictions we apply — they’re capabilities the connection simply doesn’t have. No tool listed above, given any input, can reach them.

Can see

  • Names, categories, and status of the tools you run
  • Monthly spend and seat counts per tool
  • Team members and their roles
  • Renewal dates and contract terms
  • Public information about tools in ELI’s catalog

Can never access

  • The content inside your tools — emails, messages, files, documents, code, tickets, calendars, customer records
  • Any workspace you don’t belong to
  • Your stored connector credentials (encrypted, never returned)
  • Your passwords or login credentials
  • Raw payment card numbers (held by Stripe, never by ELI)
Why “never”? A connected tool only ever exposes a fixed set of administrative facts to ELI — who has access, how many seats, and what it costs. Reading a message or opening a file is not one of the operations the connection can perform, so no prompt — however it’s phrased — can make it happen.

Administrative actions

One tool — and only one — can do more than read, and everything it does is administrative: it changes who has access, how many seats, and which licenses are active — never the data inside a tool. It runs a fixed, standardized list of operations, and nothing outside this list can ever be run:

Read operations

List users · list seats · view billing — see who has access, seat counts, and billing. Read-only.

Management operations

Add a user · deactivate a user · change a role · reduce seats · cancel a license — change access, roles, or licenses.
Every management operation is protected on multiple layers, enforced in the backend — not just in the prompt:

Only when you ask

Management operations run only when you explicitly request them. ELI never initiates a change on its own.

Permission-gated

They require tool-management permission on top of workspace membership. Without it, the action is refused.

Workspace-bound

A connection registered to one workspace is rejected if used from another. You can only act on tools in your own workspace.

Fully logged

Every action — successful or failed — is written to your activity log: who, what, and when.

How access is controlled

Authenticated every request

Each request authenticates with OAuth 2.0 or a Personal Access Token bound to ELI’s MCP server specifically. A token issued for anything else is rejected.

Short-lived & revocable

Access tokens expire hourly. Personal Access Tokens are stored only as a hash (we can’t recover them) and can be revoked instantly — effective on the next request.

Encrypted end to end

All traffic runs over HTTPS (TLS 1.2+). Data is encrypted at rest (AES-256); connector credentials are additionally sealed with AES-256-GCM.

Never used for training

Your data and prompts are never used to train or fine-tune any AI model, internal or external.

You stay in control

You decide what to connect, and you can cut off access at any time by revoking your token or disconnecting the MCP — it takes effect on the next request. For how ELI stores the credentials behind your connections, see Security.
Questions about how your data is handled, or want to review our controls in depth? Email security@techbible.ai.