Security by architecture.

Exagomatica is a local MCP server. It runs on the user’s own computer and talks to Claude Desktop over stdio — there is no Exagomatica cloud in the data path. Your Power BI queries and Azure DevOps data are processed locally and are not sent to, or stored on, our servers.

You sign in with the same Azure AD / Entra ID account you already use, and multi-factor authentication is fully supported. Exagomatica acts as you: it can only see the data you are already authorised to access, and row-level security and every other access control your organisation has configured are always enforced.

Exagomatica reads from your data sources to answer questions; it does not modify them. Data-definition and destructive operations (DDL) are blocked, so a question can never turn into a schema change or a delete.

Credentials are held in an encrypted local store, not in plaintext config. Exagomatica ships with no usage telemetry — it does not phone home with what you ask or what your data contains.

The site is served only over HTTPS and sends HSTS so browsers refuse to downgrade to HTTP. A strict Content Security Policy plus X-Content-Type-Options, a constrained Referrer-Policy, and a Permissions-Policy that denies camera, microphone, and geolocation harden every page against common web attacks.

When you become a customer, sign-in is handled by Clerk and billing by Paddle, our merchant of record — so card data is processed by a PCI-compliant provider and never touches our own systems. See our privacy notice for how we handle personal data.

If you believe you have found a security issue, we want to hear from you. Email hello@exagomatica.com with the details and we will respond promptly. Please give us a reasonable chance to investigate and remediate before any public disclosure.