Security & AI data

What stays local, what MCP transmits, and credential vault behavior.

Local-first credentials

Connection strings encrypt into Windows Credential Manager (AES-256-GCM). Nexoxa servers never receive your postgres://, ssh://, or s3:// secrets.

MCP context

MCP tools use saved connection names and schema metadata — not full URLs with embedded passwords.

AI Copilot

Copilot is BYOK. See full security page for what may be sent to AI providers.

Ask a question… Ctrl+I