How to Build a Dedicated SLA & Security Page for Managed MCP Offerings
Enterprise procurement teams will block your AI agent integrations without a dedicated SLA and security page. Compare managed MCP platform approaches - including Truto vs Arcade.dev - and get the blueprint to pass vendor risk assessments.
Your AI agent feature passed every internal review. Sales is closing six-figure contracts on the back of it. The champion loves your AI-powered product. The economic buyer signed off on the budget. The contract moves to procurement and IT security for final review—and then the deal stalls indefinitely for nine weeks.
The reason is almost always the same: you exposed Model Context Protocol (MCP) tooling to enterprise buyers without a public, versioned dedicated MCP integration reference documenting uptime, security posture, rate-limit behavior, and data retention guarantees.
Enterprise procurement teams will reject your contract before they ever open your pricing page if your AI agent integrations lack documented governance. When you sell to SMBs, a generic status page and a "best effort" support policy are usually enough to get by. Enterprise software procurement requires a completely different standard. IT buyers do not care about your marketing copy. They care about liability, vendor risk, and architectural guarantees.
This guide is the architectural blueprint senior PMs and engineering leaders need to build that dedicated SLA and security page. Whether your team is evaluating managed MCP platforms like Truto or Arcade.dev for AI agent integrations, the infrastructure choices you make directly determine which SLA commitments you can credibly publish. It is designed to be a single public URL your champion can paste into a procurement ticket and attach to a Master Service Agreement (MSA), structured to survive a 30-minute vendor risk assessment and a 90-minute architecture review.
Why Enterprise Procurement Blocks Undocumented MCP Servers
The shift from SMB to enterprise selling is structural. An SMB buyer reads a feature list to feel confident. An enterprise buyer reads a security datasheet to assign liability.
The base Model Context Protocol (MCP) specification was designed for capability, not compliance. It rapidly became the standard for connecting AI models to external data, solving the integration bottleneck by providing a universal JSON-RPC 2.0 interface. However, it defines how a client talks to a server, not how that server commits to 99.99% availability, how it logs every tool invocation for SOC 2 auditors, or what happens when an LLM hammers a tool past the upstream rate limit. Enterprise procurement treats those omissions as unsigned liability.
Financial regulators and enterprise IT teams flag the lack of formal SLAs and offline fallback in raw MCP as a major operational risk. The security record reinforces this skepticism. The number of exposed MCP servers has nearly tripled to 1,467, and these servers are becoming a vector for direct attacks against cloud infrastructure - attackers are now capable of compromising the cloud services that host them. Researchers analyzing more than 7,000 MCP servers found the same SSRF exposure might be latent in around 36.7% of all MCP servers on the Web today.
It gets worse for vendors who built fast and shipped MCP without governance. In June 2025, productivity giant Asana faced a serious MCP-related privacy breach. After launching a new MCP-powered feature in May, they discovered that a bug had caused some customer information to bleed into other customers' MCP instances. For two weeks, Asana pulled the MCP integration offline while security teams raced to patch the underlying vulnerability. Every enterprise CISO has read that incident report. They will not approve another vendor's MCP server without the artifact they wish Asana had published first.
Unmanaged or local MCP servers create massive security vulnerabilities through credential sprawl and lack of centralized audit trails. Over 1,000 exposed MCP servers have been discovered in the wild, prompting a massive push toward managed MCP solutions with unified authentication and identity management.
If your sales team is pitching AI agents that connect to enterprise SaaS platforms, procurement will ask three core questions:
- Who holds the credentials and how are they secured?
- Where is the data cached during transit?
- What happens when the upstream API goes down or rate limits are hit?
If your answer is a disorganized GitHub README or a generic terms-of-service document, the deal dies. You must document your managed MCP security posture explicitly. For a deeper dive into evaluating this infrastructure, see our 2026 MCP Buyer's Checklist.
graph TD
A[Vendor Risk Assessment] --> B{Does the vendor use MCP?}
B -- Yes --> C[Check MCP Security Page]
B -- No --> D[Standard API Review]
C --> E[Verify Auth & RBAC]
C --> F[Verify Data Retention]
C --> G[Verify Rate Limit Handling]
E --> H{Passes?}
F --> H
G --> H
H -- Yes --> I[Approve Deal]
H -- No --> J[Block Deal]The Core Components of a Managed MCP Security Page
A dedicated SLA and security page must act as a standalone artifact that procurement officers can attach to an MSA. It follows the same blueprint as your enterprise SLA & support page, narrowed to MCP-specific risks.
Procurement teams scan SLA pages for specific structural sections. Missing any of these triggers a follow-up questionnaire that adds weeks to the cycle.
The required sections:
- Service availability targets: Document your target uptime (e.g., 99.99%) with the exact measurement window and exclusions (planned maintenance, force majeure, upstream provider outages). Distinguish between the uptime of your managed MCP infrastructure and the third-party APIs you connect to.
- Latency commitments: AI agent workflows are highly sensitive to latency. Document your P50, P95, and P99 latency targets for both
tools/listdiscovery andtools/callexecution. - Authentication architecture: Describe token format, scope, expiration, hashing, and secondary auth requirements.
- Rate limit and error pass-through semantics: Detail the exact HTTP status codes and headers returned.
- Data retention and processing scope: This is the single most critical section. Explicitly state your zero data retention policy, detailing which payloads are stored (none), for how long, and in what region.
- Compliance certifications: List SOC 2 Type II, ISO 27001, GDPR, and HIPAA compliance where applicable, with audit report availability under NDA.
- Incident response and notification SLAs: Define breach notification windows.
- Service credits and remedies: Quantify exactly how service credits are calculated as a percentage of monthly fees per missed SLA tier.
- Change management and deprecation policy: Provide minimum notice periods for breaking changes.
Publish each section as a stable HTML anchor (#availability, #authentication, #rate-limits). Procurement officers deep-link to these in MSA exhibits. If your page rearranges sections every quarter, you break their templates and reintroduce the questionnaire round trip.
The single fastest way to fail an MCP security review is to leave the rate-limit and retention sections vague. Both are direct attack vectors for the auditor's risk model. State the exact behavior, not aspirations.
Documenting Authentication, RBAC, and Token Management
The authentication section is where most MCP vendor pages collapse under scrutiny. Generic phrases like "enterprise-grade authentication" mean nothing to a security architect. They want strict context governance, role-based access control (RBAC), auditability, and token lifecycle specifics.
Document these mechanics explicitly:
1. Token Format and Hashing
State that raw tokens are never stored at rest. The MCP server URL contains a cryptographic token, but hashing the token (e.g., HMAC with a server-side signing key) before storage in distributed edge storage means a database compromise does not leak working credentials. Tokens should be returned to the caller exactly once at creation time.
2. Token Scoping and Tenant Isolation
Explain that MCP servers are not global endpoints. Each MCP server URL should be dynamically generated and strictly bound to a single tenant or connected account, rather than a global service identity. This matches how multi-tenant MCP servers should be architected and is the structural fix to the cross-tenant bleed scenario observed in major breaches. When a token is bound to a specific tenant connection, it is impossible for an agent to accidentally query data belonging to another organization.
3. Documentation-Driven Tool Filtering
Enterprise security teams hate "wildcard" API access. Document that operators can constrain a server to read-only methods (get, list), specific resource tags, or named methods. Rather than exposing every possible API endpoint, tools should only be generated if they have explicit documentation records. A finance team's MCP server should be structurally incapable of calling delete_invoice if the policy says read-only. For more on this pattern, see our auto-generated MCP tools architecture guide.
4. Secondary Authentication Layers
By default, an MCP server URL acts as a bearer token. Address the procurement question, "What happens if the MCP URL leaks into a log file?" by offering an optional layer requiring a Bearer API token in the Authorization header in addition to URL possession. This ensures only authenticated systems within your VPC can invoke tools.
5. TTL and Expiration Enforcement
Tokens must support a configurable expires_at. Enforcement must happen at multiple layers: the edge lookup store automatically evicting the token, scheduled background tasks permanently purging configuration records, and request-time validation. There can be no stale credentials left floating in the system.
The OWASP MCP Top 10 explicitly flags hard-coded credentials, long-lived tokens, and secrets stored in model memory or protocol logs as exposing sensitive environments to unauthorized access. Your security page should pre-empt that concern with one paragraph per bullet.
Actionable Advice for PMs: Include a sample JSON payload on your security page showing how MCP servers are provisioned with strict method filtering (e.g., read-only access) and TTL expirations.
{
"name": "Support-Team-Read-Only-MCP",
"config": {
"methods": ["read"],
"tags": ["tickets", "users"],
"require_api_token_auth": true
},
"expires_at": "2026-12-31T23:59:59Z"
}Defining Rate Limits, Retries, and Error Handling
This section will be read twice: once by the security team evaluating vendor risk, and once by the customer's platform engineering team. Both need the same answer in different framings.
Many integration platforms attempt to mask upstream rate limits by implementing silent, automatic retries with exponential backoff. While this sounds helpful in marketing copy, it is an architectural nightmare for enterprise systems. Hiding HTTP 429s behind exponential backoff feels helpful until you realize the LLM has now generated 40 redundant tool calls in a 60-second window, each one taking 30 seconds to fail, while the agent loop happily "waits." Silent retries tie up connection pools, cause unpredictable latency spikes, and turn one rate-limit event into a cascading outage.
The Pass-Through Rate Limit Philosophy
Your security page should clearly state your rate limit philosophy. The honest engineering position is a radically transparent approach: do not retry, throttle, or apply backoff on rate limit errors.
When an upstream API (like Salesforce or HubSpot) returns an HTTP 429 Too Many Requests error, your platform should pass that error directly to the caller unchanged. This ensures your AI agents have accurate, real-time visibility into the state of the upstream system.
Standardized IETF Rate Limit Headers
To make this actionable for developers, document how you normalize rate limit information. Normalize upstream rate limit data into standardized headers per the IETF draft specification:
HTTP/1.1 429 Too Many Requests
ratelimit-limit: 100
ratelimit-remaining: 0
ratelimit-reset: 47
retry-after: 47State this contract explicitly on the page:
Rate limits. Upstream 4xx and 5xx responses are returned to the caller without retry or transformation. Rate-limit metadata is exposed via standardized
ratelimit-*andretry-afterresponse headers. Clients are responsible for implementing backoff, circuit breakers, and idempotent retry logic appropriate to their workload.
By documenting this explicit contract, you prove to enterprise architects that your platform is designed for deterministic, observable behavior rather than opaque "magic." For more details, read our guide on handling API rate limits across third-party APIs.
Zero Data Retention and Compliance Guarantees
The fastest way to fail an enterprise security review is to admit that you store third-party SaaS data in an intermediate database before passing it to an LLM. Enterprise buyers are terrified of AI data leakage. Your SLA and security page must include a prominent section detailing your data retention architecture.
The answer pattern that wins reviews: MCP tool calls execute through a stateless proxy. Request and response payloads are not persisted. Only operational metadata (request IDs, timestamps, status codes, latency) is retained for observability and billing.
The Proxy Execution Model
This is only credible if the architecture actually supports it. A proxy-based MCP gateway pulls credentials, forwards the request to the upstream integration, streams the response back, and discards the payload. The query and body parameters correspond to the integration's actual API format. There is no intermediate unified model mapping layer caching HubSpot contact records or NetSuite invoice line items. The data passes through the infrastructure in memory, is returned to the MCP client, and is immediately discarded.
Documenting this flow is critical for passing GDPR and SOC 2 audits. It proves that you are acting strictly as a data processor and transport layer, not a data store.
Ephemeral Edge Storage for Tokens
While payloads are not stored, you must be transparent about what is stored. Document that MCP tokens and configuration metadata are stored in distributed edge storage for fast validation. Emphasize that this storage is ephemeral. Truto enforces MCP server expiration at multiple layers. When an expires_at timestamp is reached, the edge storage automatically evicts the token, and scheduled background tasks permanently purge the configuration records from the database. There are no stale credentials left floating in the system.
Document these specifics:
- Payload retention: Zero, with an explicit list of fields that are retained (timestamps, integration name, HTTP method, status code, latency).
- Credential storage: OAuth refresh tokens encrypted at rest; access tokens refreshed shortly before expiry and never logged.
- Region pinning: Data plane region selectable at the tenant level (e.g., EU vs. US hosting) for residency compliance.
- Sub-processors: A public list, updated when it changes, with notification SLAs.
- Audit logs: Retention period, export format, and SIEM integration capability.
For a comprehensive look at building compliant systems, review our documentation on Zero Data Retention MCP Servers.
sequenceDiagram
participant Agent as AI Agent<br>(Claude / ChatGPT)
participant MCP as Managed MCP Gateway
participant Upstream as Upstream SaaS API
Agent->>MCP: tools/call (hashed token)
MCP->>MCP: Validate token, scope, TTL
MCP->>Upstream: Authenticated request<br>(payload not stored)
Upstream-->>MCP: Response or 429<br>+ rate-limit headers
MCP-->>Agent: Pass-through response<br>+ normalized headers
Note over MCP: Only metadata retained:<br>timestamp, status, latencyZero Data Retention with LLM Providers: The Other Half of the Equation
A managed MCP gateway can promise zero payload retention for the leg between your infrastructure and the upstream SaaS API. But agents send prompts, tool call arguments, and tool responses to an LLM provider on the other side of that call. If OpenAI or Anthropic stores that traffic under default retention, your MCP-level zero data retention guarantee does not carry end-to-end. Procurement will catch this gap. Address it explicitly on your security page.
What ZDR Means at the LLM Provider Layer
Provider-side ZDR is not a default setting on either major platform. Both OpenAI and Anthropic operate default retention windows for the API and offer ZDR only under a specific contractual arrangement.
OpenAI. By default, abuse monitoring logs may contain customer content, such as prompts and responses, and are retained for up to 30 days unless legally required to retain them longer. Eligible customers may have their customer content excluded from these abuse monitoring logs by getting approved for the Zero Data Retention or Modified Abuse Monitoring controls, subject to prior approval by OpenAI and acceptance of additional requirements. Enabling ZDR also changes endpoint behavior: the store parameter for /v1/responses and v1/chat/completions will always be treated as false, even if the request attempts to set the value to true. Some endpoints (fine-tuning, Assistants, file uploads) may still store application state, even if Zero Data Retention is enabled.
Anthropic. For the Claude API, standard API log retention was reduced from 30 days to just 7 days, and data is never used for training as of September 14, 2025. ZDR is a per-organization arrangement subject to approval, under which customer data is not stored at rest after the API response is returned, except where needed to comply with law or combat misuse. Even under ZDR, Anthropic still retains User Safety classifier results in order to enforce their Usage Policy, and if a session is flagged for a policy violation, Anthropic may retain the associated inputs and outputs for up to 2 years. ZDR covers direct Anthropic API traffic and Claude Code on Enterprise plans; for Claude deployments on Amazon Bedrock, Google Vertex AI, or Microsoft Foundry, refer to those platforms' data retention policies.
Two things procurement will always double-check:
- ZDR is not the same as no-training. On OpenAI, excluding your data from model training is a setting available on all enterprise accounts, independent of whether you have ZDR - training exclusion and data retention are two separate controls. A no-training clause does not imply data is not stored.
- ZDR does not cover every endpoint. Not every API surface falls under ZDR - image generation, fine-tuning, and file upload endpoints can have different retention rules than chat completions. If your MCP-powered agents use these endpoints, list them explicitly on the security page and describe what is retained where.
Sample Contractual and DPA Language Customers Can Request
Enterprise customers frequently ask what language to put in their MSA or DPA to bind end-to-end ZDR. The clauses below are drafting starting points, not legal advice - route them through counsel before signing. Structure them as a rider to the DPA that names each processor in the chain (your platform, the managed MCP gateway, and the LLM provider).
Clause 1 - Vendor obligation on payload retention:
Vendor shall not persist Customer Content transmitted through the MCP tool-call path, including request payloads, response payloads, and tool arguments. Vendor may retain only operational metadata (timestamps, request identifiers, HTTP status codes, and latency measurements) required for billing, observability, and incident response. All Customer Content shall be processed in memory and discarded upon completion of the tool invocation.
Clause 2 - Subprocessor flow-through:
Where Vendor uses a Subprocessor to provide model inference (including but not limited to OpenAI, Anthropic, Google, or AWS Bedrock), Vendor shall configure such Subprocessor with a Zero Data Retention arrangement covering all endpoints used to process Customer Content. Vendor shall provide, on Customer request, written evidence of ZDR enrollment at each Subprocessor, including account identifiers and covered endpoints.
Clause 3 - Change notification:
Vendor shall notify Customer in writing at least thirty (30) days prior to (a) adding a new Subprocessor to the model inference chain, or (b) modifying the ZDR status of any existing Subprocessor. Customer shall have the right to terminate the affected services without penalty if such change materially increases retention.
Clause 4 - Region and residency:
Vendor shall route all Customer Content through inference endpoints located in Customer's designated processing region (EU, US, or APAC). Fallback to a non-designated region requires Customer's prior written consent, except where required to maintain service availability during a regional outage.
Attach the OpenAI and Anthropic ZDR confirmation records (or their public policy links) as exhibits. Procurement treats this attachment as the "proof" that the SLA page claims are real.
Shared Responsibility Map
End-to-end ZDR is a chain. Break any link and the guarantee fails. Publish this split on the security page so procurement can see exactly which layer your platform controls and which layer requires customer action.
flowchart LR
A["AI Agent Runtime<br>(Claude Desktop, Cursor, custom app)"] --> B["LLM Provider<br>(OpenAI / Anthropic API)"]
A --> C["Managed MCP Gateway"]
C --> D["Upstream SaaS API<br>(Salesforce, HubSpot, ...)"]
subgraph cust ["Customer configures"]
A
B
end
subgraph vend ["Vendor enforces"]
C
end
subgraph ext ["Third-party retention policy"]
D
end| Layer | Controlled by | Responsibility |
|---|---|---|
| AI agent runtime (Claude Desktop, Cursor, custom LangChain app) | Customer | Choose a ZDR-eligible model tier; avoid logging prompts client-side; sanitize inputs before sending. |
| LLM provider inference (OpenAI API, Anthropic Claude API) | Customer contract with provider | Enable ZDR at the account/org level; enroll in the correct endpoint set; keep proof of enrollment. |
| Managed MCP gateway (Truto or equivalent) | Vendor | Do not persist request/response payloads; expose only operational metadata; scope tokens per tenant. |
| Credential storage | Vendor | Encrypt OAuth refresh tokens at rest; hash MCP tokens; refresh access tokens shortly before expiry without logging. |
| Upstream SaaS API (Salesforce, HubSpot, etc.) | SaaS vendor | Governed by the SaaS vendor's own retention policy - outside the MCP gateway's control. |
| Audit and observability | Shared | Metadata-only logs on the gateway; agent-side logs sanitized before ingestion into SIEM. |
The gateway can enforce its half of the map by architecture (stateless proxy, in-memory forwarding, encrypted token store). The LLM provider half is a contractual configuration that customers must actively enable. Do not let procurement conflate the two.
Customer checklist for end-to-end ZDR:
- MCP gateway contract includes zero-retention clause for tool call payloads
- LLM provider ZDR enabled at the organization level with written confirmation
- Endpoint coverage verified against the provider's ZDR eligibility table (chat completions, responses, embeddings, etc.)
- Agent framework not logging prompts locally or to external observability tools
- SIEM ingestion filters exclude prompt and response bodies; retain only metadata
- Sub-processor list reviewed; each processor's ZDR posture confirmed in writing
- Region pinning configured at the MCP gateway and the LLM provider
- DPA rider signed covering all links in the chain, with 30-day change notification
How to Verify Provider-Side ZDR
"We have ZDR" is a claim, not evidence. Auditors want artifacts. Point customers to the specific places they can independently confirm ZDR is live at each layer:
- OpenAI. Once an organization is approved, a Data Retention tab appears within Settings → Organization → Data controls. Screenshot the tab showing ZDR enabled and attach it to the audit binder. Cross-reference the endpoint eligibility table in OpenAI's platform documentation to confirm the endpoints your agents actually call are covered - endpoints marked as not ZDR-eligible may still store application state even when ZDR is enabled.
- Anthropic. Claude Platform users can confirm that ZDR is applied to their account under Settings > Privacy Controls > Data retention period. Zero data retention requests are reviewed and applied on a per-organization basis, so if you have multiple organizations, verify each one separately. Export the DPA and the ZDR arrangement letter for the compliance file.
- Managed MCP gateway. Ask the vendor for a metadata-only log sample from a real tool invocation. If the sample includes any request body content, the vendor's "no payload retention" claim is not actually enforced. A gateway operating a genuine proxy model retains only request IDs, timestamps, HTTP methods, status codes, latency, and integration identifiers.
- Trust portal artifacts. OpenAI publishes SOC 2 Type 2 attestation and HIPAA BAA availability on its Trust Portal. Anthropic publishes equivalent artifacts on its Trust Center. Pull the latest reports, confirm the audit period covers your contract term, and attach to the MSA.
- Pen test the assumption. During a controlled test, send a distinctive, unique canary string through the full agent → MCP → LLM path. Wait 24 hours. Contact the provider's support and ask whether that string exists in any log or storage tied to your organization. A genuine ZDR configuration returns nothing.
Document this verification workflow directly on your SLA page. Enterprise buyers will not run these checks themselves during procurement, but linking to the exact settings pages and eligibility tables signals that you have done the work and expect them to audit.
Structuring the Page for Vendor Risk Assessments (VRAs)
Procurement officers do not want to read a novel, and they do not read top-to-bottom. They Ctrl-F for the words their internal risk assessment tools use. Structure your dedicated SLA & security page using the following exact hierarchy, mirroring the standard SIG Lite questionnaire flow, so those searches succeed on the first try.
Recommended Page Outline
| Section | Anchor | What Procurement Extracts |
|---|---|---|
| Executive Summary | #summary |
A two-sentence statement confirming commitment to enterprise security, zero data retention, and MCP compliance. |
| Service Availability | #uptime |
Monthly target uptime % (e.g., 99.99%), measurement methodology, exclusions. |
| Performance SLOs | #latency |
P95/P99 latency for tool discovery and execution. |
| Authentication | #auth |
Token hashing at rest, scoping, expiration, secondary auth (require_api_token_auth). |
| Authorization & RBAC | #rbac |
Role mapping, scope/method filtering (read vs. write), audit trail. |
| Rate Limits & Errors | #rate-limits |
Explicit pass-through behavior for HTTP 429 errors, standardized ratelimit-* headers. |
| Data Retention | #retention |
"Zero Data Retention" payload policy, operational log retention, region pinning. |
| LLM Provider ZDR | #llm-zdr |
Shared responsibility map, subprocessor ZDR status, verification steps. |
| Compliance | #compliance |
SOC 2 Type II, ISO 27001, GDPR DPA link, HIPAA status. |
| Incident Response | #incidents |
Notification SLA, status page, postmortem policy. |
| Service Credits | #credits |
Service credit calculation matrix per missed SLA tier. |
| Change Management | #changes |
Deprecation notice period, breaking change policy. |
End with a downloadable PDF version under NDA that includes the SOC 2 Type II report and pen test summary. The PDF is what gets attached to the MSA. The HTML page is what your champion forwards before the procurement call.
Version the page in the footer (e.g., Last updated: 2026-05-15 · v3.2). Procurement teams compare versions during renewal cycles. A page that has not changed in 18 months reads as either stable or abandoned. Frequent updates with a visible changelog read as a vendor under active security investment.
Truto vs Arcade.dev: How Platform Architecture Shapes Your SLA Commitments
When teams evaluate managed MCP server platforms for enterprise AI agent integrations, the platform's architecture directly dictates what you can promise on your SLA page. This is not an abstract comparison - it determines whether your procurement artifact holds up under scrutiny.
Arcade.dev positions itself as an MCP runtime built around per-user OAuth delegation. Its core thesis is that authorization is the hardest problem in agentic AI. Arcade manages OAuth 2.0 flows so agents can act on behalf of specific users, and co-authored the URL Elicitation SEP with Anthropic - a genuine contribution that standardizes how MCP servers trigger browser-based OAuth flows from within an agent conversation. This makes Arcade a strong fit for user-in-the-loop consumer applications and internal productivity tools where the end user is actively present. Arcade lists around 112 first-party OAuth providers and charges usage-based pricing with separate rates for "standard" and "pro" tool executions.
Truto starts from the opposite premise: the hardest problem is data normalization across hundreds of SaaS APIs with zero integration-specific code. MCP tools are auto-generated from integration documentation at runtime, rate limits are passed through transparently with IETF-standard headers, and API payloads never touch persistent storage. Each MCP server is cryptographically scoped to a single tenant connection with configurable method filtering, tag-based grouping, and TTL-based expiration.
The SLA page implications are concrete:
| SLA Section | Arcade.dev Implications | Truto Implications |
|---|---|---|
| Data Retention | Platform-managed credential and token storage; audit trail specifics vary by tier | Zero data retention for API payloads; only operational metadata retained |
| Rate Limit Behavior | Runtime provides automatic failover for rate limits and transient errors | Pass-through: upstream 429s returned immediately with standardized ratelimit-* headers |
| Authentication | Per-user OAuth delegation with URL Elicitation | Per-tenant cryptographic token with optional secondary Bearer token auth |
| Tool Scoping | Per-toolkit granularity | Method filtering (read/write/custom) + tag-based groups + TTL expiration |
| Pricing Predictability | Usage-based with separate "standard" ($0.01) and "pro" ($0.50) tool call rates, plus per-challenge fees | Contact for current pricing |
| Integration Coverage | ~112 first-party OAuth providers; community servers for broader coverage | 100+ integrations with zero integration-specific code; tools auto-generated from documentation |
If your agents operate autonomously in B2B SaaS workflows - syncing CRM data, running compliance audits, managing ticketing pipelines - the zero-retention, pass-through architecture lets you write stronger SLA commitments because there is less to defend. If your primary use case is user-present, consumer-facing agent interactions where per-user OAuth delegation is non-negotiable, Arcade's authorization-first model deserves evaluation.
For a full architectural comparison covering tool generation, rate-limit handling, and security models in depth, see our Truto vs Arcade.dev deep dive.
Enterprise Case Study: Multi-CRM Agent Workflow Under Rate-Limit Pressure
Abstract SLA commitments mean nothing without production evidence. Here is a representative scenario illustrating how managed MCP infrastructure behaves under real-world conditions - rate-limit handling, latency, and TTL enforcement.
Scenario: A compliance automation platform deploys AI agents that audit contact records across three CRMs (Salesforce, HubSpot, and Pipedrive) for a financial services client. The agent runs nightly, pulling contact lists to verify data completeness against regulatory requirements. The MCP server is provisioned with read-only access (methods: ["read"]) and a 30-day TTL tied to the audit engagement period.
Rate-limit event at 2:14 AM:
The agent's Salesforce connection hits a 429 after listing 4,800 contacts in rapid succession. With transparent rate-limit pass-through, the agent receives the error immediately - not after a hidden 60-second retry cycle - along with normalized headers:
HTTP/1.1 429 Too Many Requests
ratelimit-limit: 5000
ratelimit-remaining: 0
ratelimit-reset: 38
retry-after: 38The agent framework reads ratelimit-reset: 38, logs the event, and pivots to auditing HubSpot contacts while the Salesforce rate window resets. Total time lost to the rate-limit event: zero. With an automatic-retry platform, the same event would have frozen the agent's context for 38 seconds with no explanation, potentially triggering a framework-level timeout and aborting the entire audit run.
Latency profile:
For this type of workflow, representative production latency breaks down as:
| Metric | tools/list (discovery) |
tools/call (execution) |
|---|---|---|
| P50 | ~45 ms | ~180 ms |
| P95 | ~95 ms | ~420 ms |
| P99 | ~150 ms | ~850 ms |
The managed MCP gateway overhead (token validation, scope checks, header normalization) accounts for low single-digit milliseconds per request. The dominant latency factor is the upstream CRM API response time, which varies by provider and query complexity. A list call returning 100 Salesforce contacts will inherently take longer than a get call for a single HubSpot deal. Your SLA page should commit to the overhead your platform adds, not to end-to-end latency controlled by a third party.
TTL enforcement at day 30:
When the audit engagement ends, the MCP server's expires_at timestamp triggers cleanup at three layers simultaneously: the edge token lookup automatically stops returning the credential, a scheduled background task permanently deletes the configuration record from the database, and any subsequent tool calls fail immediately with an authentication error. The compliance team's auditor can confirm in their report that access was automatically terminated - no manual intervention, no stale credentials lingering in distributed storage.
This is the kind of production behavior your SLA page must describe. Generic uptime percentages are necessary but insufficient. Procurement teams want to know what happens at 2:14 AM when the rate limit hits, and whether expired tokens are cleaned up or forgotten.
Performance Benchmarks and Best Practices for Production MCP
When documenting performance SLOs on your SLA page, ground your targets in real MCP server behavior rather than aspirational numbers.
What drives MCP tool call latency:
Managed MCP gateway overhead on cache-hit paths (token lookup, RBAC check, scope validation) typically adds only a few milliseconds per request. Against the surrounding LLM inference call (hundreds of milliseconds to seconds) and the upstream API response, gateway overhead is rarely the bottleneck. General-purpose tools/call latency is dominated by three factors:
- Upstream API response time - the largest variable, ranging from 50ms to 2s+ depending on provider, payload size, and query complexity
- Authentication overhead - token hashing and edge lookup, typically low single-digit milliseconds
- Schema generation for
tools/list- dependent on the number of tools exposed; auto-generated tool lists that reflect live schemas may be marginally slower than static catalogs, but they eliminate the stale-schema problem
Best practices for SLA page performance commitments:
- Separate your infrastructure latency from upstream latency. Commit to the overhead your platform adds, not end-to-end numbers you cannot control. A statement like "Platform overhead P99 < 50ms; end-to-end latency depends on the upstream provider" is honest and defensible.
- Instrument
tools/listseparately fromtools/call. Discovery requests and execution requests have very different profiles. Document both. - Publish rate-limit response time, not just rate-limit policy. Enterprise teams care about how fast a 429 is surfaced. If your platform passes rate-limit errors through immediately, quantify "immediately" (sub-100ms including header normalization). If it retries, state the maximum retry window.
- Report latency at P95 and P99, not just averages. P50 numbers look good in marketing. P99 numbers predict the worst experience your most active customers will have. Procurement teams increasingly ask for P99 specifically.
Deployment Options, Security, and Procurement Checklist
Before finalizing your SLA page, align it with the deployment model and security posture your enterprise customers actually require. Different managed MCP platforms offer different options, and procurement teams will probe these specifics.
Deployment Models
| Model | Description | Compliance Implications |
|---|---|---|
| Managed cloud | Vendor hosts the MCP infrastructure; you receive a URL | Simplest to operate; requires vendor SOC 2 + DPA in place |
| VPC deployment | Vendor infrastructure runs in your cloud account | Data never leaves your network; higher operational burden |
| On-premises | Self-hosted within your data center | Maximum control; requires internal team to manage, patch, and monitor |
Most B2B SaaS companies building AI agent features will start with managed cloud. VPC and on-premises options matter for regulated industries (healthcare, financial services) where data residency is a contractual requirement, not a preference.
Procurement Questions to Ask Any MCP Platform Vendor
Use these questions during vendor evaluation to stress-test the claims on any SLA page - whether you are comparing Truto, Arcade.dev, or another managed MCP platform:
- Pricing model: Is pricing usage-based (per tool call), per connection, or flat-rate? Are there separate tiers for different tool types? Unpredictable pricing models are a procurement red flag - some platforms charge different rates for "standard" vs "pro" tool executions, which makes cost forecasting difficult at scale.
- Data residency: Can the data plane be pinned to a specific region (EU, US, APAC)? Is this configurable per tenant or only at the account level?
- Audit log export: Can logs be streamed to your SIEM? What format (JSON, CEF)? What retention period?
- Credential management: Who holds the OAuth refresh tokens? Are they encrypted at rest? How are access tokens refreshed - on a schedule or just-in-time?
- Incident response: What is the breach notification window? Is there a public status page? What is the postmortem commitment?
- Integration coverage: How many first-party integrations exist vs. community-maintained servers? Community servers have variable quality and maintenance timelines.
- Lock-in and portability: If you switch platforms, can you export your integration configurations, or do you rebuild from scratch?
- Rate-limit transparency: Does the platform absorb upstream rate-limit errors, or pass them through? If it absorbs them, what is the maximum retry window, and how does that affect agent context and reasoning?
- TTL and access revocation: Can MCP server access be time-limited? When access expires, is cleanup immediate and multi-layered (edge storage, database, audit log), or does it depend on a single mechanism?
- Compliance certifications: SOC 2 Type II, ISO 27001, GDPR DPA, HIPAA BAA - which are current, and are audit reports available under NDA?
- LLM subprocessor ZDR: Does the platform document its LLM subprocessor list, and can it show written evidence of ZDR enrollment at each subprocessor (OpenAI, Anthropic, or equivalent)?
Bring this checklist to the procurement call and cross-reference the vendor's SLA page against their live answers. Discrepancies between the two are the highest-signal risk indicator you will find.
The Final Review and Sales Motion
The SLA & security page is not a marketing exercise. It is the second-most-trafficked page in your enterprise sales cycle, after pricing. Treat it as product surface area: owned by a PM, reviewed quarterly by security and legal, and instrumented for which sections cause drop-off in deal cycles.
Before publishing this page, run it past your own engineering and legal teams. Every commitment on this page is a legal liability. Do not promise automated retries if your system does not support them. Do not promise 100% uptime when you rely on third-party APIs that regularly go down. Radical honesty about system boundaries, rate limits, and error handling builds far more trust with enterprise architects than impossible guarantees.
If you are still building MCP servers for AI agents and working toward this, take these three concrete next moves:
- Audit your current MCP implementation against the section list above. Anything you cannot answer in one paragraph today is a deal blocker waiting to happen.
- Publish the page even if some sections start as "in progress." A versioned commitment to ship by Q3 is worth more than silence.
- If your MCP infrastructure cannot back the commitments (per-tenant token scoping, zero retention, pass-through rate limits, signed audit logs), the gap is architectural, not editorial. Fix it before you publish, or pick a managed MCP platform that already encodes those guarantees so you can ship the page next quarter instead of next year.
Stop letting your six-figure AI deals die in procurement. Build the artifact they need, prove your architectural rigor, and close the contract.
FAQ
- Why do enterprise procurement teams block MCP server integrations?
- Enterprise procurement teams assign liability based on documented security posture. The base MCP specification defines how clients talk to servers but says nothing about uptime commitments, audit logging, rate-limit handling, or data retention. Without a dedicated SLA and security page addressing these gaps, procurement treats your MCP integration as unsigned liability and blocks the deal.
- What is the difference between Truto and Arcade.dev for MCP server AI agent integrations?
- Arcade.dev is an MCP runtime focused on per-user OAuth delegation and authorization-first design, making it strong for user-in-the-loop consumer applications. Truto is a unified API engine that auto-generates MCP tools from integration documentation with zero data retention and transparent rate-limit pass-through, making it a better fit for autonomous B2B agent workflows and strict enterprise compliance requirements. The two platforms solve fundamentally different problems.
- What should an enterprise MCP security page include?
- At minimum: service availability targets with measurement methodology, P95/P99 latency SLOs for tool discovery and execution, authentication architecture (token hashing, scoping, expiration), rate-limit pass-through behavior, zero data retention policy, compliance certifications (SOC 2, ISO 27001, GDPR, HIPAA), incident response SLAs, service credit calculations, and change management policies. Each section should have a stable HTML anchor for deep-linking into MSA exhibits.
- How should managed MCP platforms handle upstream API rate limits?
- The most defensible approach for enterprise deployments is transparent pass-through: when an upstream API returns HTTP 429, the platform passes that error directly to the caller with normalized IETF-standard ratelimit-* headers. This lets the AI agent reason about backoff, switch tasks, or inform users. Automatic silent retries destroy agent context and cause unpredictable latency spikes.
- What procurement questions should teams ask when evaluating MCP platform vendors?
- Key questions include: Is pricing usage-based or flat-rate? Can the data plane be pinned to a specific region? Are audit logs exportable to a SIEM? Who holds OAuth refresh tokens and how are they encrypted? Does the platform absorb or pass through rate-limit errors? Can MCP server access be time-limited with automatic multi-layer cleanup? Which compliance certifications (SOC 2 Type II, ISO 27001, GDPR DPA) are current?