CuratedMCP splits MCP governance into two layers: a control plane that manages policies, users, and audit logs — and a data plane where MCP servers and AI assistants actually run. Your data never leaves your infrastructure.
The separation of control plane and data plane is a proven pattern in enterprise infrastructure (Kubernetes, cloud platforms, service meshes). CuratedMCP applies the same pattern to MCP governance:
Runs on CuratedMCP infrastructure (curatedmcp.com). Manages policies, deployment configs, user access, and audit logs.
Stateless policy engine
Runs in your infrastructure (AWS, Azure, GCP, on-premises). Hosts MCP servers, AI assistants, and your internal APIs.
Stateful execution engine
You configure an approval policy in the CuratedMCP dashboard (e.g., "Only database servers can read production databases"). This policy is immediately pushed to all your data planes.
POST /sync-policies Content-Type: application/json Authorization: Bearer...
An engineer runs a tool in Claude or Cursor (running in your data plane). The MCP gateway checks the local policy cache and either allows, denies, or requires human approval.
✓ Tool execution (policy allows) ✗ Denied (policy rejects) 🔔 Approval needed (e.g., delete_user)
After execution, metadata (tool name, user, timestamp, status) is logged back to CuratedMCP for audit and compliance. Tool arguments and API responses are NOT logged to CuratedMCP.
tool: "query_database" user: "alice@example.com" timestamp: "2024-01-15T14:32:05Z" status: "success"
CuratedMCP is a governance and compliance layer, not a data proxy. Your MCP servers talk directly to your internal APIs and databases with your credentials. CuratedMCP never sees any actual data — only policy decisions and audit facts.
CuratedMCP hosts the MCP gateway for you. You give us a list of servers you approve. Engineers download a config and get access instantly. Audit logs stream back to your dashboard.
Deploy the MCP gateway as a Docker container inside your own AWS, Azure, or GCP account. The gateway enforces policies, runs servers, and logs metadata — all in your network. Only policy summaries sync back to CuratedMCP.
No sensitive data ever transits through CuratedMCP. Your CISO can audit exactly what we see.
Audit logs stay in your infrastructure by default. Export to CuratedMCP dashboard for analysis and SOC 2 reporting.
Change a policy in the dashboard, it syncs to all data planes in seconds. No deployments, no downtime.
Data planes can work offline. If CuratedMCP goes down, your MCP servers keep running with cached policies.
Add data planes for each region, team, or customer without re-architecting the control plane.
Self-hosted gateway means you can eventually run MCP governance entirely independently of CuratedMCP.
CuratedMCP hosts the MCP gateway. Engineers download a config. Policy decisions and audit logs flow through our infrastructure.
Deploy the gateway as a Docker container in your VPC. All tool execution and policy enforcement happens in your infrastructure. Metadata aggregation syncs back to CuratedMCP.
Data planes can operate entirely independently. CuratedMCP becomes optional for policy version control and compliance reporting, not required for execution.
Start with our hosted gateway, or request a briefing to discuss self-hosted deployment for your org.