Context7 takes security and privacy seriously. This page outlines our security practices, data handling, and compliance measures.

Highlights

  • Your original prompts stay with your AI assistant; Context7 only receives search queries formulated by the MCP client, which is instructed to strip sensitive data before sending
  • Documentation is indexed inside SOC 2 compliant infrastructure operated by Upstash
  • API keys are encrypted, rate limited, and easy to rotate from your dashboard
  • Enterprise customers can enable SSO (SAML, OAuth, OIDC) and receive dedicated audit trails
  • The Context7 Addendum, Upstash Terms and Privacy Policy apply to all users; see trust.upstash.com for full infrastructure compliance details and certifications

Privacy-First Architecture

Query Privacy

Your original prompts and code stay with your AI assistant. When you use Context7 through an MCP client, the AI assistant (not the user directly) formulates search queries to retrieve relevant documentation. Here is what happens:
  1. Your prompt is processed locally by your AI assistant (e.g., Cursor, Claude Code)
  2. The AI assistant formulates a search query and library name based on your request
  3. Only these formulated queries are sent to the Context7 API — your full prompt, source code, and conversation history are never transmitted
  4. The MCP tool descriptions explicitly instruct the AI assistant to strip sensitive information (API keys, passwords, credentials, personal data, and proprietary code) from queries before sending
What is sent to the Context7 API:
  • query — a search query formulated by the MCP client (not your original prompt)
  • libraryName or libraryId — the library to look up
  • API key (if provided, for authentication)
  • MCP client name and version (e.g., IDE info, for analytics)
  • Transport type (stdio or http)
  • Client IP address, encrypted with AES-256-CBC (HTTP transport only, for rate limiting)
The MCP client formulates search queries on your behalf and is instructed not to include sensitive or confidential information. Your full prompts, code, and conversation context remain with your AI assistant and are never sent to Context7.

Use of MCP Queries

The search queries formulated by the MCP client (not your original prompts) are used server-side in two ways:

Documentation Reranking

MCP-formulated queries are passed to LLMs to rerank and select the most relevant documentation for your request. Context7 uses well-known, trusted LLM providers for this purpose — including OpenAI, Google Gemini, and Anthropic.

Benchmarking and Quality Improvement

MCP-formulated queries are anonymously stored and used to benchmark retrieval accuracy and improve the documentation matching pipeline over time.

Enterprise Controls

  • On-premise Enterprise plans can use their own LLM provider for code extraction and private library ranking
  • On-premise Enterprise plans can disable public documentation usage, limiting context retrieval to privately indexed documentation only
  • Enterprise plans can disable query storage for benchmarking — however, this may affect the quality of context retrieval over time
Contact our sales team at context7.com for Enterprise and on-premise plan details.

Customizing What Is Shared

The Context7 MCP server is open source. If you want full control over what is sent as the query parameter, you can:
  1. Fork the Context7 MCP repository
  2. Edit the tool input descriptions in packages/mcp/src/index.ts — these descriptions instruct the AI assistant on how to formulate the query
  3. Build and run your custom MCP server locally
The query parameter is used server-side for LLM-based reranking of documentation results. Modifying, redacting, or omitting the query can significantly reduce the relevance and quality of returned documentation.
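As an added example (not code from the Context7 MCP server or from Upstash), the rule-based redaction pass below is what a forked server could run over the query string right before forwarding it to the Context7 API, as a deterministic backstop to the tool-description instruction; the pattern list, the function names and the sample query are all assumptions constructed for this illustration.

```typescript
// Added example, not Context7 project code: deterministic redaction of the
// outgoing `query` string, applied after the assistant has formulated it.

// Hypothetical patterns: extend with your organisation's own secret formats.
const SECRET_PATTERNS: Array<{ label: string; re: RegExp }> = [
  { label: "aws-access-key", re: /\bAKIA[0-9A-Z]{16}\b/g },
  { label: "openai-style-key", re: /\bsk-[A-Za-z0-9_-]{20,}\b/g },
  { label: "github-token", re: /\bgh[pousr]_[A-Za-z0-9]{36,}\b/g },
  { label: "private-key-block", re: /-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----/g },
  { label: "bearer-token", re: /\bBearer\s+[A-Za-z0-9._~+/=-]{16,}/g },
  { label: "email", re: /\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b/g },
  // Only "key=value" / "key: value" forms match, so a query that merely
  // asks how to set an "api key" is left alone.
  { label: "key-value-secret", re: /\b(password|passwd|secret|token|api[_-]?key)\s*[:=]\s*["']?[^\s"']{6,}["']?/gi },
];

export interface RedactionResult {
  query: string;      // the string that is safe to forward
  redacted: string[]; // labels of every rule that fired, for local logging only
}

export function redactQuery(query: string): RedactionResult {
  let out = query;
  const redacted: string[] = [];
  for (const { label, re } of SECRET_PATTERNS) {
    // replace() with a global regex always scans from index 0, so no lastIndex reset is needed
    const next = out.replace(re, `[REDACTED:${label}]`);
    if (next !== out) redacted.push(label);
    out = next;
  }
  return { query: out, redacted };
}

// Stricter policy: a leaked private key or credential pair is not something
// to forward even in redacted form; return null so the caller asks the
// assistant to rephrase instead of sending anything.
export function prepareQuery(query: string): string | null {
  const { query: clean, redacted } = redactQuery(query);
  if (redacted.includes("private-key-block") || redacted.includes("key-value-secret")) return null;
  return clean;
}

// Constructed sample query, as an assistant might formulate one if it ignored
// the "strip sensitive information" instruction. The key values are fake.
export const SAMPLE_QUERY =
  "how to configure the s3 client with AKIAIOSFODNN7EXAMPLE and token=abc123def456 for alice@example.com";

console.log(redactQuery(SAMPLE_QUERY));
```

Because the page notes that redacting the query lowers reranking quality, prepareQuery refuses only for the two highest-risk rules and otherwise forwards the lightly redacted string.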

Data Storage

Context7 does not store your source files.
  • We only index and store documentation and code examples from repositories
  • Your code and source files are not stored or shared
  • All indexed content is stored in a secure vector database optimized for retrieval
What we store:
  • Library documentation
  • Code examples from documentation
  • Metadata about indexed libraries
  • Queries formulated by the MCP client
What we don’t store:
  • Your source code
  • Your original prompts or conversations
  • Your conversations with AI assistants

Infrastructure Security

SOC 2 Compliance

Context7 runs on SOC 2 compliant infrastructure provided by Upstash.
  • Type II SOC 2 certified infrastructure
  • Regular security audits and assessments
  • Continuous monitoring and compliance checks
  • Industry-standard security controls

Managed by Upstash

Context7’s infrastructure is managed by the experienced Upstash team:
  • 24/7 infrastructure monitoring
  • Automated security patching
  • DDoS protection and mitigation
  • Redundant backups and disaster recovery
  • Enterprise-grade reliability and uptime

Upstash Security Practices

All security practices and certificates of Upstash apply to Context7 products:
  • Data Encryption: Encryption at rest and in transit (TLS 1.2+)
  • Network Security: VPC isolation, firewall rules, and network segmentation
  • Access Control: Role-based access control (RBAC) and least privilege principles
  • Audit Logging: Comprehensive logging of all system activities
  • Incident Response: Documented incident response procedures
  • Vulnerability Management: Regular security scanning and penetration testing
Learn more about Upstash security: trust.upstash.com

Authentication and Access Control

API Key Security

  • API keys use cryptographic random generation
  • Keys are hashed and encrypted in our database
  • Keys can be rotated at any time from your dashboard
  • Rate limiting prevents abuse and unauthorized access

Enterprise SSO

Single Sign-On (SSO) is available for Enterprise plans. Supported SSO providers:
  • SAML 2.0
  • OAuth 2.0
  • OpenID Connect (OIDC)
Enterprise features include:
  • Centralized user management
  • Team access controls
  • Audit logs for compliance
  • Custom authentication policies
Contact our sales team at context7.com for Enterprise plan details.

Data Protection

Privacy by Design

  • Data Minimization: We only collect and store what’s necessary
  • Purpose Limitation: Documentation data is used only for documentation retrieval
  • Storage Limitation: Automated cleanup of outdated data
  • Transparency: Clear documentation of what we collect and why

GDPR Compliance

Context7 provides:
  • The right to access your data
  • The right to delete your data
  • Data portability options
  • Clear consent mechanisms
  • Privacy-first data processing

Data Residency

All indexed documentation and metadata are stored within Upstash’s SOC 2 compliant infrastructure in the United States and the European Union. Cross-border data transfers comply with the EU General Data Protection Regulation (GDPR) and the EU-U.S. Data Privacy Framework (DPF), and enterprise customers can request region-specific data residency to meet local regulatory requirements.

Rate Limiting and Abuse Prevention

  • IP-based rate limiting for anonymous requests
  • API key-based rate limiting with tiered limits
  • Automatic detection and blocking of abusive patterns
  • Protection against DDoS and scraping attacks

Secure Development Practices

  • Regular security code reviews
  • Automated dependency scanning
  • Secure CI/CD pipelines
  • Principle of least privilege for all systems
  • Security testing in development lifecycle

Reporting Security Issues

If you discover a security vulnerability:
  1. Do not publicly disclose the issue
  2. Report via GitHub Security
  3. Include detailed steps to reproduce the issue
  4. Allow reasonable time for us to address the issue
We take all security reports seriously and will respond promptly.

Transparency and Compliance

Open Source

The Context7 MCP server is open source:
  • Code is publicly available on GitHub
  • Community can audit and contribute
  • Transparent implementation and practices
Repository: github.com/upstash/context7

Compliance Certifications

Context7 benefits from Upstash’s compliance certifications:
  • SOC 2 Type II
  • GDPR compliant
  • ISO 27001 (in progress)

Best Practices for Users

Secure Your API Keys

  • Never commit API keys to version control
  • Use environment variables for key storage
  • Rotate keys regularly
  • Use different keys for different environments
  • Revoke unused or compromised keys immediately

Private Repositories

For private repository access:
  • Only grant minimum required permissions
  • Use dedicated API keys for private repos
  • Regularly audit access permissions
  • Consider using GitHub Apps with fine-grained permissions

Network Security

  • Use HTTPS for all API communications (enforced)
  • Configure proxy settings securely if behind a firewall
  • Monitor API usage for unusual patterns
  • Implement request timeouts and retries

Data Retention

  • Library Documentation: Retained while the library is active and public
  • API Logs: Retained for 30 days for debugging and analytics
  • User Data: Retained according to your account status
  • Deleted Data: Permanently removed within 30 days of deletion request

Questions and Support

For security-related questions:
For privacy policy details, visit: context7.com/privacy

Last Updated: February 2026

We continuously improve our security practices. Check this page regularly for updates.