Security

How MarcoPolo keeps your data and credentials secure while giving AI the access it needs.

When you give an AI agent access to your databases and CRMs, two questions come up fast: "Can it see my credentials?" and "Can I see what it's doing?"

MarcoPolo is built around these questions.

The short version

The AI never sees credentials. Database passwords, API tokens, and connection strings are stored encrypted and injected by a privileged layer the AI can't reach. This is an architectural boundary, not a policy.

Every user is isolated. A dedicated Kubernetes container per user. No shared state, no cross-tenant access.

Data passes through, it doesn't stay. MarcoPolo doesn't replicate or warehouse your data. Queries execute against your systems. Results are cached in your workspace for iteration, but your source data stays where it is.

Everything is visible. Every query, command, and tool call is logged and visible in the conversation. Every query file, downloaded dataset, and generated artifact is saved to your workspace filesystem. Nothing runs in the dark.

No training on your data. Customer data never enters any AI training pipeline.

Architecture

The system has three layers:

AI Assistants (Claude, ChatGPT, Cursor, etc.) connect via MCP to your workspace. They operate in user mode. They can write queries and process results, but they cannot access credentials or connection configurations.

Your MarcoPolo Workspace is an isolated container with DuckDB, Python, shell, and persistent filesystem. This is where all data processing happens.

Your Data Sources (databases, warehouses, storage, SaaS apps) are connected via 50+ connectors. Between the workspace and your data sources sits the privileged execution layer: the component that injects credentials and executes queries. Credentials flow from secure storage to the execution layer, never to the workspace.
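The split between the user-mode workspace and the privileged execution layer can be modeled in a few lines. This is an added illustration, not MarcoPolo's code: `DataSource`, `ExecutionLayer`, `WorkspaceTool`, the `crm` connection id, and the password are all constructed for the example, and an in-memory SQLite database stands in for a customer system.

```python
import hashlib, hmac, sqlite3

class DataSource:
    """Constructed stand-in for a customer database that demands a password."""
    def __init__(self, password):
        self._digest = hashlib.sha256(password.encode()).digest()
        self._db = sqlite3.connect(":memory:")
        self._db.executescript(
            "CREATE TABLE accounts(id INTEGER, name TEXT);"
            "INSERT INTO accounts VALUES (1,'acme'),(2,'globex');")
    def query(self, password, sql):
        supplied = hashlib.sha256(password.encode()).digest()
        if not hmac.compare_digest(supplied, self._digest):
            raise PermissionError("authentication failed")
        return self._db.execute(sql).fetchall()

class ExecutionLayer:
    """Privileged side: holds secrets, injects them per call, logs each call."""
    def __init__(self):
        self._secrets = {}      # connection_id -> (source, password)
        self.audit_log = []     # (user, connection_id, sql), written before running
    def register(self, connection_id, source, password):
        self._secrets[connection_id] = (source, password)
    def execute(self, user, connection_id, sql):
        self.audit_log.append((user, connection_id, sql))
        try:
            source, password = self._secrets[connection_id]
            return {"ok": True, "rows": source.query(password, sql)}
        except Exception as exc:
            # Only the error class crosses back, so a driver message that
            # echoes a connection string cannot reach the user-mode side.
            return {"ok": False, "error": type(exc).__name__}

class WorkspaceTool:
    """User-mode side handed to the AI: accepts a connection id and SQL only.
    In a real deployment this call crosses a process or network boundary;
    one Python process cannot enforce that, it only models the interface."""
    def __init__(self, user, execute):
        self._user, self._execute = user, execute
    def run_query(self, connection_id, sql):
        return self._execute(self._user, connection_id, sql)

def demo():
    layer = ExecutionLayer()
    layer.register("crm", DataSource("constructed-pw-123"), "constructed-pw-123")
    tool = WorkspaceTool("alice", layer.execute)
    good = tool.run_query("crm", "SELECT name FROM accounts ORDER BY id")
    bad = tool.run_query("crm", "SELECT * FROM missing_table")
    return good, bad, layer.audit_log
```

When reviewing a design like this, the things to check are that the tool interface takes no credential parameters, that error paths return nothing derived from the connection, and that the audit record is written before execution.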

Transparency

A common concern with AI agents: "What is it actually doing?"

Everything the AI does is visible and auditable. The AI surfaces the exact SQL, API calls, and commands it runs. You see every operation in the conversation.

Beyond the conversation, your workspace filesystem is a persistent record of all work done:

  • queries/ contains every query the AI wrote
  • downloads/ contains files pulled from your data sources
  • Scripts, analysis outputs, and generated artifacts are all saved

Browse these files through the web app or ask your AI to list them. Combined with conversation history, you have a complete audit trail of what happened and when.

Deep dives

Download the security brief (PDF)

For security questions or compliance documentation, contact support@marcopolo.dev.
