Security Overview
AI models that call your production APIs need guardrails that traditional API gateways were never designed for. An LLM doesn't read documentation, doesn't respect rate limits, and can make dozens of tool calls per second. Vinkius Cloud provides the security and governance layer built specifically for this reality.
Security capabilities
Vinkius Cloud provides five security and governance layers that work together to protect your production APIs from unrestricted AI access. Each capability is designed for a specific threat vector in MCP infrastructure.
FinOps Guard
Prevents runaway token consumption by enforcing payload size limits. When an API returns arrays with hundreds or thousands of items, FinOps Guard shrinks them automatically. The AI gets the same intelligence with fewer tokens.
| Control | Default | What it does |
|---|---|---|
| Max Array Items | 50 items | Truncates list responses beyond this threshold |
| Max Payload Size | Configurable | Absolute byte ceiling — prevents context overflow |
Configuration:
- Per-server — Toggle FinOps and set limits from the server's Edit modal
- Global — Set account-wide defaults under Settings → FinOps Guard
Server-level governance
Every server has governance controls adjustable from the Edit modal:
| Setting | Description |
|---|---|
| DLP | Enable or disable Data Loss Prevention |
| FinOps | Enable or disable FinOps Guard |
| Custom patterns | Regex for organization-specific sensitive data |
| Max Array Items | Maximum items in list responses |
| Max Payload Size | Absolute byte ceiling |
| Tool grouping | Flat, grouped, or auto |
Next steps
Frequently Asked Questions
What security layers does Vinkius Cloud provide for MCP servers?
Every MCP server automatically gets five layers of protection: V8 Isolate sandboxing (no filesystem, no process injection), SSRF protection (blocks all private networks and cloud metadata), DLP / PII redaction (transport-layer data masking), a Credential Vault (AES-256 encrypted API secrets), and an immutable Audit Log.
Is DLP enabled by default on new servers?
Yes. When you enable DLP in your global Settings → Data Shielding, every new server inherits those default patterns. You can override or extend patterns on a per-server basis. Free plans include DLP with built-in patterns.
How fast can I revoke an AI agent's access?
One click, 40 milliseconds. Token revocation propagates globally across all edge nodes. Active SSE connections using the revoked token are terminated immediately. There is no grace period or cache TTL.
Do I need to configure security for each server individually?
No. Security features (V8 sandbox, SSRF protection, HMAC-authenticated tokens) are enabled by default for every server. DLP patterns and FinOps Guard limits can be configured globally and overridden per-server when needed.
Are Vinkius Cloud servers compliant with GDPR and SOC 2?
Vinkius Cloud provides the technical controls required for GDPR compliance (DLP data minimization, audit trails) and SOC 2 Type II evidence (immutable logs, processing integrity). The architecture is designed around the principle that sensitive data should never reach the AI model.
How does Vinkius Cloud compare to self-hosted MCP server security?
Self-hosted MCP servers typically run with full filesystem and network access, store credentials in environment variables, and have no built-in DLP or audit logging. Vinkius Cloud provides V8 Isolate sandboxing, SSRF lockdown, encrypted credentials, transport-layer PII redaction, and immutable audit trails — none of which exist in standard MCP server deployments.