Sheaf · Security

Your Sheaf is yours.

Sheaf hosts a folder of plain markdown files on your behalf and exposes it to Claude through an authenticated MCP server. We treat that folder like your inbox — read it, sync it, but never share it.

The data plane.

• Per-workspace isolation. Each Sheaf is its own folder, owned by your tenant. There is no shared schema, no cross-tenant joins, no cross-tenant queries.
• Encrypted file storage. Markdown files are encrypted at rest in Neon Postgres (AES-256). The Postgres index that powers run_sql is per-tenant, with a SELECT-only database role scoped to your schema.
• Encrypted source tokens. Salesforce, HubSpot, and Blackbaud refresh tokens are wrapped in AES-256-GCM with a per-tenant key derived from TOKEN_ENCRYPTION_KEY.
• Statement timeouts. 30-second cap on run_sql; 5-minute cap on imports before they back off and resume.

The MCP plane.

• OAuth 2.1 with PKCE. Your Sheaf is exposed at /api/mcp/<workspace-slug>, gated by claude.ai’s Dynamic Client Registration. Tokens are bearer, scoped to the workspace, and revocable.
• Tools are read-and-write per workspace, not global. A token issued for acme can never read or write foo.
• One-click revoke. Disconnect any source or revoke any MCP token from your account settings.

What gets sent to Anthropic.

• Schema metadata. Object names, column names, file structure — when the schema-design and tool-design agents run.
• The contents of the files Claude is reading. When you ask Claude a question, the specific markdown files involved are sent through the model — same as any other Claude conversation.
• Never: all of your files at once, full database dumps, files outside your active query.

Operational hygiene.

• Hosted on Vercel + Neon. SOC 2 Type II from both upstream providers.
• Cron secret. Sync workers authenticate with CRON_SECRET; only Vercel cron can trigger them.
• No third-party trackers on the marketing pages. No analytics in your workspace.
• Audit log on disk. Every file edit is recorded, with an option to mirror your Sheaf into a private git repo for full history.

If something happens.

Reach security@sheaf.so for any incident, vulnerability, or question. We respond within one business day.

Last updated: April 2026