Effective on: November 6, 2025
1. Nature and Scope of Service
The Model Context Protocol ("MCP") constitutes a technical framework enabling seamless communication between Bitrix24 and external data sources or services. MCP facilitates the transmission of data, execution of commands, and performance of operations across connected systems through server-based integrations. Depending on the scenario and/or third-party applications and databases ("Sources") you plan to use, this protocol (i) permits your Bitrix24 Customer Account to access, retrieve and interact with information from third-party Sources in real time and (ii) permits the information from your Bitrix24 Customer Account to be accessed, retrieved, and interacted with in such third-party Sources.
Alaio provides functionality enabling users to connect MCP servers, whether provided by Alaio or by third parties, to their Bitrix24 Customer Account. Alaio does not control, monitor, or guarantee the security and compliance practices of any third-party Sources you choose to integrate. We recommend reviewing the security policies and data processing practices of all third-party Sources before integration.
By enabling any MCP integration, you acknowledge and agree that you are solely responsible for connecting and integrating any third-party Sources to your Bitrix24 Customer Account including processing of your data between your Bitrix24 Customer Account and such third-party Sources. You also bear sole responsibility for evaluating the suitability of any MCP server connection and must independently assess all risks enumerated herein prior to enabling integration.
2. Acknowledged Risks
2.1 Data Exposure and Collection
MCP servers (both third-party and provided by Alaio) can see all queries, responses, and operational data that pass through them. These servers may record, collect, and keep information including sensitive business data and private communications.
2.2 Manipulation and Context Forgery
Attackers may use prompt injection methods or create fake authentication contexts to trick AI systems into revealing confidential information or performing unauthorized actions. Attackers may create false context metadata to bypass security controls and gain higher-level access. You understand the system is vulnerable to social engineering attacks that exploit how AI follows instructions.
2.3 Harmful Actions and Over-Permissions
MCP servers with write access may make permanent changes, deletions, or system modifications. If the AI misunderstands commands or makes logic errors, this can lead to serious problems including data loss and system failures. Users understand that many implementations are given too many permissions, violating the principle of least privilege.
2.4 API Exposure and Discovery Vulnerabilities
MCP implementations may expose too many internal endpoints or lack proper access separation, allowing discovery of sensitive APIs that were never meant to be publicly visible or accessible to AI agents. Without proper endpoint filtering and access controls, attackers may list available APIs and find exploitable weaknesses. You understand the risks of unintended API exposure.
2.5 Inconsistent Security Standards
Security implementation differs greatly across MCP servers. Some implementations may lack encryption, authentication, access logging, or payload signature verification, allowing tampering without detection.
2.6 Security Breaches and System Access
MCP servers are targets for credential theft, account takeovers, and data breaches. If successfully compromised, attackers may move laterally into other connected systems.
2.7 Regulatory Compliance Issues
MCP operations happen with limited visibility into how data is handled, where it's processed, or how long it's stored. Users may be unable to meet regulatory requirements including access requests or deletion requirements without cooperation from third parties.
3. You are advised to connect only to MCP servers from authenticated and trusted sources.
4. Disclaimer of Liability
You acknowledge that connecting Sources through MCP is undertaken at your sole risk. You assume complete responsibility for all consequences, damages, losses, or liabilities arising from MCP integration or operation, including resource abuse, service degradation, cost escalation, denial-of-service conditions, data breaches, unauthorized access, system compromise, or any other harm that may result from MCP usage.
Alaio makes no representations, warranties, or guarantees concerning MCP servers provided by Alaio or third-party MCP servers, their operation, security practices, data handling, or compliance with applicable laws. Alaio expressly disclaims all liability for the operation, security, reliability, availability, or performance of such MCP servers.
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, ALAIO SHALL NOT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, SPECIAL, PUNITIVE, OR EXEMPLARY DAMAGES ARISING FROM OR RELATED TO MCP USAGE, INCLUDING BUT NOT LIMITED TO DATA LOSS, CORRUPTION, OR UNAUTHORIZED DISCLOSURE; SYSTEM DAMAGE OR MALFUNCTION; SECURITY BREACHES OR UNAUTHORIZED ACCESS; REGULATORY VIOLATIONS OR COMPLIANCE FAILURES; BUSINESS INTERRUPTION OR OPERATIONAL DISRUPTION; RESOURCE EXHAUSTION OR UNEXPECTED COSTS; OR SERVICE DEGRADATION OR UNAVAILABILITY.
You acknowledge that you have independently evaluated all security, operational, compliance, and financial risks associated with MCP integration before enabling this feature. You are solely responsible for implementing appropriate safeguards, monitoring mechanisms, and rate limiting controls to prevent abuse or service degradation.
MCP INTEGRATION IS PROVIDED "AS IS" AND "AS AVAILABLE" WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT.