SECURITY & COMPLIANCE

Deep System Access. Disciplined Security Controls.

PartnerMCP's dedicated Forward Deployed Engineer (FDE) and specialized AI agents work inside your production systems — Salesforce, HubSpot, Microsoft Dynamics, ServiceNow, NetSuite, Slack, and the other platforms you rely on. Operating that close to core business systems means security cannot be an afterthought bolted onto a delivery model. It has to be the model.

Every engagement is governed by three rules that don't bend: access is scoped to the minimum required and time-boxed to the engagement, every recommendation — especially anything touching licensing — is checked against your actual vendor agreement before it's proposed, and every capability we build (portals, integrations, automation) uses only what the platform vendor has published and approved. Nothing here relies on the FDE or an AI agent behaving well by choice. It's built into how access is granted, how changes ship, and how they're reviewed.

Key takeaways

  • Access is scoped, least-privilege, and time-boxed to the engagement — no standing admin rights left behind.
  • License and cost recommendations are checked against your actual vendor agreement before they're proposed or implemented.
  • Portals, integrations, and automation use only vendor-approved capabilities — never workarounds that bypass authentication or platform rules.
  • Every agent action is logged and reviewed by your dedicated FDE before it reaches production, with a full audit trail available on demand.

Least-Privilege Access, By Default

Access is provisioned per engagement, not per relationship. There is no standing admin access left behind after a project phase closes, and no credential is ever reused across customers or shared between team members.

  • Scoped roles: your admin grants the FDE and any active AI agent the specific permission sets, profiles, or API scopes a task requires — Configuration and Integration agents get sandbox and change-set access; Cost Analysis and User Utilization agents get read-only reporting access, not the ability to modify records.
  • Time-boxed: access tied to a migration, integration build, or audit is reviewed and revoked at the end of that phase — it does not silently persist into steady-state operations.
  • Named identities only: no shared logins, no generic service accounts used to mask who (or which agent) made a change. Every action traces back to an individual identity.

No Prohibited License Workarounds

Cost optimization is a core part of what PartnerMCP does — but it is done inside vendor rules, not around them. The License Optimization and Cost Analysis agents are built to find waste, not to find loopholes.

  • We right-size licenses to actual usage patterns, optimize the license mix across tiers your vendor already offers, and remove unused access sitting on inactive or over-provisioned seats.
  • We do not recommend sharing logins, pooling seats across users to avoid a license count, or any configuration designed to obscure usage from the platform vendor.
  • Every license change is checked against the specific terms of your vendor agreement before it's proposed — not assumed from general product knowledge. If a savings idea can't be validated against your contract, it doesn't ship as a recommendation.

Approved Platform Capabilities Only

Portals, integrations, and workflow automation are built entirely on capabilities the platform vendor has published and licensed for that purpose — never on workarounds that bypass authentication or platform rules.

  • External-facing portals are built on the vendor's own approved external-user experiences (for example, licensed Experience Cloud or guest-access models), not unlicensed internal accounts repurposed for outside users.
  • Integrations run through documented, supported APIs and connectors — not screen-scraping, credential replay, or undocumented endpoints.
  • Automation operates within each platform's governance model (sharing rules, permission sets, approval processes) rather than routing around them for speed.

AI Agents Operate Inside Defined Guardrails

The specialized agents behind your engagement — Discovery, Architecture, Configuration, Integration, Workflow, Migration, Testing, Documentation, Monitoring, Cost Analysis, User Utilization, License Optimization, and Savings Verification — each have a scoped mandate and a scoped access level to match.

  • Agents that analyze (Cost Analysis, User Utilization, Discovery) operate read-only against your data and metadata.
  • Agents that build or change systems (Configuration, Integration, Workflow, Migration) work in sandbox and staging environments first; nothing reaches production without your dedicated FDE reviewing and approving the change.
  • Testing and Monitoring agents validate changes before and after they ship, and Savings Verification checks that a license or cost change actually produced the expected result — rather than taking the estimate on faith.

Audit Trail: Nothing Changes in the Dark

Every access grant, configuration change, integration deployment, and license adjustment is logged and attributable to a specific agent action or FDE decision. Your security and compliance stakeholders get visibility into what changed, when, why, and who (or which agent) approved it — not a summary after the fact, but a running record they can pull at any time.

This is also what makes the cost and savings numbers credible: an estimate produced by the Cost Analysis or License Optimization agent is a starting hypothesis, not a claim. It's confirmed against your actual contract terms and technical environment, implemented, and then checked again by the Savings Verification agent — with that whole chain visible in the audit log.

PartnerMCP recommendations are designed to comply with applicable vendor terms, product limitations, security requirements, and customer agreements. Final licensing decisions should be validated against the relevant contract and vendor documentation.

Frequently asked questions

Does PartnerMCP require standing admin access to our systems?
No. Access is scoped to what a specific engagement phase requires and reviewed for revocation once that phase closes. We don't hold blanket admin rights across your Salesforce, ServiceNow, NetSuite, or other environments as a default operating condition.
Will PartnerMCP ever recommend sharing logins or pooling licenses to cut costs?
No. License recommendations focus on right-sizing licenses, optimizing the license mix, and removing unused access — never on sharing credentials, pooling seats, or any approach designed to obscure usage from your platform vendor.
How do you make sure a license change won't violate our vendor agreement?
Every license or configuration recommendation is checked against your actual vendor terms and the specifics of your contract before it's proposed as a recommendation, and again before it's implemented. Final licensing decisions should still be validated by your team against the relevant agreement and vendor documentation.
Who reviews what the AI agents propose before it touches production?
Your dedicated Forward Deployed Engineer. Agents that build or change configuration work in sandbox or staging first; the FDE reviews and approves before anything is promoted to your production environment.
Do you build portals or integrations that bypass our platform's authentication?
No. Portals are built on the vendor's own approved external-user experiences, and integrations run through documented, supported APIs — never through workarounds that bypass authentication or platform governance rules.

Related reading

Cost & Architecture Review

See what this looks like for your stack

Run the numbers on your own users, licenses, and workflows, or talk to a Forward Deployed Engineer about where the cost is actually coming from.