Buyer Diligence

Buyer diligence for MCP approval

Use registry scores, scan depth, certification status, and linked research as inputs to approval across security review, procurement, engineering, and platform teams.

Audiences: Security reviewers, Procurement, Engineering, Platform teams, Cautious technical buyers

CraftedTrust is an input to approval, not a substitute for it.

Start in the registry. Use the score, scan depth, certification status, and linked research to decide whether a server looks ready for approval, needs deeper review, or should wait. CraftedTrust helps teams evaluate what is visible and documented. It does not replace internal security review, vendor diligence, or environment-specific controls.

Score

What a CraftedTrust score means

The score is a point-in-time result across 12 public categories. It helps you compare posture quickly, but it is only as strong as the evidence behind it.

Scan depth

What scan depth means

Scan depth shows how much was actually observed: metadata only, package verified, live endpoint reached, or manual review performed. Low-confidence results usually reflect lighter evidence; deeper coverage should carry more weight in buyer decisions.

Certification

What certification adds

Standard Certified adds earned public certification status, monthly rescans, and a standard report. Premium Certified adds deeper review depth, stronger buyer-facing evidence, and a more active monitoring cadence.

Evidence

What public evidence is available

Use the public server profile, score, scan depth, confidence, review age, linked Touchstone research, and proof artifacts when available to support a better decision.

Public evidence

What you can review before approval

  • Public server profile with score, grade, and certification status.
  • Scan depth, confidence, review age, and last successful live scan.
  • Linked Touchstone advisories and methodology references.
  • Trust manifest and proof bundle artifacts when available.

Buyer responsibility

What CraftedTrust does not decide for you

  • Confirm permissions, data flows, and change control in your own environment.
  • Review findings against your internal approval standards and risk tolerance.
  • Validate vendor, legal, privacy, and platform requirements that public scans cannot prove.
  • Re-check point-in-time signals when a server changes or review evidence gets stale.

Data handling

Data handling and privacy summary

  • Public scans, scores, and certification status are public by design.
  • Stripe handles self-serve card payments for Assisted Review and certification.
  • Privacy and tracking are minimal: no ad tech, no third-party analytics services, and no tracking or advertising cookies.
  • Canonical details live in the privacy policy and data-handling documentation.

Support paths

When to use custom scope, Sponsor a Scan, or enterprise support

  • Use Sponsor a Scan when you need coverage accelerated for a category, ecosystem, or high-priority set of servers.
  • Use custom enterprise scope for multiple servers, private environments, buyer-diligence support, or custom commercial terms.
  • Enterprise scope is packaging and support on top of the core workflow, not a separate public certification state.

Next step

Use the registry for first-pass evaluation. Use For Publishers when a server owner is ready to prove what is true. Use buyer-diligence support when your team needs help prioritizing scans, reviewing evidence, or packaging a larger adoption decision.
Decision note: Scores are point-in-time signals. Certification adds evidence, not certainty. Buyers still have to exercise judgment.