# Clanker Cloud security and trust boundary

Clanker Cloud is designed so cloud credentials, cluster contexts, and operator control stay on the machine running the app instead of moving into a hosted copilot layer.

## What stays under operator control

- Cloud credentials and kubeconfig contexts stay on the local machine.
- AI provider usage runs through bring-your-own keys instead of a reseller token layer.
- The app gathers live evidence before generating answers or plans.
- Changes require explicit maker-mode approval before execution.
- Other agents connect through a local MCP endpoint.

## Why the boundary matters

- It preserves existing provider access patterns.
- It reduces the need for a second hosted trust boundary.
- It keeps model-provider billing and choice under team control.
- It makes review-before-apply part of the normal workflow.

## Related pages

- [How Clanker Cloud works](https://clankercloud.ai/how-clanker-cloud-works)
- [For AI agents](https://clankercloud.ai/for-ai-agents)
- [Pricing](https://clankercloud.ai/pricing)
- [MCP command reference](https://docs.clankercloud.ai/cli/commands/mcp)