
Your data and security

Grafana Assistant is an AI-powered observability companion available in Grafana Cloud. It helps you manage dashboards, troubleshoot issues, and run investigations across your observability data. It inherits Grafana’s existing security model while adding protections specific to AI-powered features. This page explains the security measures in place, how access controls work, and what you can do to use the Assistant securely.

Security architecture

Grafana Assistant operates inside Grafana Cloud’s secure infrastructure and follows a defense-in-depth model. Several core principles guide how Grafana Cloud protects data:

  • Permission inheritance: The Assistant can only access dashboards, data sources, and features that you already have permission to use.
  • Backend proxying: Grafana Cloud routes all communication with external AI providers through its infrastructure. Your browser never connects directly to third parties.
  • Encrypted handling: Grafana Cloud encrypts all data in transit with HTTPS/TLS and at rest within its systems.
  • Least privilege: The Assistant requests only the minimal permissions required to complete a task.

Authentication and authorization

You sign in to the Assistant the same way you sign in to Grafana Cloud. It uses your existing authentication setup, including single sign-on, multi-factor authentication, and Grafana’s session management policies. You don’t need an extra login.

Grafana’s role-based access control (RBAC) manages access. Administrators can grant or restrict permissions through standard Grafana roles or custom roles with fine-grained Assistant privileges such as reading, writing, running investigations, or managing MCP servers. Grafana Cloud also enforces data source permissions: the Assistant can only query sources you already have access to, and it cannot bypass existing restrictions.

Network security

Your browser, Grafana Cloud, and external services exchange data using encrypted connections that follow industry-standard protocols. Backend-to-backend traffic also uses secure connections with strict certificate validation and perfect forward secrecy.

Authentication tokens, rate limiting, and input validation protect Assistant API endpoints from abuse or injection attacks. CORS policies restrict cross-origin requests. Grafana Cloud always proxies connections to external services and monitors them for anomalies.

Data security

Grafana Cloud encrypts your data at rest and in transit. It uses strong encryption standards (AES-256 for storage, HTTPS/TLS for network traffic) and manages keys with industry-standard key management systems. Grafana Cloud isolates data by tenant and personal conversations by user. Each Assistant session maintains its own context so information does not leak between sessions.

The Assistant also applies data minimization. It sends only the conversation context relevant to a request to external AI models, scopes queries narrowly, and never shares credentials unnecessarily. Retention policies automatically clean up temporary or cached data.

MCP server security

Model Context Protocol (MCP) servers extend the Assistant with additional tools. To keep them secure:

  • All connections use HTTPS/TLS with certificate validation.
  • The Assistant stores and manages authentication tokens securely.
  • Administrators and users scope access to only the permissions they configure.
  • Logs and monitoring track usage for compliance and anomaly detection.

When you connect an MCP server, you are responsible for the security and behavior of that server. Grafana Cloud cannot control what third-party or custom MCP servers might do with the data you choose to send them. This means that the risk of connecting, configuring, and using an MCP server rests with you or your organization. To reduce exposure, only connect trusted servers, carefully scope permissions, and review access regularly.

OAuth integration security

When you connect services like GitHub, Google, or Microsoft, the Assistant uses standard OAuth 2.0 flows with PKCE for added security. Grafana Cloud encrypts and stores access tokens securely, refreshes them automatically where possible, and removes them when they expire. Grafana Cloud also limits OAuth scopes to the minimum required for functionality.

Before connecting, you can review the requested scopes, validate the provider’s authentication flow, and confirm the service follows best practices.
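As an added illustration (written for this page, not Grafana's own code) of what the PKCE step adds to the OAuth 2.0 authorization-code flow described above: the client keeps a random code_verifier secret, sends only its S256 code_challenge with the authorization request, and must present the verifier when redeeming the authorization code. Names such as `server_verify` and `demo` are this example's own; the S256 derivation follows RFC 7636.

```python
"""Worked PKCE example (RFC 7636, S256 method). Added here for illustration;
this is not Grafana's implementation. Shows why an authorization code that is
observed in transit cannot be redeemed without the matching code_verifier."""
import base64
import hashlib
import hmac
import secrets


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """High-entropy verifier; 32 random bytes encode to 43 chars (RFC minimum)."""
    return b64url(secrets.token_bytes(n_bytes))


def make_code_challenge(verifier: str) -> str:
    """S256: BASE64URL(SHA256(ASCII(code_verifier))). Only this value travels
    with the authorization request, so observing it reveals nothing usable."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def server_verify(stored_challenge: str, presented_verifier: str) -> bool:
    """Authorization-server check at the token endpoint (hypothetical helper):
    enforce RFC length bounds, recompute the challenge from the presented
    verifier and compare in constant time against the value bound to the code."""
    if not 43 <= len(presented_verifier) <= 128:
        return False
    recomputed = make_code_challenge(presented_verifier)
    return hmac.compare_digest(recomputed, stored_challenge)


def demo() -> tuple:
    """Returns (legitimate_redeem_ok, observer_redeem_ok). The legitimate client
    succeeds; a party that only saw the authorization request or the code, and
    therefore lacks the original verifier, is refused."""
    verifier = make_code_verifier()
    # The server stores the challenge together with the authorization code it issues.
    challenge_on_server = make_code_challenge(verifier)
    legit = server_verify(challenge_on_server, verifier)
    # Someone without the verifier can only present a guess of their own.
    observer = server_verify(challenge_on_server, make_code_verifier())
    return legit, observer
```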

Monitoring and incident response

Grafana Cloud logs all Assistant activities, including user interactions, API calls, and configuration changes. Automated monitoring detects unusual patterns or potential threats, and performance is continuously tracked.

If a security incident occurs, Grafana’s security team can immediately restrict access, investigate using audit logs, notify affected users, and remediate issues. Grafana also runs a bug bounty program to strengthen protections.

Compliance and certifications

Grafana Cloud, and by extension Grafana Assistant, meets industry security standards and compliance requirements. Certifications include:

  • SOC 2 Type II
  • ISO 27001
  • Compliance with major cloud security frameworks

Grafana Cloud includes security assessments, penetration tests, dependency scans, and regular patching in its ongoing vulnerability management program.

Best practices

You can strengthen security when using Grafana Assistant by following a few best practices:

  • Use strong authentication and enable multi-factor authentication.
  • Regularly review your connected MCP servers and OAuth integrations.
  • Avoid including unnecessary sensitive data in Assistant conversations.
  • Administrators should configure RBAC appropriately, monitor access logs, and set clear policies for MCP usage.
  • Organizations should conduct regular security reviews and establish clear incident response procedures.

For related guidance on protecting your information, see the best practices section in the privacy documentation.

Getting help

If you have security questions or need to report an issue:

For details on data handling and privacy, refer to the Privacy and data handling documentation. Grafana Cloud updates security protections regularly, including those for Grafana Assistant.