ShiftCare MCP Server - Data Handling Overview

This article explains how ShiftCare’s MCP server provides authorised customer data to customer-controlled AI agents, outlines data responsibilities, privacy boundaries and how ShiftCare’s separate in-app AI features operate.

Written by Andrew

Role of ShiftCare. In the context of the MCP (Model Context Protocol) Server, ShiftCare acts strictly as a data provider. The MCP server is an interface that allows an AI agent — operated and controlled by the customer — to request data from the customer's own ShiftCare account on the customer's behalf.

What ShiftCare does not do. ShiftCare does not operate, host, or control the AI agent. ShiftCare cannot see the customer's conversations with the customer’s AI, cannot view the agent's context, and does not interact with the customer’s AI beyond fulfilling the specific data requests the agent makes. The MCP server by itself uses no AI and performs no model inference.

Data flow and boundary of responsibility. Data requested via the MCP server is transmitted from ShiftCare's managed infrastructure to the AI environment chosen and controlled by the customer. Once data leaves ShiftCare's infrastructure, it is governed by the customer's own systems, contracts, and policies (for example, the customer's agreement with their AI provider). This is analogous to exporting data via ShiftCare's API or a CSV export: ShiftCare provides a controlled means of access, while responsibility for the subsequent processing, storage, and protection of that data — including any Personally Identifiable Information (PII) or Protected Health Information (PHI) — rests with the customer.

What is and isn't shared / anonymised. The data returned by the MCP server is the customer's own operational data, scoped to the access permissions of the authenticated user. The MCP server does not selectively anonymise this data; it returns the records the agent requests, within the requesting user's authorisation. Customers connecting the MCP therefore accept responsibility for managing how their AI processes that data to meet their organisation's specific compliance obligations (e.g. HIPAA, NDIS, GDPR).

In-app AI features (for completeness). Separately from the MCP server, AI features built into the ShiftCare application operate entirely within ShiftCare's existing AWS infrastructure, subject to our standard data-residency and security controls. ShiftCare does not transmit data to an external AI provider for these features; the underlying models are run within our own infrastructure.
