Zero Telemetry: What It Actually Means

"Zero telemetry" gets thrown around a lot. Usually it means "we collect less data than Google." That's a low bar.

PRISM's zero telemetry means something specific: there is no code in the application that sends data anywhere except the Gmail API endpoints you explicitly invoke.

Why this matters for MCP servers

An MCP server sits between your AI assistant and your data. For a Gmail MCP server, that means it handles your email content, contact list, filter rules, forwarding config, OAuth tokens, and usage patterns.

This is sensitive data. The server that handles it should be auditable.

How to verify it yourself

1. Search for outbound connections:

grep -r "fetch\|axios\|http\.request" src/ --include="*.ts"

Every match is a Gmail API call. No other outbound connections exist.

2. Check dependencies:

cat package.json | jq '.dependencies'

Three production dependencies: @modelcontextprotocol/sdk, googleapis, zod. No analytics libraries.

3. Monitor network traffic:

Every outbound request goes to googleapis.com or accounts.google.com. Nothing else.

What we do instead

• Local audit logging: Every tool execution logged locally. Never leaves your machine.
• GitHub Issues: When something breaks, users tell us directly.
• Test coverage: 97.9% coverage catches most issues before they reach users.

The credential encryption angle

Every other Gmail MCP server stores tokens as plaintext JSON:

{ "access_token": "ya29.a0AfH6SM...", "refresh_token": "1//0dx..." }

Anyone with file read access has full Gmail access. PRISM uses AES-256-GCM with a machine-derived key (scrypt). Decryptable only on the machine that created it.

The tradeoff

Zero telemetry has real costs. We don't know our active user count. We can't detect regressions automatically. We learn about bugs slower. We accept these tradeoffs because silently sending data about your email usage to our servers is worse.

The standard MCP servers should meet

1. Transparent — open source, auditable
2. Minimal — only required dependencies
3. Encrypted — credentials at rest, not plaintext
4. Silent — no outbound traffic except what you request

---

PRISM is open source: github.com/synthprism/prism

Read the code. That's the whole point.