MTC Skopos is an offline desktop application: it runs entirely on your machine and never sends your ERP data to MTC. All ingestion, analysis, remediation, and reporting happen locally. The only connection that reaches us is a license check that carries entitlement metadata, never your data. Because MTC operates no service that holds your data, the assurance that matters for an offline tool is binary integrity and data-flow transparency, not SaaS-style certifications.

Most access risk and GRC tools are hosted services: you ship a copy of your SAP authorization data to a vendor and trust their controls. MTC Skopos works the other way. The analysis runs where your data already lives, so the question "what happens to our data at the vendor" has a short answer: nothing leaves.

Offline by design

MTC Skopos is a self-contained desktop application. There is no MTC-hosted server, no cloud tenancy, and no background service that keeps running after you close it. Whatever data you load is read, analysed, and reported on entirely on your machine, and every output is written only to the local or network location you choose. File-based analysis needs no connectivity at all, so the product runs in restricted-network and air-gapped environments.

This is the same data-ownership argument behind the SaaS trap: the most reliable way to keep sensitive access data private is to never send it anywhere.

The only three network connections

MTC Skopos opens outbound connections in just three situations, and none sends your ERP data to MTC.

| Connection | Destination | Controlled by | Carries your ERP data? |
| --- | --- | --- | --- |
| License and version check | MTC license service (licence.mtcskopos.com) | MTC | No, entitlement metadata only |
| Optional AI assistant | The AI provider you configure (Anthropic, OpenAI, Azure OpenAI, self-hosted) | You | Only if you enable it; anonymised by default, sent to your provider, never MTC |
| Optional live SAP extraction | Your own SAP system | You | Read from your system, stored locally, never forwarded |

The single connection to MTC is the license service. It exchanges a signed entitlement, a machine fingerprint for seat enforcement, and a version query. It is given no business data and has no access to anything you analyse. If it is unreachable, the application keeps working against its local license for a grace period of about three days.
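A point-in-time way to check the three connections listed above from the workstation itself, as an added example that is not taken from MTC or its whitepaper. The process name `mtc-skopos` is an assumption derived from the executable name, and the allowed-host list is something you extend with your own AI provider and SAP hosts.

```powershell
# Added example: list the remote endpoints the running application holds open
# and flag any that do not resolve from the hosts you expect.
param(
    # Assumption: process name derived from the executable name mtc-skopos.exe.
    [string]$ProcessName = 'mtc-skopos',
    # The license host from the table; append your AI provider and SAP hosts.
    [string[]]$AllowedHosts = @('licence.mtcskopos.com')
)

# Resolve each allowed host to its current addresses (CNAME records carry none).
$allowedIps = foreach ($name in $AllowedHosts) {
    Resolve-DnsName -Name $name -ErrorAction SilentlyContinue |
        Where-Object { $_.IPAddress } |
        ForEach-Object { $_.IPAddress }
}

$procIds = @((Get-Process -Name $ProcessName -ErrorAction Stop).Id)
$local = @('0.0.0.0', '::', '127.0.0.1', '::1')

# Keep only connections that leave the machine and mark each as expected or not.
$report = Get-NetTCPConnection -OwningProcess $procIds -ErrorAction SilentlyContinue |
    Where-Object { $_.RemoteAddress -notin $local } |
    ForEach-Object {
        [pscustomobject]@{
            RemoteAddress = $_.RemoteAddress
            RemotePort    = $_.RemotePort
            State         = $_.State
            Expected      = $_.RemoteAddress -in $allowedIps
        }
    }

$report | Sort-Object Expected, RemoteAddress | Format-Table -AutoSize
$unexpected = @($report | Where-Object { -not $_.Expected })
if ($unexpected.Count -gt 0) {
    Write-Warning "$($unexpected.Count) connection(s) to addresses outside the allowed hosts"
    exit 1
}
```

This is a snapshot, and hosts served from rotating address pools can resolve differently between runs. Firewall or proxy logs filtered on the same process give continuous evidence.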

What is demonstrably absent

The product contains no telemetry, no usage analytics, no crash or error reporting, no automatic update download, and no MTC data-collection endpoint of any kind. Credentials for SAP or AI are held in memory only for the session and are never written to disk.

SOC 2, ISO 27001, and pen testing: the right assurance for an offline tool

Security reviewers reasonably ask for SOC 2, ISO 27001, or a third-party penetration test. For MTC Skopos those frameworks audit a layer that is not in your data path:

  • SOC 2 attests to a service organisation's controls over customer data held in its environment. MTC operates no service and holds none of your data, so a SOC 2 report would describe controls that do not exist in how Skopos handles your information.
  • ISO 27001 certifies MTC's own information security management system, not the product. For an offline tool the security of your data does not depend on MTC's internal ISMS, because your data never enters it.
  • Penetration testing (VAPT) exercises a running, network-exposed system. With Skopos deployed offline there is no exposed service or network ingress to test. The real question, whether the local binary is genuine and behaves correctly, is answered by software-supply-chain controls rather than a network pentest.

So instead of certifications that audit the wrong layer, we provide assurance matched to the risks that actually apply to an offline binary.

The assurance we provide

  • Signed release binary and published checksum. The Windows executable is code-signed with a DigiCert Authenticode certificate, so you can confirm the publisher and that the binary is unaltered through the Windows signature dialog or Get-AuthenticodeSignature. A SHA-256 checksum is published for each release. See the per-release verification workflow.
  • Embedded Software Bill of Materials. Releases are built with cargo auditable, which embeds the full dependency inventory inside the signed binary. Its integrity is inherited from the code signature, so there is no separate SBOM file whose provenance you have to trust.
  • Reproducible dependency audit. You do not rely on a scan output from us. Run cargo audit bin mtc-skopos.exe against the binary you received to produce your own authoritative result against the RustSec advisory database.
  • Architecture and data-flow whitepaper. A document for your security, data-protection, and audit teams that inventories every network connection, confirms there is no egress of business data to MTC, and lists runtime checks your team can run on their own network. Download the whitepaper.
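The first three checks in the list above, combined into one pre-install gate. This is an added example, not MTC's own verification workflow; the published checksum and the expected publisher string are placeholders you fill in from the release you downloaded, so the script fails closed until you do.

```powershell
# Added example (not MTC's script): verify a downloaded release before first run.
param(
    [string]$Path = '.\mtc-skopos.exe',
    # Placeholder: paste the SHA-256 published for the release you downloaded.
    [string]$PublishedSha256 = '<published-sha256-for-this-release>',
    # Assumption: a substring you expect in the signer certificate subject.
    [string]$ExpectedPublisher = '<expected-publisher-name>'
)

$failures = @()

# 1. Authenticode: signature must validate, and the signer must be who you expect.
$sig = Get-AuthenticodeSignature -FilePath $Path
if ($sig.Status -ne 'Valid') {
    $failures += "Signature status is '$($sig.Status)': $($sig.StatusMessage)"
} elseif ($sig.SignerCertificate.Subject -notlike "*$ExpectedPublisher*") {
    $failures += "Unexpected signer: $($sig.SignerCertificate.Subject)"
} elseif ($sig.SignerCertificate.Issuer -notlike '*DigiCert*') {
    $failures += "Unexpected issuer: $($sig.SignerCertificate.Issuer)"
}

# 2. Checksum: compare the local SHA-256 with the published value.
$actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
if ($actual -ne $PublishedSha256.Trim()) {
    $failures += "SHA-256 mismatch: computed $actual"
}

# 3. Dependency audit: read the embedded inventory and check it against RustSec.
if (Get-Command cargo -ErrorAction SilentlyContinue) {
    & cargo audit bin $Path
    if ($LASTEXITCODE -ne 0) {
        $failures += "cargo audit bin exited with code $LASTEXITCODE; review its output"
    }
} else {
    $failures += 'cargo not found; dependency audit was not run'
}

if ($failures.Count -gt 0) {
    $failures | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Output "All checks passed for $Path"
```

Step 3 needs `cargo-audit` installed with binary scanning support on the machine doing the check.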

The AI assistant keeps your data on your side

The AI features are optional, and the core product works fully with AI disabled, including air-gapped. When enabled, requests go only to the AI provider you configure (your own Anthropic, OpenAI, Azure OpenAI, or self-hosted gateway), never to an MTC endpoint. Sensitive entities such as user IDs, role names, system names, and HR attributes are replaced locally with non-reversible placeholders before anything is sent, and restored locally on the response. MTC never brokers or receives this traffic. For tamper-evident output, Skopos can also sign its reports with keys you control: see BYOK and non-repudiation.

The company behind MTC Skopos

MTC Skopos is built by Meylan Technologies & Consulting Sàrl, a company registered in Geneva, Switzerland. The subscription agreement is governed by Swiss law, Canton of Geneva. See the full terms for licensing, warranty, and data-privacy commitments. You can download the architecture whitepaper; to request the full assurance package or book a walkthrough with your security team, contact us.

Reporting a security issue

If you believe you have found a vulnerability in MTC Skopos or in mtcskopos.com, please tell us. Our responsible disclosure policy explains what is in scope, how fast we respond, and the safe-harbor protection for good-faith research.