← Back to search

io.github.KevinRabun/GDPRShiftLeftMCP

KevinRabun MIT 2 stars Scanned 48d ago

GDPR compliance MCP server - article lookup, DPIA, ROPA, DSR, IaC analysis, Bicep templates.

C
60.4 / 100

Versions

0.4.0 latest
May 19, 2026
0.3.0
Feb 10, 2026
0.2.0
Feb 9, 2026
0.1.3
Feb 6, 2026
0.1.2
Feb 6, 2026
+ show 1 more show less
0.1.1
Feb 6, 2026
PermissionsTool SafetyAuthAnnotationsCode QualityStabilitySpecVuln HistoryAuthorTransparencyCommunity

Tools 34

get_article
annotations: none low

Get the full text and context of a specific GDPR article.

article_id str
list_chapter_articles
annotations: none low

List all articles within a specific GDPR chapter.

chapter str
search_gdpr
annotations: none low

Search across GDPR articles and recitals by keywords.

keywords str
get_recital
annotations: none low

Get the text of a specific GDPR recital.

recital_number str
get_azure_mapping
annotations: none low

Get Azure service recommendations mapped to a specific GDPR article.

article_id str
get_definition
annotations: none low

Get the GDPR definition for a specific term (Art. 4).

term str
list_definitions
annotations: none low

List all GDPR definitions from Article 4.

search_definitions
annotations: none low

Search GDPR definitions by keywords.

keywords str
assess_dpia_need
annotations: none low

Assess whether a DPIA is required for a described processing activity. Args: processing_description: Free-text description of the data processing

processing_description str
generate_dpia_template
annotations: none low

Generate a DPIA template pre-filled with guidance for the described processing activity, including risk assessment and mitigation measures. Args: processing_description: Free-text description of the data processing

processing_description str
get_dpia_guidance
annotations: none low

Get detailed DPIA guidance for a specific topic or processing type. Args: topic: Topic area (e.g., 'profiling', 'large-scale monitoring', 'special categories', 'children')

topic str
generate_ropa_template
annotations: none low

Generate a Records of Processing Activities (ROPA) template per Art. 30. Args: organization_context: Description of the organization, its role (controller/processor), and main processing activities

organization_context str
validate_ropa
annotations: none low

Validate a ROPA document against Art. 30 mandatory fields. Args: ropa_content: The ROPA content to validate (text/JSON/markdown)

ropa_content str
get_ropa_requirements
annotations: none low

Get the mandatory ROPA fields for a given organizational role. Args: role: 'controller' or 'processor' — determines required fields

role str
get_dsr_guidance
annotations: none low

Get guidance on handling a specific data-subject request. Args: request_type: Type of DSR — 'access', 'rectification', 'erasure', 'restriction', 'portability', 'objection', 'automated_decision'

request_type str
generate_dsr_workflow
annotations: none low

Generate a step-by-step DSR fulfilment workflow with Azure implementation notes. Args: request_type: Type of DSR system_context: Optional description of the system architecture

request_type str system_context str
get_dsr_timeline
annotations: none low

Get GDPR-mandated response timelines and extension rules for a DSR type. Args: request_type: Type of DSR

request_type str
analyze_infrastructure_code
annotations: none low

Analyze Bicep/Terraform/ARM code for GDPR compliance issues. Checks data residency, encryption, access control, logging, retention, and privacy-by-design patterns. Args: code: The IaC code content file_type: 'bicep', 'terraform', or 'arm' file_path: Optional file path for reporting context: Optional additional context

code str context string file_path string file_type str
analyze_application_code
annotations: none low

Analyze application code for GDPR compliance issues such as missing consent checks, PII logging, insecure data handling, and missing encryption. Args: code: The application code content language: 'python', 'csharp', 'java', 'typescript', or 'javascript' file_path: Optional file path for reporting

code str language str file_path string
validate_gdpr_config
annotations: none low

Validate IaC configuration against GDPR mandatory requirements BEFORE deploying. Checks for: missing encryption at rest/in transit, public endpoints without justification, insufficient log retention, missing data classification tags, non-EU data residency. Args: code: The IaC code content file_type: 'bicep', 'terraform', or 'arm' strict_mode: If True, fail on any GDPR violation

code str file_type str strict_mode bool
analyze_dsr_capabilities
annotations: none low

Analyze code for Data Subject Rights (DSR) implementation capabilities. Detects patterns indicating support for GDPR rights: - Art. 15: Right of access - Art. 16: Right to rectification - Art. 17: Right to erasure - Art. 18: Right to restriction - Art. 20: Right to data portability - Art. 21: Right to object - Art. 22: Automated decision-making safeguards Args: code: The application code content language: Programming language ('python', 'typescript', 'csharp', etc.) file_path: Optional file path for reporting

code str language str file_path string
analyze_cross_border_transfers
annotations: none low

Analyze code for potential cross-border data transfers under GDPR Chapter V. Detects: - Third-party API calls to non-EU services (OpenAI, Stripe, Twilio, etc.) - SDK imports for US-based services - Webhook/integration patterns that may involve data export Provides guidance on SCCs, DPAs, and Transfer Impact Assessments. Args: code: The application code content language: Programming language ('python', 'typescript', 'csharp', etc.) file_path: Optional file path for reporting

code str language str file_path string
analyze_breach_readiness
annotations: none low

Analyze code for breach notification readiness under GDPR Art. 33-34. Assesses: - Security logging capabilities - Alerting mechanisms - Incident tracking systems - 72-hour notification process references - Data subject notification capabilities Args: code: The application code content language: Programming language ('python', 'typescript', 'csharp', etc.) file_path: Optional file path for reporting

code str language str file_path string
analyze_data_flow
annotations: none low

Analyze code for personal data flow patterns to support ROPA documentation. Maps the data lifecycle: - Collection: Where PII enters the system - Storage: Where PII is persisted - Transmission: Where PII is sent externally - Deletion: Where PII is removed Helps identify GDPR compliance touchpoints for Art. 30 ROPA. Args: code: The application code content language: Programming language ('python', 'typescript', 'csharp', etc.) file_path: Optional file path for reporting

code str language str file_path string
assess_retention_policy
annotations: none low

Assess a data-retention policy against GDPR storage-limitation principle (Art. 5(1)(e)) and right to erasure (Art. 17). Args: policy_description: Description of the retention policy

policy_description str
get_retention_guidance
annotations: none low

Get GDPR-aligned retention guidance for a specific data category. Args: data_category: Category of data (e.g., 'employee records', 'customer data', 'marketing consent', 'health data', 'financial transactions')

data_category str
check_deletion_requirements
annotations: none low

Check what deletion/anonymization capabilities a system must support per GDPR. Args: system_context: Description of the system and data it holds

system_context str
assess_controller_processor_role
annotations: none low

Assess whether a service/system acts as data controller, processor, joint controller, or has a mixed role under GDPR. Analyzes the service description against GDPR definitions and EDPB guidance to determine the likely role and associated obligations. Args: service_description: Description of the service, data flows, business relationships, and processing activities

service_description str
get_role_obligations
annotations: none low

Get GDPR obligations specific to a controller/processor role. Returns detailed obligations from relevant GDPR articles with optional Azure implementation guidance. Args: role: 'controller', 'processor', 'joint_controller', or 'sub_processor' include_azure: Include Azure-specific implementation guidance

role str include_azure bool
analyze_code_for_role_indicators
annotations: none low

Analyze source code for patterns indicating controller vs processor role. Detects patterns like: direct user data collection, consent mechanisms, multi-tenant isolation, webhook receivers, data forwarding, etc. Args: code: The source code to analyze language: Programming language ('python', 'typescript', 'csharp', etc.)

code str language str
generate_dpa_checklist
annotations: none low

Generate an Article 28 Data Processing Agreement (DPA) checklist. Provides a comprehensive checklist of mandatory and recommended DPA clauses with Azure-specific considerations. Args: context: Description of the processing relationship and context

context str
get_role_scenarios
annotations: none low

Get common controller/processor scenarios and role determinations. Returns typical scenarios (SaaS, API services, cloud infrastructure, etc.) with guidance on typical role classification and exceptions. Args: scenario_type: Filter scenarios by type (e.g., 'saas', 'api', 'cloud') or 'all' for all scenarios

scenario_type str
analyze_code_ast
annotations: none low

Analyze code using AST for GDPR compliance (Python, JavaScript, TypeScript). AST analysis provides higher accuracy than regex by: - Filtering out comments and string literals (reducing false positives) - Tracking variable assignments and data flow - Identifying function definitions and call sites - Verifying semantic intent of GDPR-related code Detects: - Cross-border data transfers (third-party API imports) - PII handling in function parameters - PII logging violations - DSR implementation patterns (Art. 15-22) Args: code: Source code to analyze file_path: Optional file path for automatic language detection language: Override language (python, javascript, typescript) deep_analysis: Include detailed function, import, and data flow info

code str language string file_path string deep_analysis bool
get_ast_capabilities
annotations: none low

Get information about AST analysis capabilities. Returns supported languages, analysis categories, detected patterns, and configuration options for the AST-based code analyzer.

Permissions 5

network medium
Server uses network capabilities via: httpx
filesystem low
Server uses filesystem capabilities via: open(), os, pathlib, shutil, tempfile
shell high
Server uses shell capabilities via: os.system(), subprocess
database medium
Server uses database capabilities via: sqlite3
env_vars low
Server uses env_vars capabilities via: os.environ

Scan Findings 86

info
Could not connect to MCP server for behavioral verification behavioral_verifier · 100%
info
No dependency files found for SBOM generation sbom_generator · 100%
info
MITRE ATLAS technique coverage summary atlas_annotator · 100%
info
pyproject.toml metadata manifest_parser · 100%
info
Tool: get_article manifest_parser · 90%
info
Tool: list_chapter_articles manifest_parser · 90%
info
Tool: search_gdpr manifest_parser · 90%
info
Tool: get_recital manifest_parser · 90%
info
Tool: get_azure_mapping manifest_parser · 90%
info
Tool: get_definition manifest_parser · 90%
info
Tool: list_definitions manifest_parser · 90%
info
Tool: search_definitions manifest_parser · 90%
info
Tool: assess_dpia_need manifest_parser · 90%
info
Tool: generate_dpia_template manifest_parser · 90%
info
Tool: get_dpia_guidance manifest_parser · 90%
info
Tool: generate_ropa_template manifest_parser · 90%
info
Tool: validate_ropa manifest_parser · 90%
info
Tool: get_ropa_requirements manifest_parser · 90%
info
Tool: get_dsr_guidance manifest_parser · 90%
info
Tool: generate_dsr_workflow manifest_parser · 90%
info
Tool: get_dsr_timeline manifest_parser · 90%
low
Tool 'get_azure_mapping' has no annotations annotation_checker · 100%
info
Tool: analyze_infrastructure_code manifest_parser · 90%
info
Tool: analyze_application_code manifest_parser · 90%
info
Tool: validate_gdpr_config manifest_parser · 90%
info
Tool: analyze_dsr_capabilities manifest_parser · 90%
info
Tool: analyze_cross_border_transfers manifest_parser · 90%
info
Tool: analyze_breach_readiness manifest_parser · 90%
info
Tool: analyze_data_flow manifest_parser · 90%
info
Tool: assess_retention_policy manifest_parser · 90%
info
Tool: get_retention_guidance manifest_parser · 90%
low
Tool 'get_definition' has no annotations annotation_checker · 100%
info
Tool: check_deletion_requirements manifest_parser · 90%
info
Tool: assess_controller_processor_role manifest_parser · 90%
info
Tool: get_role_obligations manifest_parser · 90%
info
Tool: analyze_code_for_role_indicators manifest_parser · 90%
info
Tool: generate_dpa_checklist manifest_parser · 90%
info
Tool: get_role_scenarios manifest_parser · 90%
info
Tool: analyze_code_ast manifest_parser · 90%
info
Tool: get_ast_capabilities manifest_parser · 90%
info
Required env vars (1) manifest_parser · 80%
low
Tool 'get_article' has no annotations annotation_checker · 100%
low
Tool 'list_chapter_articles' has no annotations annotation_checker · 100%
low
Tool 'search_gdpr' has no annotations annotation_checker · 100%
low
Tool 'get_recital' has no annotations annotation_checker · 100%
low
Tool 'list_definitions' has no annotations annotation_checker · 100%
low
Tool 'search_definitions' has no annotations annotation_checker · 100%
low
Tool 'assess_dpia_need' has no annotations annotation_checker · 100%
low
Tool 'generate_dpia_template' has no annotations annotation_checker · 100%
low
Tool 'get_dpia_guidance' has no annotations annotation_checker · 100%
low
Tool 'generate_ropa_template' has no annotations annotation_checker · 100%
low
Tool 'validate_ropa' has no annotations annotation_checker · 100%
low
Tool 'get_ropa_requirements' has no annotations annotation_checker · 100%
low
Tool 'get_dsr_guidance' has no annotations annotation_checker · 100%
low
Tool 'generate_dsr_workflow' has no annotations annotation_checker · 100%
low
Tool 'get_dsr_timeline' has no annotations annotation_checker · 100%
low
Tool 'analyze_infrastructure_code' has no annotations annotation_checker · 100%
low
Tool 'analyze_application_code' has no annotations annotation_checker · 100%
low
Tool 'validate_gdpr_config' has no annotations annotation_checker · 100%
low
Tool 'analyze_dsr_capabilities' has no annotations annotation_checker · 100%
low
Tool 'analyze_cross_border_transfers' has no annotations annotation_checker · 100%
low
Tool 'analyze_breach_readiness' has no annotations annotation_checker · 100%
low
Tool 'analyze_data_flow' has no annotations annotation_checker · 100%
low
Tool 'assess_retention_policy' has no annotations annotation_checker · 100%
info
Could not connect to MCP server for output poisoning scan output_poisoning · 100%
low
Tool 'get_retention_guidance' has no annotations annotation_checker · 100%
low
Tool 'check_deletion_requirements' has no annotations annotation_checker · 100%
low
Tool 'assess_controller_processor_role' has no annotations annotation_checker · 100%
low
Tool 'get_role_obligations' has no annotations annotation_checker · 100%
low
Tool 'analyze_code_for_role_indicators' has no annotations annotation_checker · 100%
low
Tool 'generate_dpa_checklist' has no annotations annotation_checker · 100%
low
Tool 'get_role_scenarios' has no annotations annotation_checker · 100%
low
Tool 'analyze_code_ast' has no annotations annotation_checker · 100%
low
Tool 'get_ast_capabilities' has no annotations annotation_checker · 100%
medium
OAuth implementation without PKCE auth_checker · 75%
medium
Permission: network access detected permission_analyzer · 90%
low
Permission: filesystem access detected permission_analyzer · 90%
high
Permission: shell access detected permission_analyzer · 95%
medium
Permission: database access detected permission_analyzer · 90%
low
Permission: env_vars access detected permission_analyzer · 90%
medium
Vulnerable dependency: mcp@1.2.0 (GHSA-3qhf-m339-9g5v) dependency_analyzer · 95%
medium
Vulnerable dependency: mcp@1.2.0 (GHSA-9h52-p55h-vw2f) dependency_analyzer · 95%
medium
Vulnerable dependency: mcp@1.2.0 (GHSA-j975-95f5-7wqh) dependency_analyzer · 95%
info
SLSA Build Level 2 detected slsa_assessor · 85%
info
ATLAS: Adversarial ML Supply Chain (AML.T0043) atlas_annotator · 100%
info
ATLAS: Poison Training Data (AML.T0020) atlas_annotator · 100%