io.github.KevinRabun/GDPRShiftLeftMCP
GDPR compliance MCP server - article lookup, DPIA, ROPA, DSR, IaC analysis, Bicep templates.
Versions
0.4.0 latest 0.3.0 0.2.0 0.1.3 0.1.2 + show 1 more show less
0.1.1 Tools 34
get_article Get the full text and context of a specific GDPR article.
list_chapter_articles List all articles within a specific GDPR chapter.
search_gdpr Search across GDPR articles and recitals by keywords.
get_recital Get the text of a specific GDPR recital.
get_azure_mapping Get Azure service recommendations mapped to a specific GDPR article.
get_definition Get the GDPR definition for a specific term (Art. 4).
list_definitions List all GDPR definitions from Article 4.
search_definitions Search GDPR definitions by keywords.
assess_dpia_need Assess whether a DPIA is required for a described processing activity. Args: processing_description: Free-text description of the data processing
generate_dpia_template Generate a DPIA template pre-filled with guidance for the described processing activity, including risk assessment and mitigation measures. Args: processing_description: Free-text description of the data processing
get_dpia_guidance Get detailed DPIA guidance for a specific topic or processing type. Args: topic: Topic area (e.g., 'profiling', 'large-scale monitoring', 'special categories', 'children')
generate_ropa_template Generate a Records of Processing Activities (ROPA) template per Art. 30. Args: organization_context: Description of the organization, its role (controller/processor), and main processing activities
validate_ropa Validate a ROPA document against Art. 30 mandatory fields. Args: ropa_content: The ROPA content to validate (text/JSON/markdown)
get_ropa_requirements Get the mandatory ROPA fields for a given organizational role. Args: role: 'controller' or 'processor' — determines required fields
get_dsr_guidance Get guidance on handling a specific data-subject request. Args: request_type: Type of DSR — 'access', 'rectification', 'erasure', 'restriction', 'portability', 'objection', 'automated_decision'
generate_dsr_workflow Generate a step-by-step DSR fulfilment workflow with Azure implementation notes. Args: request_type: Type of DSR system_context: Optional description of the system architecture
get_dsr_timeline Get GDPR-mandated response timelines and extension rules for a DSR type. Args: request_type: Type of DSR
analyze_infrastructure_code Analyze Bicep/Terraform/ARM code for GDPR compliance issues. Checks data residency, encryption, access control, logging, retention, and privacy-by-design patterns. Args: code: The IaC code content file_type: 'bicep', 'terraform', or 'arm' file_path: Optional file path for reporting context: Optional additional context
analyze_application_code Analyze application code for GDPR compliance issues such as missing consent checks, PII logging, insecure data handling, and missing encryption. Args: code: The application code content language: 'python', 'csharp', 'java', 'typescript', or 'javascript' file_path: Optional file path for reporting
validate_gdpr_config Validate IaC configuration against GDPR mandatory requirements BEFORE deploying. Checks for: missing encryption at rest/in transit, public endpoints without justification, insufficient log retention, missing data classification tags, non-EU data residency. Args: code: The IaC code content file_type: 'bicep', 'terraform', or 'arm' strict_mode: If True, fail on any GDPR violation
analyze_dsr_capabilities Analyze code for Data Subject Rights (DSR) implementation capabilities. Detects patterns indicating support for GDPR rights: - Art. 15: Right of access - Art. 16: Right to rectification - Art. 17: Right to erasure - Art. 18: Right to restriction - Art. 20: Right to data portability - Art. 21: Right to object - Art. 22: Automated decision-making safeguards Args: code: The application code content language: Programming language ('python', 'typescript', 'csharp', etc.) file_path: Optional file path for reporting
analyze_cross_border_transfers Analyze code for potential cross-border data transfers under GDPR Chapter V. Detects: - Third-party API calls to non-EU services (OpenAI, Stripe, Twilio, etc.) - SDK imports for US-based services - Webhook/integration patterns that may involve data export Provides guidance on SCCs, DPAs, and Transfer Impact Assessments. Args: code: The application code content language: Programming language ('python', 'typescript', 'csharp', etc.) file_path: Optional file path for reporting
analyze_breach_readiness Analyze code for breach notification readiness under GDPR Art. 33-34. Assesses: - Security logging capabilities - Alerting mechanisms - Incident tracking systems - 72-hour notification process references - Data subject notification capabilities Args: code: The application code content language: Programming language ('python', 'typescript', 'csharp', etc.) file_path: Optional file path for reporting
analyze_data_flow Analyze code for personal data flow patterns to support ROPA documentation. Maps the data lifecycle: - Collection: Where PII enters the system - Storage: Where PII is persisted - Transmission: Where PII is sent externally - Deletion: Where PII is removed Helps identify GDPR compliance touchpoints for Art. 30 ROPA. Args: code: The application code content language: Programming language ('python', 'typescript', 'csharp', etc.) file_path: Optional file path for reporting
assess_retention_policy Assess a data-retention policy against GDPR storage-limitation principle (Art. 5(1)(e)) and right to erasure (Art. 17). Args: policy_description: Description of the retention policy
get_retention_guidance Get GDPR-aligned retention guidance for a specific data category. Args: data_category: Category of data (e.g., 'employee records', 'customer data', 'marketing consent', 'health data', 'financial transactions')
check_deletion_requirements Check what deletion/anonymization capabilities a system must support per GDPR. Args: system_context: Description of the system and data it holds
assess_controller_processor_role Assess whether a service/system acts as data controller, processor, joint controller, or has a mixed role under GDPR. Analyzes the service description against GDPR definitions and EDPB guidance to determine the likely role and associated obligations. Args: service_description: Description of the service, data flows, business relationships, and processing activities
get_role_obligations Get GDPR obligations specific to a controller/processor role. Returns detailed obligations from relevant GDPR articles with optional Azure implementation guidance. Args: role: 'controller', 'processor', 'joint_controller', or 'sub_processor' include_azure: Include Azure-specific implementation guidance
analyze_code_for_role_indicators Analyze source code for patterns indicating controller vs processor role. Detects patterns like: direct user data collection, consent mechanisms, multi-tenant isolation, webhook receivers, data forwarding, etc. Args: code: The source code to analyze language: Programming language ('python', 'typescript', 'csharp', etc.)
generate_dpa_checklist Generate an Article 28 Data Processing Agreement (DPA) checklist. Provides a comprehensive checklist of mandatory and recommended DPA clauses with Azure-specific considerations. Args: context: Description of the processing relationship and context
get_role_scenarios Get common controller/processor scenarios and role determinations. Returns typical scenarios (SaaS, API services, cloud infrastructure, etc.) with guidance on typical role classification and exceptions. Args: scenario_type: Filter scenarios by type (e.g., 'saas', 'api', 'cloud') or 'all' for all scenarios
analyze_code_ast Analyze code using AST for GDPR compliance (Python, JavaScript, TypeScript). AST analysis provides higher accuracy than regex by: - Filtering out comments and string literals (reducing false positives) - Tracking variable assignments and data flow - Identifying function definitions and call sites - Verifying semantic intent of GDPR-related code Detects: - Cross-border data transfers (third-party API imports) - PII handling in function parameters - PII logging violations - DSR implementation patterns (Art. 15-22) Args: code: Source code to analyze file_path: Optional file path for automatic language detection language: Override language (python, javascript, typescript) deep_analysis: Include detailed function, import, and data flow info
get_ast_capabilities Get information about AST analysis capabilities. Returns supported languages, analysis categories, detected patterns, and configuration options for the AST-based code analyzer.
Permissions 5
network medium filesystem low shell high database medium env_vars low