mcp-compliance 1.0.0

MCP server for regulatory compliance — policies, controls, audits, findings, evidence, risk assessments, GDPR/SOX/HIPAA/ISO27001/PCI-DSS frameworks

Compliance MCP Server


Regulatory compliance engine for ADK-Rust Enterprise agents. Provides 27 MCP tools covering the full compliance lifecycle — frameworks, policies, controls, audits, findings, evidence collection, risk assessments, gap analysis, training tracking, GDPR DSARs, and incident management. Supports GDPR, SOX, HIPAA, ISO 27001, PCI-DSS, SOC2, and NIST out of the box.

Key Principles

  • Framework-driven — map policies and controls to any regulatory framework
  • Audit lifecycle — plan, execute, find, remediate, close
  • Evidence-based — collect and link evidence to controls for audit readiness
  • Risk matrix — likelihood x impact scoring with auto-classification
  • Gap analysis — identify missing controls, untested controls, missing evidence
  • GDPR built-in — DSAR management with 30-day SLA tracking
  • Incident response — report, investigate, contain, resolve
  • Zero configuration — starts immediately with no external dependencies

Tools (27)

Frameworks (2)

  • framework_create: Register a framework (GDPR, SOX, HIPAA, ISO27001, PCI-DSS, SOC2, NIST, custom)
  • framework_list: List all registered frameworks

Policies (2)

  • policy_create: Create a policy (data protection, access control, incident response, etc.)
  • policy_list: List policies with review status

Controls (3)

  • control_create: Create a control (preventive, detective, corrective) linked to a policy
  • control_list: List controls with testing status
  • control_test: Mark a control as tested

Audits (2)

  • audit_create: Create an audit (internal, external, certification)
  • audit_list: List audits with findings count

Findings (3)

  • finding_create: Record a finding (critical, high, medium, low)
  • finding_update: Update status (open, in_progress, remediated, accepted, closed)
  • finding_list: List findings with open count

Evidence (2)

  • evidence_collect: Collect evidence (screenshot, log, report, attestation, config)
  • evidence_list: List evidence for a control

Risk Assessment (2)

  • risk_create: Create a risk (likelihood 1-5 x impact 1-5 = auto score and level)
  • risk_list: List risks sorted by score, with critical/high counts

Gap Analysis (1)

  • gap_analysis: Framework gap analysis: missing controls, missing evidence, untested controls

Training (3)

  • training_create: Create a training requirement and assign it to users
  • training_complete: Mark training completed by a user
  • training_list: List trainings with completion rates

GDPR - DSARs (3)

  • dsar_create: Create a DSAR (access, erasure, portability, rectification, restriction)
  • dsar_update: Update DSAR status
  • dsar_list: List DSARs with overdue count (30-day SLA)

Incidents (3)

  • incident_create: Report an incident (data breach, unauthorized access, policy violation)
  • incident_update: Update status (reported, investigating, contained, resolved, closed)
  • incident_list: List incidents with open count

Dashboard (1)

  • dashboard: Compliance summary: frameworks, policies, findings, risks, DSARs, incidents

Installation

cargo install mcp-compliance

Client Configuration

{
  "mcpServers": {
    "compliance": { "command": "mcp-compliance" }
  }
}

Quick Start

1. Set up framework and policies

{"name": "framework_create", "arguments": {"name": "GDPR", "version": "2018", "description": "EU General Data Protection Regulation"}}
{"name": "policy_create", "arguments": {"title": "Data Protection Policy", "framework_id": "fw_abc", "category": "data_protection", "description": "Controls for personal data handling", "owner": "DPO"}}

2. Define controls and collect evidence

{"name": "control_create", "arguments": {"title": "Encryption at Rest", "policy_id": "pol_abc", "control_type": "preventive", "frequency": "continuous", "description": "All PII encrypted with AES-256", "owner": "security_team"}}
{"name": "evidence_collect", "arguments": {"control_id": "ctrl_abc", "title": "AWS KMS Config Export", "evidence_type": "config", "url": "s3://evidence/kms-config.json", "collected_by": "james"}}

3. Run audit and record findings

{"name": "audit_create", "arguments": {"title": "Q2 GDPR Audit", "framework_id": "fw_abc", "scope": "All EU data processing", "auditor": "External Auditor Ltd", "due_date": "2026-06-30"}}
{"name": "finding_create", "arguments": {"audit_id": "aud_abc", "title": "Missing consent records", "severity": "high", "description": "No consent audit trail for marketing emails"}}

4. Risk assessment

{"name": "risk_create", "arguments": {"title": "Third-party data breach", "category": "vendor", "likelihood": 3, "impact": 5, "description": "Vendor with access to PII has weak security", "owner": "CISO", "mitigation": "Require SOC2 from all vendors"}}

5. GDPR DSAR

{"name": "dsar_create", "arguments": {"request_type": "erasure", "subject_name": "John Doe", "subject_email": "john@example.com", "details": "Delete all my data"}}
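The logic behind three of the tool calls above (risk_create's likelihood x impact score, gap_analysis over framework/policy/control/evidence links, and dsar_list's 30-day SLA), written out as an added Python illustration that is not the crate's own code. The risk level thresholds, the reading of "missing controls" as policies with no control, and the sample ids and dates are assumptions.

```python
from dataclasses import dataclass
from datetime import date

def risk_score(likelihood: int, impact: int) -> tuple[int, str]:
    """Score on the 1-5 x 1-5 matrix; the level thresholds are assumed."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be integers 1-5")
    score = likelihood * impact
    level = ("critical" if score >= 20 else "high" if score >= 12
             else "medium" if score >= 6 else "low")
    return score, level
@dataclass(frozen=True)
class Policy:
    id: str
    framework_id: str
@dataclass(frozen=True)
class Control:
    id: str
    policy_id: str
    tested: bool = False
@dataclass(frozen=True)
class Evidence:
    id: str
    control_id: str

def gap_analysis(framework_id, policies, controls, evidence):
    """Per-framework gaps: policies with no control (assumed meaning of
    'missing controls'), controls never tested, controls with no evidence."""
    policy_ids = {p.id for p in policies if p.framework_id == framework_id}
    scoped = [c for c in controls if c.policy_id in policy_ids]
    evidenced = {e.control_id for e in evidence}
    return {
        "missing_controls": sorted(policy_ids - {c.policy_id for c in scoped}),
        "untested_controls": sorted(c.id for c in scoped if not c.tested),
        "missing_evidence": sorted(c.id for c in scoped if c.id not in evidenced),
    }

def overdue_dsars(dsars, today, sla_days=30):
    """Ids of DSARs not yet closed whose age exceeds the SLA; dsars are (id, created, status)."""
    return sorted(i for i, created, status in dsars
                  if status != "closed" and (today - created).days > sla_days)

# Constructed sample data reusing the Quick Start ids (fw_abc, pol_abc, ctrl_abc).
POLICIES = [Policy("pol_abc", "fw_abc"), Policy("pol_def", "fw_abc")]
CONTROLS = [Control("ctrl_abc", "pol_abc"), Control("ctrl_xyz", "pol_abc", tested=True)]
EVIDENCE = [Evidence("ev_1", "ctrl_abc")]
DSARS = [("dsar_1", date(2026, 6, 1), "open"), ("dsar_2", date(2026, 7, 1), "open"),
         ("dsar_3", date(2026, 5, 1), "closed")]
TODAY = date(2026, 7, 15)
```

With the sample data, the Quick Start risk (likelihood 3, impact 5) scores 15, pol_def has no control, ctrl_abc is untested, ctrl_xyz has no evidence, and only dsar_1 is past the SLA.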

Competitive Comparison

Feature OneTrust Vanta Drata ServiceNow GRC Us
Framework management
Policy management
Controls
Audit management
Findings tracking
Evidence collection
Risk assessment
Gap analysis
Training tracking
GDPR DSARs
Incident management
Zero config
Open source
MCP native

Error Codes

  • CONTROL_NOT_FOUND: Control ID does not exist
  • FINDING_NOT_FOUND: Finding ID does not exist
  • TRAINING_NOT_FOUND: Training ID does not exist
  • DSAR_NOT_FOUND: DSAR ID does not exist
  • INCIDENT_NOT_FOUND: Incident ID does not exist

License

Apache-2.0

Part of the ADK-Rust Enterprise MCP server ecosystem.

Built with ❤️ by Zavora AI