GDPR Shift-Left Compliance

KevinRabun/GDPRShiftLeftMCP
2 stars · MIT · Community


Summary

GDPR compliance MCP server - article lookup, DPIA, ROPA, DSR, IaC analysis, Bicep templates.

README.md

GDPR Shift-Left MCP Server

<!-- mcp-name: io.github.KevinRabun/GDPRShiftLeftMCP -->

Badges: [Tests & Judges](https://github.com/KevinRabun/GDPRShiftLeftMCP/actions/workflows/test.yml) · [PyPI version](https://pypi.org/project/gdpr-shift-left-mcp/) · [Python versions](https://pypi.org/project/gdpr-shift-left-mcp/) · [License: MIT](https://opensource.org/licenses/MIT)

A Model Context Protocol (MCP) server that brings GDPR compliance knowledge directly into your IDE, enabling developers and compliance teams to "shift left" — identifying and addressing data protection requirements early in the development lifecycle.

⚠️ Disclaimer: This tool provides informational guidance only and does not constitute legal advice. Organisations should consult qualified legal counsel for binding GDPR compliance decisions.

Features

🔍 GDPR Knowledge Base (34 Tools)

  • Article Lookup — Retrieve any GDPR article by number, search across all 99 articles and 173 recitals
  • Definitions — Art. 4 term definitions with contextual explanations
  • Chapter Navigation — Browse articles by chapter with full directory
  • Azure Mappings — Map GDPR articles to Azure services and controls

📋 Compliance Workflows

  • DPIA Assessment — Assess whether a DPIA is required (EDPB 9-criteria test), generate Art. 35 templates
  • ROPA Builder — Generate and validate Art. 30 Records of Processing Activities
  • DSR Guidance — Step-by-step workflows for all 7 data subject rights (Arts. 12–23)
  • Retention Analysis — Assess retention policies against Art. 5(1)(e) storage limitation
  • Controller/Processor Role Classification — Assess data roles, get obligations, analyze code patterns, generate DPA checklists

🏗️ Infrastructure & Code Review

  • Bicep/Terraform/ARM Analyzer — Scan IaC for GDPR violations (encryption, access, network, residency, logging, retention)
  • Application Code Analyzer — Detect PII logging, hardcoded secrets, missing consent checks, data minimisation issues
  • GDPR Config Validator — Pass/fail validation in strict or advisory mode
  • DSR Capability Analyzer — Detect implementation of all 7 data subject rights (Arts. 15–22)
  • Cross-Border Transfer Analyzer — Identify third-party APIs/SDKs that may transfer data outside the EEA; each flagged provider carries a risk justification explaining its assigned risk level (headquarters location, adequacy decision status, data sensitivity)
  • Breach Readiness Analyzer — Assess breach detection, logging, and notification capabilities
  • Data Flow Analyzer — Map personal data lifecycle (collection, storage, transmission, deletion)
  • AST Code Analyzer — Deep analysis using Abstract Syntax Trees for Python, JavaScript, TypeScript, Java, C#, and Go with:
      ◦ PII detection in function parameters and variables
      ◦ Cross-border transfer detection via import analysis (150+ providers with risk justifications)
      ◦ PII logging violation detection
      ◦ DSR implementation pattern verification
      ◦ Data flow tracking and call graph analysis
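As an added illustration of two of the AST-based checks listed above (PII reaching a logging call, and a cross-border transfer hinted at by imports), here is a small Python linter written for this page. It is not the project's analyzer: the PII token list, the three-entry provider table and the sample module are constructed for the example, and a real tool would ship far larger tables and language-specific front ends.

```python
"""Added example: a minimal AST-based GDPR linter for Python source (not the project's code)."""
import ast
from dataclasses import dataclass

# Assumptions for this example: deliberately short lists. A real tool ships much larger ones.
PII_TOKENS = ("email", "ssn", "passport", "phone", "dob", "iban")
LOGGING_METHODS = {"debug", "info", "warning", "error", "critical", "exception"}
# Illustrative provider table (assumption): top-level module -> (provider, why it is flagged)
NON_EEA_SDKS = {
    "boto3": ("AWS", "default regions may be outside the EEA"),
    "stripe": ("Stripe", "US-headquartered processor"),
    "twilio": ("Twilio", "US-headquartered processor"),
}


@dataclass(frozen=True)
class Finding:
    rule: str
    line: int
    detail: str


def _looks_like_pii(name: str) -> bool:
    lowered = name.lower()
    return any(tok in lowered for tok in PII_TOKENS)


def _names_in(node: ast.AST):
    """Yield identifier names inside an expression, including attribute tails and f-string parts."""
    for sub in ast.walk(node):
        if isinstance(sub, ast.Name):
            yield sub.id
        elif isinstance(sub, ast.Attribute):
            yield sub.attr


class GdprVisitor(ast.NodeVisitor):
    def __init__(self):
        self.findings: list[Finding] = []

    def visit_Import(self, node):
        for alias in node.names:
            self._check_import(alias.name, node.lineno)
        self.generic_visit(node)

    def visit_ImportFrom(self, node):
        if node.module:
            self._check_import(node.module, node.lineno)
        self.generic_visit(node)

    def _check_import(self, module: str, lineno: int):
        top = module.split(".")[0]
        if top in NON_EEA_SDKS:
            provider, note = NON_EEA_SDKS[top]
            self.findings.append(Finding("cross_border_transfer", lineno, f"{provider}: {note} (Arts. 44-49)"))

    def visit_Call(self, node):
        func = node.func
        # Matches logger.info(...), logging.warning(...), self.log.error(...): any logging-style method call.
        if isinstance(func, ast.Attribute) and func.attr in LOGGING_METHODS:
            for arg in list(node.args) + [kw.value for kw in node.keywords]:
                pii = sorted({n for n in _names_in(arg) if _looks_like_pii(n)})
                if pii:
                    self.findings.append(Finding(
                        "pii_logging", node.lineno,
                        f"{', '.join(pii)} passed to .{func.attr}() (Art. 5(1)(c), 32)"))
        self.generic_visit(node)


def scan_source(source: str) -> list[Finding]:
    """Parse one Python module and return findings ordered by line."""
    visitor = GdprVisitor()
    visitor.visit(ast.parse(source))
    return sorted(visitor.findings, key=lambda f: f.line)


# Constructed sample input for the example, not code from any real project.
SAMPLE = '''
import logging
import stripe
from twilio.rest import Client

log = logging.getLogger(__name__)

def register(user):
    log.info("new signup %s", user.email)          # PII in a log argument
    log.debug(f"payload={user.passport_number}")   # PII inside an f-string
    log.info("signup count=%d", 1)                 # fine: no PII
    stripe.Customer.create(email=user.email)
'''

if __name__ == "__main__":
    for f in scan_source(SAMPLE):
        print(f"line {f.line}: [{f.rule}] {f.detail}")
```

The import rule fires on the module being loaded, not on the call that actually moves data, which is the trade-off the README's "via import analysis" wording describes: cheap and language-agnostic, but it needs the call-graph and data-flow passes listed above to confirm that personal data really reaches the provider.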

📝 Guided Prompts (8 Expert Prompts)

  • Gap Analysis, DPIA Assessment, Compliance Roadmap, Data Mapping
  • Incident Response, Azure Privacy Review, Vendor Assessment, Cross-Border Transfers

📐 Azure Bicep Templates (19 Templates)

  • Storage Account — CMK encryption, Private Endpoint, lifecycle policies (Art. 5, 25, 32, 44-49)
  • Key Vault — HSM-backed Premium, purge protection, RBAC (Art. 25, 32)
  • Azure SQL — Entra-only auth, TDE, auditing (Art. 25, 32)
  • Log Analytics — 365-day retention, saved GDPR queries for breach/access/erasure tracking (Art. 5(2), 30, 33)
  • Cosmos DB — EU-only regions, strong consistency, continuous backup, TTL-enabled ROPA container (Art. 25, 32, 44-49)
  • App Service — Managed identity, TLS 1.2, VNet integration, staging slot, full audit logging (Art. 25, 32)
  • Virtual Network — 3 subnets, NSGs with least-privilege rules, service endpoints (Art. 25, 32, 5(1)(f))
  • Container Apps — Internal ingress, mutual TLS, zone redundancy, managed identity (Art. 25, 32)
  • Monitor Alerts — DPO action group, 4 scheduled alerts for sign-in/exfiltration/escalation/Key Vault (Art. 33, 34, 32)
  • PostgreSQL Flexible Server — Zone-redundant HA, Entra ID auth, pgaudit, geo-redundant backups (Art. 25, 32, 5(1)(e))
  • Service Bus Premium — CMK encryption, GDPR queues for DSR/consent/breach/retention (Art. 25, 32, 5(1)(f))
  • AKS — Private cluster, Azure CNI, Defender for Containers, workload identity, network policies (Art. 25, 32, 5(1)(f))
  • Confidential Ledger — TEE-backed tamper-proof audit trail for GDPR accountability records (Art. 5(2), 30, 33)
  • Confidential VM — AMD SEV-SNP encrypted memory, vTPM, secure boot, ephemeral OS disk (Art. 25, 32, 5(1)(f))
  • Entra ID Configuration — Audit log routing, sign-in monitoring, Conditional Access checklist (Art. 32, 5(2))
  • Azure Policy — EU region restriction, CMK enforcement, tag requirements, HTTPS-only (Art. 25, 32, 44)
  • Defender for Cloud — All Defender plans, security contacts, auto-provisioning, GDPR compliance dashboard (Art. 32, 33)
  • API Management — Internal VNet, TLS 1.2+, rate limiting, data masking policies, audit logging (Art. 25, 32, 30)
  • Front Door with WAF — OWASP rules, EU/EEA geo-filtering, bot protection, rate limiting (Art. 25, 32, 44)
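The templates above encode their controls in Bicep, and Bicep compiles to ARM JSON, so the same controls can be verified on the compiled output without a Bicep parser. The following Python checker is an added example written for this page, not the project's analyze_infrastructure_code tool: it applies a handful of storage-account rules (EEA residency, HTTPS-only, TLS 1.2 floor, no public blob access, customer-managed key, network default-deny) to two constructed templates, one weak and one hardened. The EEA region allow-list and the rule-to-article mapping are this example's assumptions.

```python
"""Added example: storage-account GDPR checks over compiled ARM JSON (not the project's code)."""
import json
from dataclasses import dataclass

# Assumption for this example: Azure regions treated as inside the EEA for residency purposes.
EEA_REGIONS = {"westeurope", "northeurope", "francecentral", "germanywestcentral",
               "swedencentral", "norwayeast", "italynorth", "polandcentral", "spaincentral"}


@dataclass(frozen=True)
class Violation:
    resource: str
    rule: str
    detail: str


def _get(obj, dotted_path, default=None):
    """Nested lookup that tolerates missing keys: _get(res, 'properties.minimumTlsVersion')."""
    cur = obj
    for key in dotted_path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def check_storage_account(res):
    """Rules for Microsoft.Storage/storageAccounts; the article references are this example's mapping."""
    name = res.get("name", "<unnamed>")
    found = []
    region = str(res.get("location", "")).lower().replace(" ", "")
    if region not in EEA_REGIONS:
        found.append(Violation(name, "residency", f"location {res.get('location')!r} not in EEA allow-list (Arts. 44-49)"))
    if _get(res, "properties.supportsHttpsTrafficOnly") is not True:
        found.append(Violation(name, "transport", "supportsHttpsTrafficOnly must be true (Art. 32)"))
    tls = _get(res, "properties.minimumTlsVersion")
    if tls not in ("TLS1_2", "TLS1_3"):
        found.append(Violation(name, "transport", f"minimumTlsVersion is {tls!r}; require TLS1_2 or higher (Art. 32)"))
    if _get(res, "properties.allowBlobPublicAccess") is not False:
        found.append(Violation(name, "access", "allowBlobPublicAccess must be false (Arts. 25, 32)"))
    if _get(res, "properties.encryption.keySource") != "Microsoft.Keyvault":
        found.append(Violation(name, "encryption", "encryption.keySource is not Microsoft.Keyvault, so no CMK (Art. 32)"))
    if _get(res, "properties.networkAcls.defaultAction") != "Deny":
        found.append(Violation(name, "network", "networkAcls.defaultAction should be Deny (Art. 25)"))
    return found


CHECKS = {"Microsoft.Storage/storageAccounts": check_storage_account}


def scan_template(template_json: str) -> list[Violation]:
    """Walk the ARM resources array and apply the checker registered for each resource type."""
    template = json.loads(template_json)
    violations = []
    for res in template.get("resources", []):
        checker = CHECKS.get(res.get("type"))
        if checker:
            violations.extend(checker(res))
    return violations


# Constructed inputs for the example: what a weak and a hardened storage-account Bicep file compile to.
WEAK_TEMPLATE = json.dumps({
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [{
        "type": "Microsoft.Storage/storageAccounts", "apiVersion": "2023-01-01",
        "name": "stweak", "location": "eastus",
        "sku": {"name": "Standard_LRS"}, "kind": "StorageV2",
        "properties": {"supportsHttpsTrafficOnly": False, "minimumTlsVersion": "TLS1_0",
                       "allowBlobPublicAccess": True, "networkAcls": {"defaultAction": "Allow"}},
    }],
})
HARDENED_TEMPLATE = json.dumps({
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [{
        "type": "Microsoft.Storage/storageAccounts", "apiVersion": "2023-01-01",
        "name": "sthardened", "location": "westeurope",
        "sku": {"name": "Standard_ZRS"}, "kind": "StorageV2",
        "properties": {"supportsHttpsTrafficOnly": True, "minimumTlsVersion": "TLS1_2",
                       "allowBlobPublicAccess": False, "publicNetworkAccess": "Disabled",
                       "networkAcls": {"defaultAction": "Deny", "bypass": "AzureServices"},
                       "encryption": {"keySource": "Microsoft.Keyvault",
                                      "keyvaultproperties": {"keyname": "storage-cmk",
                                                             "keyvaulturi": "https://kv-gdpr-example.vault.azure.net/"},
                                      "services": {"blob": {"enabled": True}, "file": {"enabled": True}}}},
    }],
})

if __name__ == "__main__":
    for label, tpl in (("weak", WEAK_TEMPLATE), ("hardened", HARDENED_TEMPLATE)):
        violations = scan_template(tpl)
        print(f"{label}: {len(violations)} violation(s)")
        for v in violations:
            print(f"  {v.resource} [{v.rule}] {v.detail}")
```

To run the same rules against a real template, feed scan_template the output of `az bicep build --file main.bicep`. Checking compiled ARM rather than Bicep source also catches values that only resolve after parameter and variable expansion.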

Quick Start

Prerequisites

  • Python 3.10+
  • VS Code with GitHub Copilot

Installation

Install from the MCP Registry (recommended)

The server is published to the MCP Registry. You can install it directly in VS Code:

  1. Open the Extensions view (Ctrl+Shift+X)
  2. Type @mcp GDPR in the search field
  3. Click Install on "GDPR Shift-Left Compliance"

Note: The VS Code MCP gallery shows a curated subset of servers by default. If the server doesn't appear, add this to your VS Code User Settings (Ctrl+, → Open Settings JSON):

"chat.mcp.gallery.serviceUrl": "https://registry.modelcontextprotocol.io"

This points VS Code at the full MCP Registry (5,000+ servers) instead of GitHub's curated list.

Install via uvx (no clone needed)

uvx gdpr-shift-left-mcp

Install from source

# Clone the repository
git clone https://github.com/KevinRabun/GDPRShiftLeftMCP.git
cd GDPRShiftLeftMCP

# Install in development mode
pip install -e ".[dev]"

VS Code Integration

The repository includes .vscode/mcp.json for automatic MCP server registration. After installation, the GDPR tools appear in GitHub Copilot's tool list.

To configure manually, add to your VS Code settings:

{
  "mcp": {
    "servers": {
      "gdpr-shift-left-mcp": {
        "type": "stdio",
        "command": "python",
        "args": ["-m", "gdpr_shift_left_mcp"]
      }
    }
  }
}

Running the Server

# Run directly
python -m gdpr_shift_left_mcp

# Or via the installed entry point
gdpr-shift-left-mcp

Tool Reference

| Tool | Description | GDPR Articles |
|------|-------------|---------------|
| get_article | Retrieve a GDPR article by number | All |
| list_chapter_articles | List all articles in a chapter | All |
| search_gdpr | Full-text search across GDPR | All |
| get_recital | Retrieve a recital by number | All |
| get_azure_mapping | Azure services for a GDPR article | All |
| get_definition | Art. 4 term definition | Art. 4 |
| list_definitions | List all definitions | Art. 4 |
| search_definitions | Search definitions | Art. 4 |
| assess_dpia_need | Check if DPIA is required | Art. 35 |
| generate_dpia_template | Generate DPIA document | Art. 35 |
| get_dpia_guidance | DPIA area guidance | Art. 35–36 |
| generate_ropa_template | Art. 30 ROPA template | Art. 30 |
| validate_ropa | Validate ROPA completeness | Art. 30 |
| get_ropa_requirements | ROPA field requirements | Art. 30 |
| get_dsr_guidance | DSR handling guidance | Arts. 12–23 |
| generate_dsr_workflow | DSR fulfilment workflow | Arts. 12–23 |
| get_dsr_timeline | DSR response timelines | Art. 12(3) |
| analyze_infrastructure_code | Scan IaC for GDPR issues | Art. 25, 32, 44 |
| analyze_application_code | Scan app code for GDPR issues | Art. 5, 25, 32 |
| validate_gdpr_config | Pass/fail GDPR validation | All |
| assess_retention_policy | Assess retention policy | Art. 5(1)(e) |
| get_retention_guidance | Category-specific retention | Art. 5(1)(e) |
| check_deletion_requirements | Deletion capability checklist | Art. 17 |
| assess_controller_processor_role | Assess data controller/processor role | Art. 4, 24, 26, 28 |
| get_role_obligations | Role-specific GDPR obligations | Art. 24, 26, 28 |
| analyze_code_for_role_indicators | Detect controller/processor code patterns | Art. 4, 24, 28 |
| generate_dpa_checklist | Art. 28 DPA agreement checklist | Art. 28 |
| get_role_scenarios | Common role classification scenarios | Art. 4, 24, 26, 28 |
| analyze_dsr_capabilities | Detect DSR implementation (access, erase, portability, etc.) | Arts. 15–22 |
| analyze_cross_border_transfers | Detect third-party APIs/SDKs with risk justifications | Arts. 44–49 |
| analyze_breach_readiness | Assess breach detection, logging, and notification capabilities | Arts. 33–34 |
| analyze_data_flow | Map personal data lifecycle (collection, storage, transmission, deletion) | Art. 30 |
| analyze_code_ast | Deep AST analysis for Python/JS/TS/Java/C#/Go (PII, cross-border, DSR) | Art. 5, 25, 32, 44 |
| get_ast_capabilities | Get AST analyzer supported languages and features | All |

Architecture

src/gdpr_shift_left_mcp/
├── __init__.py              # Package init
├── __main__.py              # Entry point
├── server.py                # FastMCP server + prompt registration
├── disclaimer.py            # Legal disclaimer utility
├── data_loader.py           # Online GDPR data fetching + caching
├── tools/
│   ├── __init__.py          # Tool registration (34 tools)
│   ├── articles.py          # Article/recital/search tools
│   ├── definitions.py       # Art. 4 definition tools
│   ├── dpia.py              # DPIA assessment tools
│   ├── ropa.py              # ROPA builder tools
│   ├── dsr.py               # Data subject rights tools
│   ├── analyzer.py          # IaC + app code analyzer
│   ├── ast_analyzer.py      # AST-based deep code analysis
│   ├── retention.py         # Retention/deletion tools
│   └── role_classifier.py   # Controller/processor role classification
├── prompts/
│   ├── __init__.py          # Prompt loader
│   └── *.txt                # 8 expert prompt templates
└── templates/
    ├── __init__.py           # Template loader
    └── *.bicep               # GDPR-aligned Azure Bicep templates

Testing

# Run all tests
pytest

# Run with coverage
pytest --cov=gdpr_shift_left_mcp --cov-report=html

# Run judges (end-to-end evaluators)
python -m tests.evaluator.run_judges

Online Updates

The server fetches GDPR data from a configurable online source, with local caching:

  • Source URL: Set via the GDPR_SOURCE_URL environment variable
  • Cache TTL: Default 1 hour (configurable via GDPR_CACHE_TTL)
  • Cache directory: __gdpr_cache__/ (configurable via GDPR_CACHE_DIR)
  • Fallback: Built-in data if the online fetch fails

Whatever GDPR_SOURCE_URL returns is what the article and search tools hand to the model as GDPR text, so point it only at a source you trust.

Contributing

See CONTRIBUTING.md for guidelines. This project follows Git Flow branching:

  • feature/<name> for new features
  • bugfix/<name> for fixes
  • release/<version> for releases
  • hotfix/<name> for production fixes

All PRs must pass automated tests and judges before merging.

License

MIT — see LICENSE for details.

Acknowledgements
