Command Palette

Search for a command to run...

UnylyUnyly
Browse all

Io.Github.KevinRabun/GDPRShiftLeftMCP

FreeNot checked

Brings GDPR compliance knowledge directly into your IDE, enabling developers to identify and address data protection requirements early in the development lifec

GitHubEmbed

About

Brings GDPR compliance knowledge directly into your IDE, enabling developers to identify and address data protection requirements early in the development lifecycle.

README

Tests & Judges PyPI version Python versions License: MIT

A Model Context Protocol (MCP) server that brings GDPR compliance knowledge directly into your IDE, enabling developers and compliance teams to "shift left" — identifying and addressing data protection requirements early in the development lifecycle.

⚠️ Disclaimer: This tool provides informational guidance only and does not constitute legal advice. Organisations should consult qualified legal counsel for binding GDPR compliance decisions.

Features

🔍 GDPR Knowledge Base (34 Tools)

  • Article Lookup — Retrieve any GDPR article by number, search across all 99 articles and 173 recitals
  • Definitions — Art. 4 term definitions with contextual explanations
  • Chapter Navigation — Browse articles by chapter with full directory
  • Azure Mappings — Map GDPR articles to Azure services and controls

📋 Compliance Workflows

  • DPIA Assessment — Assess whether a DPIA is required (EDPB 9-criteria test), generate Art. 35 templates
  • ROPA Builder — Generate and validate Art. 30 Records of Processing Activities
  • DSR Guidance — Step-by-step workflows for all 7 data subject rights (Arts. 12–23)
  • Retention Analysis — Assess retention policies against Art. 5(1)(e) storage limitation
  • Controller/Processor Role Classification — Assess data roles, get obligations, analyze code patterns, generate DPA checklists

🏗️ Infrastructure & Code Review

  • Bicep/Terraform/ARM Analyzer — Scan IaC for GDPR violations (encryption, access, network, residency, logging, retention)
  • Application Code Analyzer — Detect PII logging, hardcoded secrets, missing consent checks, data minimisation issues
  • GDPR Config Validator — Pass/fail validation in strict or advisory mode
  • DSR Capability Analyzer — Detect implementation of all 7 data subject rights (Arts. 15–22)
  • Cross-Border Transfer Analyzer — Identify third-party APIs/SDKs that may transfer data outside EEA, with risk justifications explaining why each provider has its assigned risk level (based on headquarters location, adequacy decisions, and data sensitivity)
  • Breach Readiness Analyzer — Assess breach detection, logging, and notification capabilities
  • Data Flow Analyzer — Map personal data lifecycle (collection, storage, transmission, deletion)
  • AST Code Analyzer — Deep analysis using Abstract Syntax Trees for Python, JavaScript, TypeScript, Java, C#, and Go with:
    • PII detection in function parameters and variables
    • Cross-border transfer detection via import analysis (150+ providers with risk justifications)
    • PII logging violation detection
    • DSR implementation pattern verification
    • Data flow tracking and call graph analysis

📝 Guided Prompts (8 Expert Prompts)

  • Gap Analysis, DPIA Assessment, Compliance Roadmap, Data Mapping
  • Incident Response, Azure Privacy Review, Vendor Assessment, Cross-Border Transfers

📐 Azure Bicep Templates (19 Templates)

  • Storage Account — CMK encryption, Private Endpoint, lifecycle policies (Art. 5, 25, 32, 44-49)
  • Key Vault — HSM-backed Premium, purge protection, RBAC (Art. 25, 32)
  • Azure SQL — Entra-only auth, TDE, auditing (Art. 25, 32)
  • Log Analytics — 365-day retention, saved GDPR queries for breach/access/erasure tracking (Art. 5(2), 30, 33)
  • Cosmos DB — EU-only regions, strong consistency, continuous backup, TTL-enabled ROPA container (Art. 25, 32, 44-49)
  • App Service — Managed identity, TLS 1.2, VNet integration, staging slot, full audit logging (Art. 25, 32)
  • Virtual Network — 3 subnets, NSGs with least-privilege rules, service endpoints (Art. 25, 32, 5(1)(f))
  • Container Apps — Internal ingress, mutual TLS, zone redundancy, managed identity (Art. 25, 32)
  • Monitor Alerts — DPO action group, 4 scheduled alerts for sign-in/exfiltration/escalation/Key Vault (Art. 33, 34, 32)
  • PostgreSQL Flexible Server — Zone-redundant HA, Entra ID auth, pgaudit, geo-redundant backups (Art. 25, 32, 5(1)(e))
  • Service Bus Premium — CMK encryption, GDPR queues for DSR/consent/breach/retention (Art. 25, 32, 5(1)(f))
  • AKS — Private cluster, Azure CNI, Defender for Containers, workload identity, network policies (Art. 25, 32, 5(1)(f))
  • Confidential Ledger — TEE-backed tamper-proof audit trail for GDPR accountability records (Art. 5(2), 30, 33)
  • Confidential VM — AMD SEV-SNP encrypted memory, vTPM, secure boot, ephemeral OS disk (Art. 25, 32, 5(1)(f))
  • Entra ID Configuration — Audit log routing, sign-in monitoring, Conditional Access checklist (Art. 32, 5(2))
  • Azure Policy — EU region restriction, CMK enforcement, tag requirements, HTTPS-only (Art. 25, 32, 44)
  • Defender for Cloud — All Defender plans, security contacts, auto-provisioning, GDPR compliance dashboard (Art. 32, 33)
  • API Management — Internal VNet, TLS 1.2+, rate limiting, data masking policies, audit logging (Art. 25, 32, 30)
  • Front Door with WAF — OWASP rules, EU/EEA geo-filtering, bot protection, rate limiting (Art. 25, 32, 44)

Quick Start

Prerequisites

  • Python 3.10+
  • VS Code with GitHub Copilot

Installation

Install from the MCP Registry (recommended)

The server is published to the MCP Registry. You can install it directly in VS Code:

  1. Open the Extensions view (Ctrl+Shift+X)
  2. Type @mcp GDPR in the search field
  3. Click Install on "GDPR Shift-Left Compliance"

Note: The VS Code MCP gallery shows a curated subset of servers by default. If the server doesn't appear, add this to your VS Code User Settings (Ctrl+, → Open Settings JSON):

"chat.mcp.gallery.serviceUrl": "https://registry.modelcontextprotocol.io"

This points VS Code at the full MCP Registry (5,000+ servers) instead of GitHub's curated list.

Install via uvx (no clone needed)

uvx gdpr-shift-left-mcp

Install from source

# Clone the repository
git clone https://github.com/KevinRabun/GDPRShiftLeftMCP.git
cd GDPRShiftLeftMCP

# Install in development mode
pip install -e ".[dev]"

VS Code Integration

The repository includes .vscode/mcp.json for automatic MCP server registration. After installation, the GDPR tools appear in GitHub Copilot's tool list.

To configure manually, add to your VS Code settings:

{
  "mcp": {
    "servers": {
      "gdpr-shift-left-mcp": {
        "type": "stdio",
        "command": "python",
        "args": ["-m", "gdpr_shift_left_mcp"]
      }
    }
  }
}

Running the Server

# Run directly
python -m gdpr_shift_left_mcp

# Or via the installed entry point
gdpr-shift-left-mcp

Tool Reference

Tool Description GDPR Articles
get_article Retrieve a GDPR article by number All
list_chapter_articles List all articles in a chapter All
search_gdpr Full-text search across GDPR All
get_recital Retrieve a recital by number All
get_azure_mapping Azure services for a GDPR article All
get_definition Art. 4 term definition Art. 4
list_definitions List all definitions Art. 4
search_definitions Search definitions Art. 4
assess_dpia_need Check if DPIA is required Art. 35
generate_dpia_template Generate DPIA document Art. 35
get_dpia_guidance DPIA area guidance Art. 35–36
generate_ropa_template Art. 30 ROPA template Art. 30
validate_ropa Validate ROPA completeness Art. 30
get_ropa_requirements ROPA field requirements Art. 30
get_dsr_guidance DSR handling guidance Arts. 12–23
generate_dsr_workflow DSR fulfilment workflow Arts. 12–23
get_dsr_timeline DSR response timelines Art. 12(3)
analyze_infrastructure_code Scan IaC for GDPR issues Art. 25, 32, 44
analyze_application_code Scan app code for GDPR issues Art. 5, 25, 32
validate_gdpr_config Pass/fail GDPR validation All
assess_retention_policy Assess retention policy Art. 5(1)(e)
get_retention_guidance Category-specific retention Art. 5(1)(e)
check_deletion_requirements Deletion capability checklist Art. 17
assess_controller_processor_role Assess data controller/processor role Art. 4, 24, 26, 28
get_role_obligations Role-specific GDPR obligations Art. 24, 26, 28
analyze_code_for_role_indicators Detect controller/processor code patterns Art. 4, 24, 28
generate_dpa_checklist Art. 28 DPA agreement checklist Art. 28
get_role_scenarios Common role classification scenarios Art. 4, 24, 26, 28
analyze_dsr_capabilities Detect DSR implementation (access, erase, portability, etc.) Arts. 15–22
analyze_cross_border_transfers Detect third-party APIs/SDKs with risk justifications Arts. 44–49
analyze_breach_readiness Assess breach detection, logging, and notification capabilities Arts. 33–34
analyze_data_flow Map personal data lifecycle (collection, storage, transmission, deletion) Art. 30
analyze_code_ast Deep AST analysis for Python/JS/TS/Java/C#/Go (PII, cross-border, DSR) Art. 5, 25, 32, 44
get_ast_capabilities Get AST analyzer supported languages and features All

Architecture

src/gdpr_shift_left_mcp/
├── __init__.py              # Package init
├── __main__.py              # Entry point
├── server.py                # FastMCP server + prompt registration
├── disclaimer.py            # Legal disclaimer utility
├── data_loader.py           # Online GDPR data fetching + caching
├── tools/
│   ├── __init__.py          # Tool registration (34 tools)
│   ├── articles.py          # Article/recital/search tools
│   ├── definitions.py       # Art. 4 definition tools
│   ├── dpia.py              # DPIA assessment tools
│   ├── ropa.py              # ROPA builder tools
│   ├── dsr.py               # Data subject rights tools
│   ├── analyzer.py          # IaC + app code analyzer
│   ├── ast_analyzer.py      # AST-based deep code analysis
│   ├── retention.py         # Retention/deletion tools
│   └── role_classifier.py   # Controller/processor role classification
├── prompts/
│   ├── __init__.py          # Prompt loader
│   └── *.txt                # 8 expert prompt templates
└── templates/
    ├── __init__.py           # Template loader
    └── *.bicep               # GDPR-aligned Azure Bicep templates

Testing

# Run all tests
pytest

# Run with coverage
pytest --cov=gdpr_shift_left_mcp --cov-report=html

# Run judges (end-to-end evaluators)
python -m tests.evaluator.run_judges

Online Updates

The server fetches GDPR data from a configurable online source, with local caching:

  • Source URL: Set via GDPR_SOURCE_URL environment variable
  • Cache TTL: Default 1 hour (configurable via GDPR_CACHE_TTL)
  • Cache directory: __gdpr_cache__/ (configurable via GDPR_CACHE_DIR)
  • Fallback: Built-in data if online fetch fails

Contributing

See CONTRIBUTING.md for guidelines. This project follows Git Flow branching:

  • feature/<name> for new features
  • bugfix/<name> for fixes
  • release/<version> for releases
  • hotfix/<name> for production fixes

All PRs must pass automated tests and judges before merging.

License

MIT — see LICENSE for details.

Acknowledgements

from github.com/KevinRabun/GDPRShiftLeftMCP

Install Io.Github.KevinRabun/GDPRShiftLeftMCP in Claude Desktop, Claude Code & Cursor

Recommended · one command, every IDE
unyly install io-github-kevinrabun-gdprshiftleftmcp

Installs into Claude Desktop, Claude Code, Cursor & VS Code — handles npx, uvx and build-from-source repos for you.

First time? Get the CLI: curl -fsSL https://unyly.org/install | sh

Or configure manually

Run in your terminal:

claude mcp add io-github-kevinrabun-gdprshiftleftmcp -- uvx gdpr-shift-left-mcp

FAQ

Is Io.Github.KevinRabun/GDPRShiftLeftMCP MCP free?

Yes, Io.Github.KevinRabun/GDPRShiftLeftMCP MCP is free — one-click install via Unyly at no cost.

Does Io.Github.KevinRabun/GDPRShiftLeftMCP need an API key?

No, Io.Github.KevinRabun/GDPRShiftLeftMCP runs without API keys or environment variables.

Is Io.Github.KevinRabun/GDPRShiftLeftMCP hosted or self-hosted?

Self-hosted: the server runs locally on your machine via the install command above.

How do I install Io.Github.KevinRabun/GDPRShiftLeftMCP in Claude Desktop, Claude Code or Cursor?

Open Io.Github.KevinRabun/GDPRShiftLeftMCP on unyly.org, pick your client tab (Claude Desktop, Claude Code, Cursor) and press Install — the config is generated automatically, no JSON editing.

Related MCPs

Compare Io.Github.KevinRabun/GDPRShiftLeftMCP with

Not sure what to pick?

Find your stack in 60 seconds

Author?

Embed badge for your README

Browse similar

All development MCPs