Sovereignty Scan

MCP server for EU AI Act vendor sovereignty scanning. MIT-licensed free tier.

Know where your stack processes data before the enforcer does. Covers 55 providers across 12 categories.

Install

Add to claude_desktop_config.json and restart Claude Desktop. No account required.

{
  "mcpServers": {
    "sovereignty-scan": {
      "type": "http",
      "url": "https://sovereignty-scan.kajaril.com/mcp"
    }
  }
}

Free tier — MIT license, public endpoint, 100 req / day per IP.

Client compatibility

Client	Status
Claude Desktop	✓ Supported
Cursor / Windsurf	✓ Supported (HTTP MCP)
claude.ai web	✗ Not supported (no HTTP MCP)

Quick test

Verify the endpoint is live before installing:

curl -s https://sovereignty-scan.kajaril.com/health | jq .

Or call a tool directly:

curl -s -X POST https://sovereignty-scan.kajaril.com/mcp \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","id":1,"method":"tools/call","params":{"name":"scan_provider","arguments":{"name":"cloudflare"}}}' \
  | jq .

Tools

scan_provider — Full jurisdictional profile for a single vendor: headquarters country, data residency regions, EU residency option, US CLOUD Act exposure, GDPR DPA availability, and legal framework.

• name — string, case-insensitive

Example response:

{
  "name": "Cloudflare",
  "hq_country": "US",
  "data_residency_regions": ["US", "EU", "APAC"],
  "eu_residency_option": true,
  "us_cloud_act_subject": true,
  "gdpr_dpa_available": true,
  "legal_framework": "GDPR+SCC"
}

scan_stack — Aggregate jurisdictional summary for a list of vendors: CLOUD Act exposure count, EU residency coverage, missing DPAs. Maximum 50 providers per call.

• providers — string[], max 50

list_providers — List all tracked providers. Optional category filter.

• category? — AI · Hosting · Database · Auth · Analytics · Observability · CI/CD · Communications · Payments · Search · Sandbox · Cache

get_us_cloud_act_providers — All providers subject to US CLOUD Act compelled disclosure (18 U.S.C. § 2713). No parameters.

suggest_eu_alternatives — EU/EEA/UK/CH-based alternatives in the same category as a given provider. Deterministic ordering: EU/EEA first, then UK/CH. Capped at 10.

• provider_name — string, case-insensitive

Pricing

	Free	Paid
Price	—	€39–149 / mo
License	MIT	Subscription
Status	Live	Coming soon
Output	Jurisdiction, residency, legal framework, CLOUD Act	+ Proprietary risk score + Remediation guidance
Auth	None	API key
Rate limit	100 req / day / IP	Extended

Paid tier notifications: [email protected]

Self-hosting

Requires a Cloudflare account (Workers + D1 + KV).

1. Clone and install

git clone https://github.com/kajaril/sovereignty-scan-mcp
cd sovereignty-scan-mcp
npm install

2. Create infrastructure

npx wrangler d1 create sovereignty-db-free
npx wrangler kv:namespace create CACHE_KV
npx wrangler rate-limit:namespace create RATE_LIMITER
npx wrangler rate-limit:namespace create BURST_LIMITER

Copy the IDs printed by each command into wrangler.jsonc under d1_databases, kv_namespaces, and unsafe.bindings.

3. Apply schema and seed data

npx wrangler d1 execute sovereignty-db-free --remote --file=migrations/0001_providers.sql
node --input-type=module -e "
  import { generateSeedSQL } from './src/seed.js';
  process.stdout.write(generateSeedSQL());
" | npx wrangler d1 execute sovereignty-db-free --remote --command=-

4. Deploy

npx wrangler deploy

The custom domain (sovereignty-scan.kajaril.com) in the default config is owned by kajaril — remove or replace the routes entry with your own domain or use the default *.workers.dev URL.

Health

GET https://sovereignty-scan.kajaril.com/health

Returns a structured payload (HTTP 200):

{
  "status": "ok",
  "provider_count": 55,
  "anthropic_path_count": 3,
  "last_kv_refresh": "2026-05-11T00:00:00.000Z",
  "cache_age_seconds": 86400,
  "schema_version": "0001"
}

status is "ok" when D1 is reachable, "degraded" otherwise. cache_age_seconds is null if the KV cache has never been warmed.

License

MIT — see LICENSE.