---
title: Global Compliance Audit MCP Server
emoji: 🔒
colorFrom: blue
colorTo: indigo
sdk: docker
pinned: true
license: mit
short_description: Offline MCP server for compliance validation & risk scoring
tags:
  - building-mcp-track-enterprise
  - mcp-server
  - compliance
  - gdpr
  - hipaa
  - offline
---

# 🔒 Global Compliance Audit MCP Server

**Offline AI assistant for enterprise compliance - no cloud APIs, no data exposure**

Check whether your business actions comply with GDPR, HIPAA, SOX, PCI-DSS and 9+ other regulations. Query audit logs. Calculate risk scores. Simulate data breaches. Generate compliance reports.

## 🎬 Demo Video

[![Watch Demo Video](https://img.youtube.com/vi/l-2jg8LlAkw/maxresdefault.jpg)](https://youtu.be/l-2jg8LlAkw?si=dCKBBWRV-GZPRTMz)

▶️ **[Watch the full demo on YouTube](https://youtu.be/l-2jg8LlAkw?si=dCKBBWRV-GZPRTMz)** - See all 5 MCP tools in action!

## 💼 Connect With Us

[![LinkedIn](https://img.shields.io/badge/LinkedIn-Post-0077b5?style=for-the-badge&logo=linkedin)](https://www.linkedin.com/posts/deenadhayalanj_global-compliance-audit-mcp-server-demo-activity-7400072133319561216-kalD)

**[View LinkedIn Announcement](https://www.linkedin.com/posts/deenadhayalanj_global-compliance-audit-mcp-server-demo-activity-7400072133319561216-kalD?utm_source=share&utm_medium=member_desktop)**

## What's Inside

- **120 Compliance Rules** - GDPR, HIPAA, PCI-DSS, SOX, CCPA, ISO27001, SOC2, NIST-CSF, FedRAMP, GLBA, FERPA, COPPA, LGPD, PIPEDA
- **60+ Risk Factors** - Encryption, authentication, backups, logging, patches, cloud deployment
- **24 Audit Log Examples** - Real data access, consent, incident, and training records
- **100% Offline** - Zero external API calls, complete data sovereignty

## Why This Matters

**The Problem:**

- Can't send sensitive data to cloud compliance APIs
- Need audit trails showing exactly which rules were applied
- Require explainable decisions with article citations

**Our Solution:**

- Works completely offline (air-gapped
environments OK)
- Same input = same output every time (deterministic)
- Every decision cites specific regulatory articles
- Versioned knowledge base for full audit trail

## Five Tools

### 1. Check Compliance (`checkRegulatoryJurisdiction`)

Validates whether a business action complies with regulations such as GDPR, HIPAA, SOX and PCI-DSS.

**How it works:** Uses TF-IDF semantic matching to find relevant rules in the 120-rule knowledge base, then returns a compliance verdict with specific article citations.

**Example:**

```
You: "Can I store patient health records in an unencrypted database under HIPAA?"

Tool Response:
- is_compliant: false
- violations: HIPAA §164.312(a)(2)(iv), §164.312(e)(2)(ii)
- required_mitigations: "Implement encryption at rest and in transit"
```

### 2. Query Audit Logs (`queryAuditTrail`)

Retrieves historical audit records filtered by date range or transaction ID.

**How it works:** Searches the 24 bundled audit log entries, which cover activities such as DATA_ACCESS, LOGIN, CONSENT_GRANTED and INCIDENT_DETECTED.

**Example:**

```
You: "Show me all data access events in November 2025"

Tool Response:
- log_entries: [{timestamp, user_id, activity_type, resource_id, ip_address}]
- total_records: 8
```

### 3. Calculate Risk Score (`calculateRiskScore`)

Assesses the risk level (0-100) of any business process or system.

**How it works:** Analyzes the inputs against 60+ risk factors (encryption, authentication, backups, network exposure, vendor dependencies).

**Example:**

```
You: "Risk score for payment system with credit cards, no encryption, 4 external APIs"

Tool Response:
- risk_score: 95
- risk_rating: "Critical"
- mitigation_recommendations: ["Implement end-to-end encryption", ...]
```

### 4. Simulate Data Breach (`simulateDataBreach`)

Models breach scenarios with notification timelines and potential penalties.

**How it works:** Matches the breach details against 5 regulatory frameworks to calculate notification deadlines, required actions, and penalty ranges.
**Example:**

```
You: "Simulate a ransomware breach exposing 50,000 EU users' PII and financial data"

Tool Response:
- breach_severity: "critical"
- notification_timeline: [{GDPR: 72 hours to authority, "without undue delay" to users}]
- potential_penalties: [{GDPR: "€20M or 4% annual revenue"}]
- immediate_actions: ["Isolate affected systems", "Preserve forensic evidence", ...]
```

### 5. Generate Compliance Report (`generateComplianceReport`)

Creates a comprehensive compliance assessment with gap analysis and a remediation plan.

**How it works:** Evaluates systems against industry-specific frameworks, identifies gaps, and prioritizes remediation actions.

**Example:**

```
You: "Generate compliance report for our healthcare patient portal handling PHI"

Tool Response:
- overall_compliance_score: 65%
- framework_compliance: {HIPAA: 70%, SOC2: 60%}
- critical_gaps: 3 (encryption, access controls, audit logging)
- priority_remediations: [{issue: "PHI encryption missing", actions: [...]}]
- estimated_remediation_timeline: "1-3 months"
```

## Quick Start

**Option 1: Docker (Easiest)**

```bash
npm run docker:build
npm run docker:run
```

**Option 2: Local**

```bash
npm install
npm run build:mcp
npm run mcp
```

**Connect to Claude Desktop:**

Add to your `claude_desktop_config.json`:

```json
{
  "mcpServers": {
    "compliance": {
      "command": "docker",
      "args": ["run", "-i", "--rm", "global-compliance-mcp"]
    }
  }
}
```

## Perfect For

- **Healthcare** - HIPAA compliance for patient data
- **Finance** - SOX/PCI-DSS for payment systems
- **Government** - FedRAMP for federal systems
- **Any air-gapped environment** - Works 100% offline because no external API calls are made

---

**Built for MCP Hackathon** | MIT License | [Setup Guide](./DOCKER-SETUP.md)
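The TF-IDF matching that `checkRegulatoryJurisdiction` is described as using, shown as an added example that is not the project's own code: a dependency-free Node.js implementation over a four-rule constructed knowledge base. The two HIPAA citations are the ones quoted in the tool example above; the GDPR and PCI-DSS entries, the `violatedWhen` patterns, the `mitigation` strings and all function names are constructed for this illustration. Retrieval ranks rules by cosine similarity of smoothed TF-IDF vectors; the verdict then applies each retrieved rule's own violation pattern, because a rule being relevant to a question is not the same as it being violated (the PCI-DSS rule is retrieved for the HIPAA question via the word "store" but produces no finding).

```javascript
// Added example, not the project's code: TF-IDF rule retrieval plus a per-rule
// violation check, standing in for the server's 120-rule knowledge base.
// Plain Node.js, no dependencies, no network: offline and deterministic.

// Constructed knowledge base. The two HIPAA citations are the ones quoted in the
// README's tool example; the GDPR and PCI-DSS entries, the `violatedWhen`
// patterns and the `mitigation` strings are illustrative stand-ins.
const RULES = [
  { id: 'HIPAA-ENC-REST', framework: 'HIPAA', article: '§164.312(a)(2)(iv)',
    text: 'Implement a mechanism to encrypt and decrypt electronic protected health information at rest',
    violatedWhen: /\b(unencrypted|plaintext|no encryption|without encryption)\b/i,
    mitigation: 'Implement encryption at rest and in transit' },
  { id: 'HIPAA-ENC-TRANSIT', framework: 'HIPAA', article: '§164.312(e)(2)(ii)',
    text: 'Encrypt electronic protected health information whenever it is transmitted over a network',
    violatedWhen: /\b(unencrypted|plaintext|no tls|without tls)\b/i,
    mitigation: 'Implement encryption at rest and in transit' },
  { id: 'GDPR-CONSENT', framework: 'GDPR', article: 'Art. 7',
    text: 'Obtain freely given, specific, informed consent before processing personal data of EU data subjects',
    violatedWhen: /\b(without consent|no consent)\b/i,
    mitigation: 'Record and verify consent before processing' },
  { id: 'PCI-STORAGE', framework: 'PCI-DSS', article: 'Req. 3',
    text: 'Protect stored cardholder account data and never store sensitive authentication data after authorization',
    violatedWhen: /\b(store|storing|stored)\b.*\b(cvv|cvc|pin)\b/i,
    mitigation: 'Do not store sensitive authentication data; tokenize card numbers' },
];

// Minimal stopword list; no stemming, so "encrypt" and "encrypted" stay distinct tokens.
const STOPWORDS = new Set(['a', 'an', 'the', 'and', 'or', 'of', 'to', 'in', 'at', 'for',
  'under', 'over', 'i', 'it', 'is', 'can', 'my', 'our', 'be', 'with', 'whenever']);

function tokenize(text) {
  return (text.toLowerCase().match(/[a-z0-9]+/g) ?? []).filter(t => !STOPWORDS.has(t));
}

// Sparse TF-IDF vector: term frequency (count / length) times smoothed IDF.
function tfidfVector(tokens, idf) {
  const counts = new Map();
  for (const t of tokens) counts.set(t, (counts.get(t) ?? 0) + 1);
  const vec = new Map();
  for (const [t, c] of counts) vec.set(t, (c / tokens.length) * idf(t));
  return vec;
}

// Index the framework name together with the rule text so "HIPAA" in a
// question pulls HIPAA rules forward.
function buildIndex(rules) {
  const docs = rules.map(r => tokenize(`${r.framework} ${r.text}`));
  const df = new Map();
  for (const tokens of docs) for (const t of new Set(tokens)) df.set(t, (df.get(t) ?? 0) + 1);
  const n = docs.length;
  // Smoothed IDF, ln((1+n)/(1+df)) + 1: terms unseen in any rule get the highest weight.
  const idf = t => Math.log((n + 1) / ((df.get(t) ?? 0) + 1)) + 1;
  return { rules, idf, vectors: docs.map(tokens => tfidfVector(tokens, idf)) };
}

function cosine(a, b) {
  let dot = 0, na = 0, nb = 0;
  for (const [t, w] of a) { na += w * w; if (b.has(t)) dot += w * b.get(t); }
  for (const w of b.values()) nb += w * w;
  return dot === 0 ? 0 : dot / (Math.sqrt(na) * Math.sqrt(nb));
}

// Rank rules by similarity to the question; ties broken by id so output is stable.
function matchRules(index, query, topK = 3, minScore = 0.05) {
  const q = tfidfVector(tokenize(query), index.idf);
  return index.vectors
    .map((v, i) => ({ rule: index.rules[i], score: cosine(q, v) }))
    .filter(m => m.score >= minScore)
    .sort((x, y) => y.score - x.score || x.rule.id.localeCompare(y.rule.id))
    .slice(0, topK);
}

// Relevance is not violation: a retrieved rule only becomes a finding when its
// own violation pattern matches the question.
function checkCompliance(index, query) {
  const matches = matchRules(index, query);
  const violated = matches.filter(m => m.rule.violatedWhen.test(query));
  const cite = m => `${m.rule.framework} ${m.rule.article}`;
  return {
    is_compliant: violated.length === 0,
    matched_rules: matches.map(cite),
    violations: violated.map(cite),
    required_mitigations: [...new Set(violated.map(m => m.rule.mitigation))],
  };
}

const INDEX = buildIndex(RULES);
```

Calling `checkCompliance(INDEX, 'Can I store patient health records in an unencrypted database under HIPAA?')` returns `is_compliant: false` with both HIPAA citations under `violations` and a single deduplicated mitigation, while the same question with "encrypted with AES-256" in place of "unencrypted" retrieves the same rules and returns compliant. Swapping the constructed `RULES` array for a versioned rule file is what gives the audit trail the README asks for: the verdict cites exactly the rules that matched.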
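Deterministic, explainable risk scoring in the spirit of `calculateRiskScore`, as an added example that is not the project's code. The factor table, weights, rating bands, profile field names and the two sample profiles are constructed assumptions (the server's 60+ factors are not listed in this README), so the score it produces for the README's payment-system scenario is its own, not the server's 95. What it demonstrates is the property the README promises: the same profile always yields the same score, every point is attributable to a named factor with a mitigation, and malformed input is rejected rather than scored partially.

```javascript
// Added example, not the project's code: deterministic, explainable risk scoring.
// The factor table, weights, rating bands and profile fields are constructed
// assumptions; the server's 60+ factors are not published in the README.

// Constructed system profiles. Field names are assumptions for this example.
const EXAMPLE_PROFILES = {
  // The README's payment-system scenario: card data, no encryption, 4 external APIs.
  paymentSystem: {
    dataTypes: ['card_data'],
    encryptionAtRest: false,
    encryptionInTransit: false,
    mfa: true,
    backups: true,
    daysSinceLastPatch: 30,
    externalApis: 4,
    internetFacing: true,
  },
  // A hardened internal HR system, for contrast.
  internalHr: {
    dataTypes: ['pii'],
    encryptionAtRest: true,
    encryptionInTransit: true,
    mfa: true,
    backups: true,
    daysSinceLastPatch: 7,
    externalApis: 0,
    internetFacing: false,
  },
};

// Each factor: when it applies, how many points it adds (a number or a function
// of the profile), and the mitigation that would remove it.
const RISK_FACTORS = [
  { id: 'CARD_DATA', applies: p => p.dataTypes.includes('card_data'), weight: 25,
    mitigation: 'Tokenize card numbers and scope PCI-DSS controls to the cardholder data environment' },
  { id: 'PHI', applies: p => p.dataTypes.includes('phi'), weight: 25,
    mitigation: 'Apply HIPAA administrative, physical and technical safeguards to PHI stores' },
  { id: 'PII', applies: p => p.dataTypes.includes('pii'), weight: 10,
    mitigation: 'Minimize retained personal data and document a lawful basis for processing' },
  { id: 'NO_ENCRYPTION_AT_REST', applies: p => !p.encryptionAtRest, weight: 20,
    mitigation: 'Implement end-to-end encryption (encrypt data at rest)' },
  { id: 'NO_ENCRYPTION_IN_TRANSIT', applies: p => !p.encryptionInTransit, weight: 15,
    mitigation: 'Implement end-to-end encryption (TLS on every connection)' },
  { id: 'NO_MFA', applies: p => !p.mfa, weight: 10,
    mitigation: 'Require multi-factor authentication for privileged and remote access' },
  { id: 'NO_BACKUPS', applies: p => !p.backups, weight: 10,
    mitigation: 'Implement tested, offline backups' },
  { id: 'UNPATCHED', applies: p => p.daysSinceLastPatch > 90, weight: 10,
    mitigation: 'Apply security patches on a defined schedule, prioritizing critical vulnerabilities' },
  // Vendor dependencies: 3 points per external API, capped at 15.
  { id: 'EXTERNAL_DEPENDENCIES', applies: p => p.externalApis > 0,
    weight: p => Math.min(3 * p.externalApis, 15),
    mitigation: 'Inventory third-party APIs, pin versions and review vendor security attestations' },
  { id: 'INTERNET_FACING', applies: p => p.internetFacing, weight: 10,
    mitigation: 'Restrict management interfaces to internal networks and front the service with a WAF' },
];

const REQUIRED_FIELDS = ['dataTypes', 'encryptionAtRest', 'encryptionInTransit', 'mfa',
  'backups', 'daysSinceLastPatch', 'externalApis', 'internetFacing'];

// Fail closed: a profile with missing fields would otherwise score as if those
// controls were present.
function validateProfile(profile) {
  const missing = REQUIRED_FIELDS.filter(f => !(f in profile));
  if (missing.length) throw new Error(`profile missing fields: ${missing.join(', ')}`);
  if (!Array.isArray(profile.dataTypes)) throw new Error('dataTypes must be an array');
}

function rateScore(score) {
  if (score >= 80) return 'Critical';
  if (score >= 60) return 'High';
  if (score >= 40) return 'Medium';
  if (score >= 20) return 'Low';
  return 'Minimal';
}

function calculateRiskScore(profile) {
  validateProfile(profile);
  const triggered = RISK_FACTORS
    .filter(f => f.applies(profile))
    .map(f => ({
      id: f.id,
      points: typeof f.weight === 'function' ? f.weight(profile) : f.weight,
      mitigation: f.mitigation,
    }));
  const score = Math.min(100, triggered.reduce((sum, f) => sum + f.points, 0));
  return {
    risk_score: score,
    risk_rating: rateScore(score),
    // Every point traces to a named factor: this is the explainable audit trail.
    contributing_factors: triggered.map(f => `${f.id} (+${f.points})`),
    mitigation_recommendations: triggered.map(f => f.mitigation),
  };
}
```

With these constructed weights `calculateRiskScore(EXAMPLE_PROFILES.paymentSystem)` scores 82 ("Critical") from five named factors, and the internal HR profile scores 10 ("Minimal"); the cap at 100 and the per-dependency cap at 15 keep a long factor list from producing unbounded scores.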