Is GDPRShiftLeft free?

Yes, GDPRShiftLeft is free to use.

How do I install GDPRShiftLeft?

GDPRShiftLeft is a local plugin. Install it using PyPI package: gdpr-shift-left-mcp and add the generated configuration snippet to your AI app's MCP config file. Then restart your AI app.

What AI apps work with GDPRShiftLeft?

GDPRShiftLeft uses the Model Context Protocol (MCP) and works with any MCP-compatible AI app, including Claude, ChatGPT / Codex, Gemini, Copilot, Cursor, and more.

Back to Browse

GDPRShiftLeft MCP Server

by KevinRabun

Developer ToolsModerate7.0MCP RegistryLocal

Free

Server data from the Official MCP Registry

GDPR compliance MCP server - article lookup, DPIA, ROPA, DSR, IaC analysis, Bicep templates.

About

GDPR compliance MCP server - article lookup, DPIA, ROPA, DSR, IaC analysis, Bicep templates.

Security Report

7.0

Moderate7.0Low Risk

Valid MCP server (1 strong, 1 medium validity signals). 3 known CVEs in dependencies (0 critical, 3 high severity) Package registry verified. Imported from the Official MCP Registry.

3 files analyzed · 4 issues found

Security scores are indicators to help you make informed decisions, not guarantees. Always review permissions before connecting any MCP server.

Permissions Required

This plugin requests these system permissions. Most are normal for its category.

file_system

Check that this permission is expected for this type of plugin.

How to Install

Add this to your MCP configuration file:

{
  "mcpServers": {
    "mcp-server": {
      "args": [
        "gdpr-shift-left-mcp"
      ],
      "command": "uvx"
    }
  }
}

Documentation

View on GitHub

From the project's GitHub README.

GDPR Shift-Left MCP Server

A Model Context Protocol (MCP) server that brings GDPR compliance knowledge directly into your IDE, enabling developers and compliance teams to "shift left" — identifying and addressing data protection requirements early in the development lifecycle.

⚠️ Disclaimer: This tool provides informational guidance only and does not constitute legal advice. Organisations should consult qualified legal counsel for binding GDPR compliance decisions.

Features

🔍 GDPR Knowledge Base (34 Tools)

Article Lookup — Retrieve any GDPR article by number, search across all 99 articles and 173 recitals
Definitions — Art. 4 term definitions with contextual explanations
Chapter Navigation — Browse articles by chapter with full directory
Azure Mappings — Map GDPR articles to Azure services and controls

📋 Compliance Workflows

DPIA Assessment — Assess whether a DPIA is required (EDPB 9-criteria test), generate Art. 35 templates
ROPA Builder — Generate and validate Art. 30 Records of Processing Activities
DSR Guidance — Step-by-step workflows for all 7 data subject rights (Arts. 12–23)
Retention Analysis — Assess retention policies against Art. 5(1)(e) storage limitation
Controller/Processor Role Classification — Assess data roles, get obligations, analyze code patterns, generate DPA checklists

🏗️ Infrastructure & Code Review

Bicep/Terraform/ARM Analyzer — Scan IaC for GDPR violations (encryption, access, network, residency, logging, retention)
Application Code Analyzer — Detect PII logging, hardcoded secrets, missing consent checks, data minimisation issues
GDPR Config Validator — Pass/fail validation in strict or advisory mode
DSR Capability Analyzer — Detect implementation of all 7 data subject rights (Arts. 15–22)
Cross-Border Transfer Analyzer — Identify third-party APIs/SDKs that may transfer data outside EEA, with risk justifications explaining why each provider has its assigned risk level (based on headquarters location, adequacy decisions, and data sensitivity)
Breach Readiness Analyzer — Assess breach detection, logging, and notification capabilities
Data Flow Analyzer — Map personal data lifecycle (collection, storage, transmission, deletion)
AST Code Analyzer — Deep analysis using Abstract Syntax Trees for Python, JavaScript, TypeScript, Java, C#, and Go with:
- PII detection in function parameters and variables
- Cross-border transfer detection via import analysis (150+ providers with risk justifications)
- PII logging violation detection
- DSR implementation pattern verification
- Data flow tracking and call graph analysis

📝 Guided Prompts (8 Expert Prompts)

Gap Analysis, DPIA Assessment, Compliance Roadmap, Data Mapping
Incident Response, Azure Privacy Review, Vendor Assessment, Cross-Border Transfers

📐 Azure Bicep Templates (19 Templates)

Storage Account — CMK encryption, Private Endpoint, lifecycle policies (Art. 5, 25, 32, 44-49)
Key Vault — HSM-backed Premium, purge protection, RBAC (Art. 25, 32)
Azure SQL — Entra-only auth, TDE, auditing (Art. 25, 32)
Log Analytics — 365-day retention, saved GDPR queries for breach/access/erasure tracking (Art. 5(2), 30, 33)
Cosmos DB — EU-only regions, strong consistency, continuous backup, TTL-enabled ROPA container (Art. 25, 32, 44-49)
App Service — Managed identity, TLS 1.2, VNet integration, staging slot, full audit logging (Art. 25, 32)
Virtual Network — 3 subnets, NSGs with least-privilege rules, service endpoints (Art. 25, 32, 5(1)(f))
Container Apps — Internal ingress, mutual TLS, zone redundancy, managed identity (Art. 25, 32)
Monitor Alerts — DPO action group, 4 scheduled alerts for sign-in/exfiltration/escalation/Key Vault (Art. 33, 34, 32)
PostgreSQL Flexible Server — Zone-redundant HA, Entra ID auth, pgaudit, geo-redundant backups (Art. 25, 32, 5(1)(e))
Service Bus Premium — CMK encryption, GDPR queues for DSR/consent/breach/retention (Art. 25, 32, 5(1)(f))
AKS — Private cluster, Azure CNI, Defender for Containers, workload identity, network policies (Art. 25, 32, 5(1)(f))
Confidential Ledger — TEE-backed tamper-proof audit trail for GDPR accountability records (Art. 5(2), 30, 33)
Confidential VM — AMD SEV-SNP encrypted memory, vTPM, secure boot, ephemeral OS disk (Art. 25, 32, 5(1)(f))
Entra ID Configuration — Audit log routing, sign-in monitoring, Conditional Access checklist (Art. 32, 5(2))
Azure Policy — EU region restriction, CMK enforcement, tag requirements, HTTPS-only (Art. 25, 32, 44)
Defender for Cloud — All Defender plans, security contacts, auto-provisioning, GDPR compliance dashboard (Art. 32, 33)
API Management — Internal VNet, TLS 1.2+, rate limiting, data masking policies, audit logging (Art. 25, 32, 30)
Front Door with WAF — OWASP rules, EU/EEA geo-filtering, bot protection, rate limiting (Art. 25, 32, 44)

Quick Start

Prerequisites

Python 3.10+
VS Code with GitHub Copilot

Installation

Install from the MCP Registry (recommended)

The server is published to the MCP Registry. You can install it directly in VS Code:

Open the Extensions view (Ctrl+Shift+X)
Type @mcp GDPR in the search field
Click Install on "GDPR Shift-Left Compliance"

Note: The VS Code MCP gallery shows a curated subset of servers by default. If the server doesn't appear, add this to your VS Code User Settings (Ctrl+, → Open Settings JSON):
"chat.mcp.gallery.serviceUrl": "https://registry.modelcontextprotocol.io"
This points VS Code at the full MCP Registry (5,000+ servers) instead of GitHub's curated list.

Install via uvx (no clone needed)

uvx gdpr-shift-left-mcp

Install from source

# Clone the repository
git clone https://github.com/KevinRabun/GDPRShiftLeftMCP.git
cd GDPRShiftLeftMCP

# Install in development mode
pip install -e ".[dev]"

VS Code Integration

The repository includes .vscode/mcp.json for automatic MCP server registration. After installation, the GDPR tools appear in GitHub Copilot's tool list.

To configure manually, add to your VS Code settings:

{
  "mcp": {
    "servers": {
      "gdpr-shift-left-mcp": {
        "type": "stdio",
        "command": "python",
        "args": ["-m", "gdpr_shift_left_mcp"]
      }
    }
  }
}

Running the Server

# Run directly
python -m gdpr_shift_left_mcp

# Or via the installed entry point
gdpr-shift-left-mcp

Tool Reference

Tool	Description	GDPR Articles
`get_article`	Retrieve a GDPR article by number	All
`list_chapter_articles`	List all articles in a chapter	All
`search_gdpr`	Full-text search across GDPR	All
`get_recital`	Retrieve a recital by number	All
`get_azure_mapping`	Azure services for a GDPR article	All
`get_definition`	Art. 4 term definition	Art. 4
`list_definitions`	List all definitions	Art. 4
`search_definitions`	Search definitions	Art. 4
`assess_dpia_need`	Check if DPIA is required	Art. 35
`generate_dpia_template`	Generate DPIA document	Art. 35
`get_dpia_guidance`	DPIA area guidance	Art. 35–36
`generate_ropa_template`	Art. 30 ROPA template	Art. 30
`validate_ropa`	Validate ROPA completeness	Art. 30
`get_ropa_requirements`	ROPA field requirements	Art. 30
`get_dsr_guidance`	DSR handling guidance	Arts. 12–23
`generate_dsr_workflow`	DSR fulfilment workflow	Arts. 12–23
`get_dsr_timeline`	DSR response timelines	Art. 12(3)
`analyze_infrastructure_code`	Scan IaC for GDPR issues	Art. 25, 32, 44
`analyze_application_code`	Scan app code for GDPR issues	Art. 5, 25, 32
`validate_gdpr_config`	Pass/fail GDPR validation	All
`assess_retention_policy`	Assess retention policy	Art. 5(1)(e)
`get_retention_guidance`	Category-specific retention	Art. 5(1)(e)
`check_deletion_requirements`	Deletion capability checklist	Art. 17
`assess_controller_processor_role`	Assess data controller/processor role	Art. 4, 24, 26, 28
`get_role_obligations`	Role-specific GDPR obligations	Art. 24, 26, 28
`analyze_code_for_role_indicators`	Detect controller/processor code patterns	Art. 4, 24, 28
`generate_dpa_checklist`	Art. 28 DPA agreement checklist	Art. 28
`get_role_scenarios`	Common role classification scenarios	Art. 4, 24, 26, 28
`analyze_dsr_capabilities`	Detect DSR implementation (access, erase, portability, etc.)	Arts. 15–22
`analyze_cross_border_transfers`	Detect third-party APIs/SDKs with risk justifications	Arts. 44–49
`analyze_breach_readiness`	Assess breach detection, logging, and notification capabilities	Arts. 33–34
`analyze_data_flow`	Map personal data lifecycle (collection, storage, transmission, deletion)	Art. 30
`analyze_code_ast`	Deep AST analysis for Python/JS/TS/Java/C#/Go (PII, cross-border, DSR)	Art. 5, 25, 32, 44
`get_ast_capabilities`	Get AST analyzer supported languages and features	All

Architecture

src/gdpr_shift_left_mcp/
├── __init__.py              # Package init
├── __main__.py              # Entry point
├── server.py                # FastMCP server + prompt registration
├── disclaimer.py            # Legal disclaimer utility
├── data_loader.py           # Online GDPR data fetching + caching
├── tools/
│   ├── __init__.py          # Tool registration (34 tools)
│   ├── articles.py          # Article/recital/search tools
│   ├── definitions.py       # Art. 4 definition tools
│   ├── dpia.py              # DPIA assessment tools
│   ├── ropa.py              # ROPA builder tools
│   ├── dsr.py               # Data subject rights tools
│   ├── analyzer.py          # IaC + app code analyzer
│   ├── ast_analyzer.py      # AST-based deep code analysis
│   ├── retention.py         # Retention/deletion tools
│   └── role_classifier.py   # Controller/processor role classification
├── prompts/
│   ├── __init__.py          # Prompt loader
│   └── *.txt                # 8 expert prompt templates
└── templates/
    ├── __init__.py           # Template loader
    └── *.bicep               # GDPR-aligned Azure Bicep templates

Testing

# Run all tests
pytest

# Run with coverage
pytest --cov=gdpr_shift_left_mcp --cov-report=html

# Run judges (end-to-end evaluators)
python -m tests.evaluator.run_judges

Online Updates

The server fetches GDPR data from a configurable online source, with local caching:

Source URL: Set via GDPR_SOURCE_URL environment variable
Cache TTL: Default 1 hour (configurable via GDPR_CACHE_TTL)
Cache directory: __gdpr_cache__/ (configurable via GDPR_CACHE_DIR)
Fallback: Built-in data if online fetch fails

Contributing

See CONTRIBUTING.md for guidelines. This project follows Git Flow branching:

feature/<name> for new features
bugfix/<name> for fixes
release/<version> for releases
hotfix/<name> for production fixes

All PRs must pass automated tests and judges before merging.

License

MIT — see LICENSE for details.

Acknowledgements

Architecture inspired by FedRAMP20xMCP
GDPR text from EUR-Lex
EDPB guidelines from edpb.europa.eu

Reviews

No reviews yet

Be the first to review this server!

More Developer Tools MCP Servers

Git

Free

by Modelcontextprotocol · Developer Tools

Read, search, and manipulate Git repositories programmatically

Toleno

Free

by Toleno · Developer Tools

Toleno Network MCP Server — Manage your Toleno mining account with Claude AI using natural language.

mcp-creator-python

Free

by mcp-marketplace · Developer Tools

Create, build, and publish Python MCP servers to PyPI — conversationally.

MarkItDown

Free

by Microsoft · Content & Media

Convert files (PDF, Word, Excel, images, audio) to Markdown for LLM consumption

mcp-creator-typescript

Free

by mcp-marketplace · Developer Tools

Scaffold, build, and publish TypeScript MCP servers to npm — conversationally

FinAgent

Free

by mcp-marketplace · Finance

Free stock data and market news for any MCP-compatible AI assistant.

GDPRShiftLeft MCP Server

About

Security Report

Findings (4)Action required

Permissions Required

How to Install

Documentation

GDPR Shift-Left MCP Server

Features

🔍 GDPR Knowledge Base (34 Tools)

📋 Compliance Workflows

🏗️ Infrastructure & Code Review

📝 Guided Prompts (8 Expert Prompts)

📐 Azure Bicep Templates (19 Templates)

Quick Start

Prerequisites

Installation

Install from the MCP Registry (recommended)

Install via uvx (no clone needed)

Install from source

VS Code Integration

Running the Server

Tool Reference

Architecture

Testing

Online Updates

Contributing

License

Acknowledgements

Reviews

No reviews yet

More Developer Tools MCP Servers

Git

Toleno

mcp-creator-python

MarkItDown

mcp-creator-typescript

FinAgent

GDPRShiftLeft MCP Server

About

Security Report

Findings (4)Action required

Permissions Required

How to Install

Documentation

GDPR Shift-Left MCP Server

Features

🔍 GDPR Knowledge Base (34 Tools)

📋 Compliance Workflows

🏗️ Infrastructure & Code Review

📝 Guided Prompts (8 Expert Prompts)

📐 Azure Bicep Templates (19 Templates)

Quick Start

Prerequisites

Installation

Install from the MCP Registry (recommended)

Install via uvx (no clone needed)

Install from source

VS Code Integration

Running the Server

Tool Reference

Architecture

Testing

Online Updates

Contributing

License

Acknowledgements

Reviews

No reviews yet

More Developer Tools MCP Servers

Git

Toleno

mcp-creator-python

MarkItDown

mcp-creator-typescript

FinAgent