SOC2 Compliance AI MCP
OfficialServer Configuration
Describes the environment variables required to run the server.
| Name | Required | Description | Default |
|---|---|---|---|
No arguments | |||
Capabilities
Features and capabilities supported by this server
| Capability | Details |
|---|---|
| tools | {
"listChanged": false
} |
| prompts | {
"listChanged": false
} |
| resources | {
"subscribe": false,
"listChanged": false
} |
| experimental | {} |
Tools
Functions exposed to the LLM to take actions
| Name | Description |
|---|---|
| assess_trust_principlesA | Audit an AI system against the 5 SOC 2 Trust Service Criteria: Security (Common Criteria), Availability, Processing Integrity, Confidentiality, and Privacy. Returns compliance status per principle with AI-specific findings. Args: system_description: Description of the AI system or service being assessed principles_in_scope: Which principles to assess (default all 5): ["CC", "A", "PI", "C", "P"] controls_implemented: Dict mapping criteria series to implemented controls, e.g. {"CC6": ["CC6.1", "CC6.2"]} caller: Caller identifier for rate limiting tier: Access tier (free/pro) Behavior: This tool is read-only and stateless — it produces analysis output without modifying any external systems, databases, or files. Safe to call repeatedly with identical inputs (idempotent). Free tier: 10/day rate limit. Pro tier: unlimited. No authentication required for basic usage. When to use: Use this tool when you need to assess, audit, or verify compliance requirements. Ideal for gap analysis, readiness checks, and generating compliance documentation. When NOT to use: Do not use as a substitute for qualified legal counsel. This tool provides technical compliance guidance, not legal advice. |
| control_gap_analysisA | Gap analysis against SOC 2 controls. Compares implemented controls to required criteria and produces a prioritized remediation plan. Args: implemented_controls: List of implemented SOC 2 criteria IDs (e.g. ["CC1.1", "CC6.1", "A1.1"]) target_type: "type1" (point-in-time) or "type2" (period of time, requires operational evidence) principles_in_scope: Filter to specific principles ["CC", "A", "PI", "C", "P"] caller: Caller identifier for rate limiting tier: Access tier (free/pro) Behavior: This tool generates structured output without modifying external systems. Output is deterministic for identical inputs. No side effects. Free tier: 10/day rate limit. Pro tier: unlimited. No authentication required for basic usage. When to use: Use this tool when you need to assess, audit, or verify compliance requirements. Ideal for gap analysis, readiness checks, and generating compliance documentation. When NOT to use: Do not use as a substitute for qualified legal counsel. This tool provides technical compliance guidance, not legal advice. |
| generate_control_matrixA | Generate a SOC 2 control matrix with control objectives, criteria, control activities, and evidence requirements. Suitable for auditor preparation and internal control documentation. Args: organization_name: Name of the organization principles_in_scope: Which principles to include (default all 5) include_evidence: Whether to include detailed evidence requirements caller: Caller identifier for rate limiting tier: Access tier (free/pro) Behavior: This tool generates structured output without modifying external systems. Output is deterministic for identical inputs. No side effects. Free tier: 10/day rate limit. Pro tier: unlimited. No authentication required for basic usage. When to use: Use this tool when you need to assess, audit, or verify compliance requirements. Ideal for gap analysis, readiness checks, and generating compliance documentation. When NOT to use: Do not use as a substitute for qualified legal counsel. This tool provides technical compliance guidance, not legal advice. Behavioral Transparency: - Side Effects: This tool is read-only and produces no side effects. It does not modify any external state, databases, or files. All output is computed in-memory and returned directly to the caller. - Authentication: No authentication required for basic usage. Pro/Enterprise tiers require a valid MEOK API key passed via the MEOK_API_KEY environment variable. - Rate Limits: Free tier: 10 calls/day. Pro tier: unlimited. Rate limit headers are included in responses (X-RateLimit-Remaining, X-RateLimit-Reset). - Error Handling: Returns structured error objects with 'error' key on failure. Never raises unhandled exceptions. Invalid inputs return descriptive validation errors. - Idempotency: Fully idempotent — calling with the same inputs always produces the same output. Safe to retry on timeout or transient failure. - Data Privacy: No input data is stored, logged, or transmitted to external services. All processing happens locally within the MCP server process. |
| risk_assessmentA | SOC 2 risk assessment per AICPA guidelines. Identifies risks to Trust Service Criteria, assesses likelihood and impact, and maps to specific SOC 2 control requirements. Args: system_description: Description of the service organization and its systems service_commitments: System Description service commitments (SLAs, security guarantees) known_risks: Already identified risks to evaluate ai_specific: Whether to include AI-specific risk factors caller: Caller identifier for rate limiting tier: Access tier (free/pro) Behavior: This tool is read-only and stateless — it produces analysis output without modifying any external systems, databases, or files. Safe to call repeatedly with identical inputs (idempotent). Free tier: 10/day rate limit. Pro tier: unlimited. No authentication required for basic usage. When to use: Use this tool when you need to assess, audit, or verify compliance requirements. Ideal for gap analysis, readiness checks, and generating compliance documentation. When NOT to use: Do not use as a substitute for qualified legal counsel. This tool provides technical compliance guidance, not legal advice. Behavioral Transparency: - Side Effects: This tool is read-only and produces no side effects. It does not modify any external state, databases, or files. All output is computed in-memory and returned directly to the caller. - Authentication: No authentication required for basic usage. Pro/Enterprise tiers require a valid MEOK API key passed via the MEOK_API_KEY environment variable. - Rate Limits: Free tier: 10 calls/day. Pro tier: unlimited. Rate limit headers are included in responses (X-RateLimit-Remaining, X-RateLimit-Reset). - Error Handling: Returns structured error objects with 'error' key on failure. Never raises unhandled exceptions. Invalid inputs return descriptive validation errors. - Idempotency: Fully idempotent — calling with the same inputs always produces the same output. Safe to retry on timeout or transient failure. - Data Privacy: No input data is stored, logged, or transmitted to external services. All processing happens locally within the MCP server process. |
| crosswalk_to_iso27001A | Map SOC 2 controls to ISO 27001 Annex A controls. Shows how SOC 2 compliance overlaps with ISO 27001 certification requirements, enabling organizations pursuing dual compliance to identify shared controls. Args: soc2_series: Specific SOC 2 series to map (e.g. ["CC6", "CC7", "A1"]) focus_principle: Filter by principle: "all", "CC", "A", "PI", "C", or "P" caller: Caller identifier for rate limiting tier: Access tier (free/pro) Behavior: This tool is read-only and stateless — it produces analysis output without modifying any external systems, databases, or files. Safe to call repeatedly with identical inputs (idempotent). Free tier: 10/day rate limit. Pro tier: unlimited. No authentication required for basic usage. When to use: Use this tool when you need to assess, audit, or verify compliance requirements. Ideal for gap analysis, readiness checks, and generating compliance documentation. When NOT to use: Do not use as a substitute for qualified legal counsel. This tool provides technical compliance guidance, not legal advice. |
| readiness_checklistA | SOC 2 Type I/II readiness assessment. Generates a comprehensive pre-audit checklist with timeline, resource requirements, and AI-specific considerations. Args: audit_type: "type1" (point-in-time design) or "type2" (operating effectiveness over time) organization_maturity: "low", "moderate", or "high" — current security maturity ai_system: Whether the service includes AI/ML components current_certifications: Existing certifications that provide head start (e.g. ["ISO27001", "GDPR"]) caller: Caller identifier for rate limiting tier: Access tier (free/pro) Behavior: This tool generates structured output without modifying external systems. Output is deterministic for identical inputs. No side effects. Free tier: 10/day rate limit. Pro tier: unlimited. No authentication required for basic usage. When to use: Use this tool when you need to assess, audit, or verify compliance requirements. Ideal for gap analysis, readiness checks, and generating compliance documentation. When NOT to use: Do not use as a substitute for qualified legal counsel. This tool provides technical compliance guidance, not legal advice. |
Prompts
Interactive templates invoked by user choice
| Name | Description |
|---|---|
No prompts | |
Resources
Contextual data attached and managed by the client
| Name | Description |
|---|---|
No resources | |
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/CSOAI-ORG/soc2-compliance-ai-mcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server