Skip to main content
Glama
CSOAI-ORG

SOC2 Compliance AI MCP

Official

Server Configuration

Describes the environment variables required to run the server.

NameRequiredDescriptionDefault

No arguments

Capabilities

Features and capabilities supported by this server

CapabilityDetails
tools
{
  "listChanged": false
}
prompts
{
  "listChanged": false
}
resources
{
  "subscribe": false,
  "listChanged": false
}
experimental
{}

Tools

Functions exposed to the LLM to take actions

NameDescription
assess_trust_principlesA

Audit an AI system against the 5 SOC 2 Trust Service Criteria: Security (Common Criteria), Availability, Processing Integrity, Confidentiality, and Privacy. Returns compliance status per principle with AI-specific findings.

Args: system_description: Description of the AI system or service being assessed principles_in_scope: Which principles to assess (default all 5): ["CC", "A", "PI", "C", "P"] controls_implemented: Dict mapping criteria series to implemented controls, e.g. {"CC6": ["CC6.1", "CC6.2"]} caller: Caller identifier for rate limiting tier: Access tier (free/pro)

Behavior: This tool is read-only and stateless — it produces analysis output without modifying any external systems, databases, or files. Safe to call repeatedly with identical inputs (idempotent). Free tier: 10/day rate limit. Pro tier: unlimited. No authentication required for basic usage.

When to use: Use this tool when you need to assess, audit, or verify compliance requirements. Ideal for gap analysis, readiness checks, and generating compliance documentation.

When NOT to use: Do not use as a substitute for qualified legal counsel. This tool provides technical compliance guidance, not legal advice.

control_gap_analysisA

Gap analysis against SOC 2 controls. Compares implemented controls to required criteria and produces a prioritized remediation plan.

Args: implemented_controls: List of implemented SOC 2 criteria IDs (e.g. ["CC1.1", "CC6.1", "A1.1"]) target_type: "type1" (point-in-time) or "type2" (period of time, requires operational evidence) principles_in_scope: Filter to specific principles ["CC", "A", "PI", "C", "P"] caller: Caller identifier for rate limiting tier: Access tier (free/pro)

Behavior: This tool generates structured output without modifying external systems. Output is deterministic for identical inputs. No side effects. Free tier: 10/day rate limit. Pro tier: unlimited. No authentication required for basic usage.

When to use: Use this tool when you need to assess, audit, or verify compliance requirements. Ideal for gap analysis, readiness checks, and generating compliance documentation.

When NOT to use: Do not use as a substitute for qualified legal counsel. This tool provides technical compliance guidance, not legal advice.

generate_control_matrixA

Generate a SOC 2 control matrix with control objectives, criteria, control activities, and evidence requirements. Suitable for auditor preparation and internal control documentation.

Args: organization_name: Name of the organization principles_in_scope: Which principles to include (default all 5) include_evidence: Whether to include detailed evidence requirements caller: Caller identifier for rate limiting tier: Access tier (free/pro)

Behavior: This tool generates structured output without modifying external systems. Output is deterministic for identical inputs. No side effects. Free tier: 10/day rate limit. Pro tier: unlimited. No authentication required for basic usage.

When to use: Use this tool when you need to assess, audit, or verify compliance requirements. Ideal for gap analysis, readiness checks, and generating compliance documentation.

When NOT to use: Do not use as a substitute for qualified legal counsel. This tool provides technical compliance guidance, not legal advice. Behavioral Transparency: - Side Effects: This tool is read-only and produces no side effects. It does not modify any external state, databases, or files. All output is computed in-memory and returned directly to the caller. - Authentication: No authentication required for basic usage. Pro/Enterprise tiers require a valid MEOK API key passed via the MEOK_API_KEY environment variable. - Rate Limits: Free tier: 10 calls/day. Pro tier: unlimited. Rate limit headers are included in responses (X-RateLimit-Remaining, X-RateLimit-Reset). - Error Handling: Returns structured error objects with 'error' key on failure. Never raises unhandled exceptions. Invalid inputs return descriptive validation errors. - Idempotency: Fully idempotent — calling with the same inputs always produces the same output. Safe to retry on timeout or transient failure. - Data Privacy: No input data is stored, logged, or transmitted to external services. All processing happens locally within the MCP server process.

risk_assessmentA

SOC 2 risk assessment per AICPA guidelines. Identifies risks to Trust Service Criteria, assesses likelihood and impact, and maps to specific SOC 2 control requirements.

Args: system_description: Description of the service organization and its systems service_commitments: System Description service commitments (SLAs, security guarantees) known_risks: Already identified risks to evaluate ai_specific: Whether to include AI-specific risk factors caller: Caller identifier for rate limiting tier: Access tier (free/pro)

Behavior: This tool is read-only and stateless — it produces analysis output without modifying any external systems, databases, or files. Safe to call repeatedly with identical inputs (idempotent). Free tier: 10/day rate limit. Pro tier: unlimited. No authentication required for basic usage.

When to use: Use this tool when you need to assess, audit, or verify compliance requirements. Ideal for gap analysis, readiness checks, and generating compliance documentation.

When NOT to use: Do not use as a substitute for qualified legal counsel. This tool provides technical compliance guidance, not legal advice. Behavioral Transparency: - Side Effects: This tool is read-only and produces no side effects. It does not modify any external state, databases, or files. All output is computed in-memory and returned directly to the caller. - Authentication: No authentication required for basic usage. Pro/Enterprise tiers require a valid MEOK API key passed via the MEOK_API_KEY environment variable. - Rate Limits: Free tier: 10 calls/day. Pro tier: unlimited. Rate limit headers are included in responses (X-RateLimit-Remaining, X-RateLimit-Reset). - Error Handling: Returns structured error objects with 'error' key on failure. Never raises unhandled exceptions. Invalid inputs return descriptive validation errors. - Idempotency: Fully idempotent — calling with the same inputs always produces the same output. Safe to retry on timeout or transient failure. - Data Privacy: No input data is stored, logged, or transmitted to external services. All processing happens locally within the MCP server process.

crosswalk_to_iso27001A

Map SOC 2 controls to ISO 27001 Annex A controls. Shows how SOC 2 compliance overlaps with ISO 27001 certification requirements, enabling organizations pursuing dual compliance to identify shared controls.

Args: soc2_series: Specific SOC 2 series to map (e.g. ["CC6", "CC7", "A1"]) focus_principle: Filter by principle: "all", "CC", "A", "PI", "C", or "P" caller: Caller identifier for rate limiting tier: Access tier (free/pro)

Behavior: This tool is read-only and stateless — it produces analysis output without modifying any external systems, databases, or files. Safe to call repeatedly with identical inputs (idempotent). Free tier: 10/day rate limit. Pro tier: unlimited. No authentication required for basic usage.

When to use: Use this tool when you need to assess, audit, or verify compliance requirements. Ideal for gap analysis, readiness checks, and generating compliance documentation.

When NOT to use: Do not use as a substitute for qualified legal counsel. This tool provides technical compliance guidance, not legal advice.

readiness_checklistA

SOC 2 Type I/II readiness assessment. Generates a comprehensive pre-audit checklist with timeline, resource requirements, and AI-specific considerations.

Args: audit_type: "type1" (point-in-time design) or "type2" (operating effectiveness over time) organization_maturity: "low", "moderate", or "high" — current security maturity ai_system: Whether the service includes AI/ML components current_certifications: Existing certifications that provide head start (e.g. ["ISO27001", "GDPR"]) caller: Caller identifier for rate limiting tier: Access tier (free/pro)

Behavior: This tool generates structured output without modifying external systems. Output is deterministic for identical inputs. No side effects. Free tier: 10/day rate limit. Pro tier: unlimited. No authentication required for basic usage.

When to use: Use this tool when you need to assess, audit, or verify compliance requirements. Ideal for gap analysis, readiness checks, and generating compliance documentation.

When NOT to use: Do not use as a substitute for qualified legal counsel. This tool provides technical compliance guidance, not legal advice.

Prompts

Interactive templates invoked by user choice

NameDescription

No prompts

Resources

Contextual data attached and managed by the client

NameDescription

No resources

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/CSOAI-ORG/soc2-compliance-ai-mcp'

If you have feedback or need assistance with the MCP directory API, please join our Discord server