generate_control_matrix
Generate a SOC 2 control matrix mapping control objectives, criteria, activities, and evidence requirements for compliance audits and internal documentation.
Instructions
Generate a SOC 2 control matrix with control objectives, criteria, control activities, and evidence requirements. Suitable for auditor preparation and internal control documentation.
Args: organization_name: Name of the organization principles_in_scope: Which principles to include (default all 5) include_evidence: Whether to include detailed evidence requirements caller: Caller identifier for rate limiting tier: Access tier (free/pro)
Behavior: This tool generates structured output without modifying external systems. Output is deterministic for identical inputs. No side effects. Free tier: 10/day rate limit. Pro tier: unlimited. No authentication required for basic usage.
When to use: Use this tool when you need to assess, audit, or verify compliance requirements. Ideal for gap analysis, readiness checks, and generating compliance documentation.
When NOT to use: Do not use as a substitute for qualified legal counsel. This tool provides technical compliance guidance, not legal advice. Behavioral Transparency: - Side Effects: This tool is read-only and produces no side effects. It does not modify any external state, databases, or files. All output is computed in-memory and returned directly to the caller. - Authentication: No authentication required for basic usage. Pro/Enterprise tiers require a valid MEOK API key passed via the MEOK_API_KEY environment variable. - Rate Limits: Free tier: 10 calls/day. Pro tier: unlimited. Rate limit headers are included in responses (X-RateLimit-Remaining, X-RateLimit-Reset). - Error Handling: Returns structured error objects with 'error' key on failure. Never raises unhandled exceptions. Invalid inputs return descriptive validation errors. - Idempotency: Fully idempotent — calling with the same inputs always produces the same output. Safe to retry on timeout or transient failure. - Data Privacy: No input data is stored, logged, or transmitted to external services. All processing happens locally within the MCP server process.
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| tier | No | free | |
| caller | No | anonymous | |
| api_key | No | ||
| include_evidence | No | ||
| organization_name | Yes | ||
| principles_in_scope | No |
Output Schema
| Name | Required | Description | Default |
|---|---|---|---|
| result | Yes |