risk_assessment
Identify and assess SOC 2 risks using AICPA guidelines. Evaluates system descriptions and service commitments to map risks to control requirements.
Instructions
SOC 2 risk assessment per AICPA guidelines. Identifies risks to Trust Service Criteria, assesses likelihood and impact, and maps to specific SOC 2 control requirements.
Args: system_description: Description of the service organization and its systems service_commitments: System Description service commitments (SLAs, security guarantees) known_risks: Already identified risks to evaluate ai_specific: Whether to include AI-specific risk factors caller: Caller identifier for rate limiting tier: Access tier (free/pro)
Behavior: This tool is read-only and stateless — it produces analysis output without modifying any external systems, databases, or files. Safe to call repeatedly with identical inputs (idempotent). Free tier: 10/day rate limit. Pro tier: unlimited. No authentication required for basic usage.
When to use: Use this tool when you need to assess, audit, or verify compliance requirements. Ideal for gap analysis, readiness checks, and generating compliance documentation.
When NOT to use: Do not use as a substitute for qualified legal counsel. This tool provides technical compliance guidance, not legal advice. Behavioral Transparency: - Side Effects: This tool is read-only and produces no side effects. It does not modify any external state, databases, or files. All output is computed in-memory and returned directly to the caller. - Authentication: No authentication required for basic usage. Pro/Enterprise tiers require a valid MEOK API key passed via the MEOK_API_KEY environment variable. - Rate Limits: Free tier: 10 calls/day. Pro tier: unlimited. Rate limit headers are included in responses (X-RateLimit-Remaining, X-RateLimit-Reset). - Error Handling: Returns structured error objects with 'error' key on failure. Never raises unhandled exceptions. Invalid inputs return descriptive validation errors. - Idempotency: Fully idempotent — calling with the same inputs always produces the same output. Safe to retry on timeout or transient failure. - Data Privacy: No input data is stored, logged, or transmitted to external services. All processing happens locally within the MCP server process.
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| tier | No | free | |
| caller | No | anonymous | |
| api_key | No | ||
| ai_specific | No | ||
| known_risks | No | ||
| system_description | Yes | ||
| service_commitments | Yes |
Output Schema
| Name | Required | Description | Default |
|---|---|---|---|
| result | Yes |