Tamper-evident audit trail MCP server for EU AI Act and GDPR compliance
Project description
eu-audit-mcp
Tamper-evident audit trail MCP server for EU AI Act and GDPR compliance. Designed to be integrated into a local desktop application via stdio transport.
Features
- Tamper-evident logging — HMAC-SHA256 hash chain over all events
- PII scanning — Automatic detection and redaction via Microsoft Presidio (EU patterns)
- GDPR erasure — Article 17 right-to-erasure support with audit trail
- Compliance checks — Technical checklist against EU AI Act Articles 12/19 and GDPR Article 30
- Local-first — All data stays on your machine in a single SQLite file
Regulatory context
This server implements technical measures for the following EU regulations:
| Regulation | Articles | What it requires |
|---|---|---|
| EU AI Act (2024/1689) | Art. 12 | Automatic recording of events (logs) for high-risk AI systems |
| | Art. 19 | Retention of automatically generated logs for at least 6 months |
| GDPR (2016/679) | Art. 17 | Right to erasure of personal data ("right to be forgotten") |
| | Art. 30 | Records of processing activities, including purposes and data categories |
The EU AI Act high-risk obligations enter into force on 2 August 2026.
See LEGAL_REFERENCES.md for the full article texts and a detailed mapping of how each tool addresses each requirement.
Disclaimer: This tool provides a technical checklist, not legal advice. Consult qualified legal counsel for compliance decisions.
Quick start
pip install -e ".[dev]"
Run the server (stdio)
python -m eu_audit_mcp.server
MCP client configuration
{
  "mcpServers": {
    "eu-audit": {
      "command": "python",
      "args": ["-m", "eu_audit_mcp.server"],
      "env": {
        "AUDIT_CONFIG": "./audit_config.yaml"
      }
    }
  }
}
Run tests
pytest tests/
MCP Tools
| Tool | Description |
|---|---|
| log_event | Record an audit event with automatic PII scanning |
| log_inference | Log an LLM inference call (model, tokens, cost) |
| log_data_access | Log a document/data access event |
| query_log | Search events by time range, type, session |
| get_session_trace | Full ordered trace of a session |
| get_stats | Summary statistics over a time period |
| compliance_check | Check against EU AI Act Art. 12/19 and GDPR Art. 30 |
| execute_erasure | GDPR Article 17 right-to-erasure |
| get_pii_summary | Summary of detected PII types (counts only) |
| verify_chain | Verify hash chain integrity |
Configuration
Copy the example config and customize:
cp audit_config.example.yaml audit_config.yaml
Set the AUDIT_CONFIG environment variable to point to your config file. Do not commit audit_config.yaml if it contains a chain_secret — it is in .gitignore by default.
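To illustrate what an HMAC-SHA256 hash chain and a verify_chain-style check do, and why the chain_secret must stay private, here is an added sketch; it is not the project's own code. The entry fields (seq, prev, event, mac), the genesis value, the JSON canonicalisation and the expected_head parameter are assumptions made for this example.

```python
import copy
import hashlib
import hmac
import json

GENESIS = "0" * 64  # assumed "previous MAC" for the first entry

def _mac(secret, prev, seq, event):
    # Canonical JSON: identical events always serialise to identical bytes.
    body = json.dumps({"seq": seq, "prev": prev, "event": event},
                      sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(secret, body, hashlib.sha256).hexdigest()

def append(chain, secret, event):
    prev = chain[-1]["mac"] if chain else GENESIS
    seq = len(chain)
    chain.append({"seq": seq, "prev": prev, "event": event,
                  "mac": _mac(secret, prev, seq, event)})

def verify(chain, secret, expected_head=None):
    """Return (ok, index of first bad entry or None)."""
    prev = GENESIS
    for i, e in enumerate(chain):
        want = _mac(secret, prev, i, e["event"])
        if (e["seq"] != i or e["prev"] != prev
                or not hmac.compare_digest(want, e["mac"])):
            return False, i
        prev = e["mac"]
    # Cutting entries off the tail leaves a shorter chain that still verifies;
    # only a head MAC kept outside the log exposes that.
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return False, len(chain)
    return True, None

def demo():
    secret = b"constructed-demo-secret"  # constructed; stands in for chain_secret
    chain = []
    for ev in ({"type": "inference", "model": "m1"},   # constructed events
               {"type": "data_access", "doc": "d7"},
               {"type": "erasure", "subject": "s3"}):
        append(chain, secret, ev)
    head = chain[-1]["mac"]
    edited = copy.deepcopy(chain)
    edited[1]["event"]["doc"] = "d8"
    return {"intact": verify(chain, secret, head),
            "edited": verify(edited, secret),
            "deleted": verify(chain[:1] + chain[2:], secret),
            "truncated": verify(chain[:2], secret),
            "truncated_with_head": verify(chain[:2], secret, head)}
```

Because every MAC is keyed, anyone who obtains the secret can rewrite history and recompute a chain that verifies, which is why the config file holding it should stay out of version control.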
Security
See SECURITY.md for the threat model, security measures, and vulnerability reporting.
License
Apache-2.0
File details
Details for the file eu_audit_mcp-0.1.1.tar.gz.
File metadata
- Download URL: eu_audit_mcp-0.1.1.tar.gz
- Upload date:
- Size: 25.2 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 60ecbc0f4c82026d02a1d3490406e3811fb233643e6c24158e75ecd3af113442 |
| MD5 | 9a6632b421607d1a38826180a3506bf6 |
| BLAKE2b-256 | a4a3eca9d4dcf32208bfe767fd9fc9c73f359d034ebbd9020f6bfe14c79bd31f |
Provenance
The following attestation bundles were made for eu_audit_mcp-0.1.1.tar.gz:
Publisher: publish.yml on jellewas/eu-audit-mcp
- Statement type: https://in-toto.io/Statement/v1
- Predicate type: https://docs.pypi.org/attestations/publish/v1
- Subject name: eu_audit_mcp-0.1.1.tar.gz
- Subject digest: 60ecbc0f4c82026d02a1d3490406e3811fb233643e6c24158e75ecd3af113442
- Sigstore transparency entry: 1004368618
- Sigstore integration time:
- Permalink: jellewas/eu-audit-mcp@3a22ddf0f9cd35a7940ebe0f1b0b8bc71d125561
- Branch / Tag: refs/tags/v0.1.1
- Owner: https://github.com/jellewas
- Access: public
- Token Issuer: https://token.actions.githubusercontent.com
- Runner Environment: github-hosted
- Publication workflow: publish.yml@3a22ddf0f9cd35a7940ebe0f1b0b8bc71d125561
- Trigger Event: release
File details
Details for the file eu_audit_mcp-0.1.1-py3-none-any.whl.
File metadata
- Download URL: eu_audit_mcp-0.1.1-py3-none-any.whl
- Upload date:
- Size: 18.4 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | ec538990a8f2aa8ae65ac3236e71328d4da289ae878f8454761884aa337a709b |
| MD5 | 1ae36a236b18aaaa8403a0f31a59e331 |
| BLAKE2b-256 | e612418fe4363b7018ec4ad9ae8a93b42609f9c29d9c69ce2f80bc25c44af20b |
Provenance
The following attestation bundles were made for eu_audit_mcp-0.1.1-py3-none-any.whl:
Publisher: publish.yml on jellewas/eu-audit-mcp
- Statement type: https://in-toto.io/Statement/v1
- Predicate type: https://docs.pypi.org/attestations/publish/v1
- Subject name: eu_audit_mcp-0.1.1-py3-none-any.whl
- Subject digest: ec538990a8f2aa8ae65ac3236e71328d4da289ae878f8454761884aa337a709b
- Sigstore transparency entry: 1004368622
- Sigstore integration time:
- Permalink: jellewas/eu-audit-mcp@3a22ddf0f9cd35a7940ebe0f1b0b8bc71d125561
- Branch / Tag: refs/tags/v0.1.1
- Owner: https://github.com/jellewas
- Access: public
- Token Issuer: https://token.actions.githubusercontent.com
- Runner Environment: github-hosted
- Publication workflow: publish.yml@3a22ddf0f9cd35a7940ebe0f1b0b8bc71d125561
- Trigger Event: release