# πŸ›‘οΈ Compliance GRC MCP Server β€” 2026 Complete Version ## πŸ’‘ What This Unlocks **This MCP server gives AI direct access to your entire compliance and GRC infrastructure through Vanta and Drata.** Stop clicking through dashboardsβ€”just *tell* the AI what you need to know about your compliance posture. This server integrates with two leading compliance automation platforms: - **Vanta**: Automated compliance for SOC2, HIPAA, GDPR, ISO 27001 - **Drata**: Continuous compliance monitoring and audit readiness Perfect for security teams, compliance officers, and organizations managing multiple compliance frameworks. ### 🎯 Compliance Automation Power Moves Stop context-switching between Claude and compliance dashboards. The AI can directly monitor and report on your compliance status: 1. **Real-time compliance monitoring** β€” "What's our current SOC2 readiness score? Show me any failing controls." 2. **Vulnerability management** β€” "List all critical vulnerabilities from the last 7 days across both Vanta and Drata, group by source" 3. **Audit preparation** β€” "Generate a summary of all evidence collected this month for HIPAA controls" 4. **Risk assessment** β€” "Show me all high-severity open risks and their assigned owners" 5. **Vendor risk management** β€” "List all high-risk vendors that haven't been reviewed in 90 days" 6. **Personnel compliance** β€” "Which employees haven't completed security training? Cross-reference with both platforms" 7. 
**Multi-framework overview** β€” "Compare our readiness across SOC2, HIPAA, and GDPR frameworks" ### πŸ”— The Real Power: Cross-Platform Intelligence AI can analyze data from both Vanta and Drata simultaneously: - Compare control implementations across platforms β†’ Identify gaps β†’ Generate remediation plan - Aggregate vulnerabilities from both systems β†’ Prioritize by risk β†’ Create action items - Cross-reference evidence collection β†’ Find redundancies β†’ Optimize compliance workflows - Monitor compliance trends β†’ Predict audit readiness β†’ Alert on degradation ## πŸ“¦ What's Inside **17 powerful API tools** covering both Vanta and Drata compliance platforms: ### Vanta Tools (8 tools) 1. **list_vanta_controls** β€” List all compliance controls (SOC2, HIPAA, GDPR, ISO 27001) 2. **get_vanta_control** β€” Get detailed control information and status 3. **list_vanta_tests** β€” List compliance tests and their results 4. **list_vanta_vulnerabilities** β€” List security vulnerabilities by severity 5. **list_vanta_evidence** β€” List collected compliance evidence 6. **list_vanta_users** β€” List users and access levels 7. **list_vanta_integrations** β€” List active integrations (AWS, GitHub, etc.) 8. **get_vanta_compliance_status** β€” Get overall compliance readiness summary ### Drata Tools (9 tools) 1. **list_drata_controls** β€” List all compliance controls 2. **get_drata_control** β€” Get detailed control information 3. **list_drata_personnel** β€” List personnel and their compliance status 4. **list_drata_vendors** β€” List third-party vendors and risk levels 5. **list_drata_risks** β€” List identified risks by severity 6. **list_drata_assets** β€” List IT assets (servers, databases, applications) 7. **list_drata_frameworks** β€” List configured compliance frameworks 8. **list_drata_evidence** β€” List collected compliance evidence 9. 
**get_drata_compliance_summary** β€” Get overall compliance summary All with proper error handling, automatic authentication, and TypeScript types. **API Foundations:** - [Vanta API](https://api.vanta.com) (OAuth2 client_credentials) - [Drata API](https://public-api.drata.com) (Bearer token) ## πŸš€ Quick Start ### Prerequisites **Vanta Setup:** 1. Log into your [Vanta dashboard](https://app.vanta.com) 2. Go to **Settings β†’ Integrations β†’ API** 3. Create a new OAuth2 application 4. Note your **Client ID** and **Client Secret** 5. Grant appropriate permissions (read access to controls, tests, vulnerabilities, evidence) **Drata Setup:** 1. Log into your [Drata dashboard](https://app.drata.com) 2. Go to **Settings β†’ API Keys** 3. Create a new API key with read permissions 4. Copy the API key (shown only once) ### Option 1: Claude Desktop (Local) 1. **Clone and build:** ```bash git clone https://github.com/BusyBee3333/mcpengine.git cd mcpengine/servers/compliance-grc npm install npm run build ``` 2. **Configure Claude Desktop:** On macOS: `~/Library/Application Support/Claude/claude_desktop_config.json` On Windows: `%APPDATA%\Claude\claude_desktop_config.json` ```json { "mcpServers": { "compliance-grc": { "command": "node", "args": ["/ABSOLUTE/PATH/TO/mcpengine/servers/compliance-grc/dist/index.js"], "env": { "VANTA_CLIENT_ID": "your_vanta_client_id", "VANTA_CLIENT_SECRET": "your_vanta_client_secret", "DRATA_API_KEY": "your_drata_api_key" } } } } ``` **Note:** You can configure just Vanta, just Drata, or both. At least one must be configured. 3. **Restart Claude Desktop** ### Option 2: Docker ```bash docker build -t compliance-grc-mcp . 
docker run -p 3000:3000 \
  -e VANTA_CLIENT_ID=your_client_id \
  -e VANTA_CLIENT_SECRET=your_client_secret \
  -e DRATA_API_KEY=your_api_key \
  compliance-grc-mcp
```

## 🔐 Authentication

### Vanta Authentication

- **Method:** OAuth2 (client_credentials flow)
- **Environment Variables:**
  - `VANTA_CLIENT_ID` — Your OAuth2 client ID
  - `VANTA_CLIENT_SECRET` — Your OAuth2 client secret
- **Token Management:** Automatic refresh handled by the MCP server
- **Permissions Required:** Read access to controls, tests, vulnerabilities, evidence, users, integrations

### Drata Authentication

- **Method:** Bearer token (API key)
- **Environment Variable:** `DRATA_API_KEY`
- **Format:** `drata_api_xxx...`
- **Permissions Required:** Read access to controls, personnel, vendors, risks, assets, frameworks, evidence

The MCP server handles all authentication automatically—just set the environment variables.

## 🎯 Example Prompts for Compliance Teams

Once connected to Claude, use natural language. Here are real compliance workflows:

### Compliance Monitoring

- *"What's our current SOC2 compliance status in Vanta? Show me any failing controls."*
- *"List all HIPAA controls in Drata that are unsatisfied, sorted by priority"*
- *"Compare our compliance readiness across SOC2, HIPAA, and GDPR frameworks"*

### Vulnerability Management

- *"Show me all critical and high-severity vulnerabilities from Vanta in the last 30 days"*
- *"List open vulnerabilities grouped by source (AWS, GitHub, GCP)"*
- *"Which vulnerabilities have been open for more than 90 days?"*

### Audit Preparation

- *"Generate a report of all evidence collected this month for SOC2 controls"*
- *"List all compliance tests that failed in the last quarter"*
- *"Show me the status of all controls required for our upcoming HIPAA audit"*

### Risk & Vendor Management

- *"List all high-risk vendors that haven't been reviewed in 6 months"*
- *"Show me all open risks with critical severity and their assigned owners"*
- *"Which vendors have access to production systems? Cross-check with Drata assets."*

### Personnel & Access

- *"List all new employees added in the last 30 days and their training status"*
- *"Show me users with admin access in Vanta"*
- *"Which personnel haven't completed required security training?"*

### Cross-Platform Analysis

- *"Compare control coverage between Vanta and Drata for SOC2"*
- *"Aggregate all evidence collected across both platforms for ISO 27001"*
- *"Show me overlapping integrations between Vanta and Drata"*

### Integration Health

- *"List all Vanta integrations and their status—flag any errors"*
- *"Show me which AWS accounts are being monitored in Vanta"*
- *"Check if GitHub integration is active and pulling vulnerability data"*

## 🛠️ Development

### Prerequisites

- Node.js 18+
- npm or yarn
- Vanta and/or Drata account with API access

### Setup

```bash
git clone https://github.com/BusyBee3333/mcpengine.git
cd mcpengine/servers/compliance-grc
npm install
cp .env.example .env
# Edit .env with your API credentials
npm run build
npm start
```

### Project Structure

```
compliance-grc/
├── src/
│   └── index.ts        # Main server with VantaClient and DrataClient
├── dist/               # Compiled JavaScript
├── package.json
├── tsconfig.json
└── README.md
```

### Environment Variables

Create a `.env` file or set these in your environment:

```bash
# Vanta (OAuth2)
VANTA_CLIENT_ID=your_vanta_client_id
VANTA_CLIENT_SECRET=your_vanta_client_secret

# Drata (API Key)
DRATA_API_KEY=your_drata_api_key
```

**Note:** At least one service must be configured (Vanta, Drata, or both).

## 🐛 Troubleshooting

### "At least one service must be configured"

- You need to set either Vanta credentials (CLIENT_ID + CLIENT_SECRET) or Drata credentials (API_KEY)
- Check that environment variables are set correctly in `claude_desktop_config.json`

### "Vanta OAuth error: 401"

- Verify your `VANTA_CLIENT_ID` and `VANTA_CLIENT_SECRET` are correct
- Check that your OAuth2 app has the required permissions in the Vanta dashboard
- Ensure the OAuth2 app is enabled and not expired

### "Drata API error: 401"

- Verify your `DRATA_API_KEY` is correct and starts with `drata_api_`
- Check that the API key hasn't been revoked or expired
- Ensure the API key has read permissions for all required endpoints

### "Tools not appearing in Claude"

- Restart Claude Desktop after updating config
- Check that the path in `claude_desktop_config.json` is absolute (not relative)
- Verify the build completed: `ls dist/index.js`
- Check Claude Desktop logs: `tail -f ~/Library/Logs/Claude/mcp*.log`

### "Unknown tool: "

- If you only configured Vanta, Drata tools won't be available (and vice versa)
- The server automatically filters tools based on available credentials
- Configure both services to get all 17 tools

### Rate Limits

- **Vanta:** Standard rate limits apply (typically 100 requests/minute)
- **Drata:** API rate limits depend on your plan
- The server handles token refresh automatically for Vanta OAuth2

## 📖 Resources

- **[Vanta API Documentation](https://developer.vanta.com)** — Official Vanta API reference
- **[Drata API Documentation](https://docs.drata.com/api)** — Official Drata API reference
- **[MCP Protocol Spec](https://modelcontextprotocol.io/)** — How MCP servers work
- **[Claude Desktop Docs](https://claude.ai/desktop)** — Installing and configuring Claude
- **[MCPEngage Platform](https://mcpengine.pages.dev)** — Browse 30+ business MCP servers

## 🔒 Security Best Practices

1. **Never commit API keys** — Use environment variables or secure vaults
2. **Least privilege** — Grant only the read permissions needed for compliance monitoring
3. **Rotate keys regularly** — Follow your organization's key rotation policy
4. **Monitor API usage** — Check Vanta/Drata dashboards for unusual activity
5. **Audit access** — Review who has access to compliance data regularly

## 🤝 Contributing

Contributions are welcome! Please:

1. Fork the repo
2. Create a feature branch (`git checkout -b feature/control-remediation`)
3. Commit your changes (`git commit -m 'Add control remediation tool'`)
4. Push to the branch (`git push origin feature/control-remediation`)
5. Open a Pull Request

## 📄 License

MIT License - see [LICENSE](LICENSE) for details

## 🙏 Credits

Built by [MCPEngage](https://mcpengine.pages.dev) — AI infrastructure for business software.

Part of the **MCPEngine** collection covering 30+ business platforms for AI-native compliance, security, and operations.

---

**Questions?** Open an issue or join our [Discord community](https://discord.gg/mcpengage).
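The two behaviours the Authentication and Troubleshooting sections describe, credential-gated tool exposure (the "At least one service must be configured" and "Unknown tool" cases) and automatic Vanta client_credentials token refresh, shown as an added example in plain Node.js; it is not the project's `index.ts`. The token endpoint path, the 60 s refresh margin and the 1 h default lifetime are assumptions, and `fetchFn`/`now` are injected so it runs offline.

```javascript
// Added example (not the project's code): credential-gated tool exposure and a
// client_credentials token cache with early refresh, matching the behaviour the
// README describes. The token endpoint path and 60 s refresh margin are assumptions.
const VANTA_TOOLS = [
  "list_vanta_controls", "get_vanta_control", "list_vanta_tests", "list_vanta_vulnerabilities",
  "list_vanta_evidence", "list_vanta_users", "list_vanta_integrations", "get_vanta_compliance_status",
];
const DRATA_TOOLS = [
  "list_drata_controls", "get_drata_control", "list_drata_personnel", "list_drata_vendors",
  "list_drata_risks", "list_drata_assets", "list_drata_frameworks", "list_drata_evidence",
  "get_drata_compliance_summary",
];

// Expose only the tools whose backend has credentials; refuse to start with none
// (this is the "At least one service must be configured" error from Troubleshooting).
function selectTools(env) {
  const hasVanta = Boolean(env.VANTA_CLIENT_ID && env.VANTA_CLIENT_SECRET);
  const hasDrata = Boolean(env.DRATA_API_KEY);
  if (!hasVanta && !hasDrata) throw new Error("At least one service must be configured");
  return [...(hasVanta ? VANTA_TOOLS : []), ...(hasDrata ? DRATA_TOOLS : [])];
}

// Caches the OAuth2 access token and re-requests it shortly before it expires.
// fetchFn and now() are injected so the logic can be exercised offline.
class VantaTokenCache {
  constructor(clientId, clientSecret, fetchFn, now = () => Date.now()) {
    Object.assign(this, { clientId, clientSecret, fetchFn, now, token: null, expiresAt: 0 });
  }

  async getToken() {
    // Reuse the cached token unless it is within 60 s of expiry.
    if (this.token !== null && this.now() < this.expiresAt - 60_000) return this.token;
    const res = await this.fetchFn("https://api.vanta.com/oauth/token", { // assumed path
      method: "POST",
      headers: { "Content-Type": "application/json" },
      body: JSON.stringify({
        client_id: this.clientId, client_secret: this.clientSecret, grant_type: "client_credentials",
      }),
    });
    if (!res.ok) throw new Error(`Vanta OAuth error: ${res.status}`); // same message as Troubleshooting
    const body = await res.json();
    this.token = body.access_token;
    this.expiresAt = this.now() + (body.expires_in ?? 3600) * 1000; // assume 1 h if omitted
    return this.token;
  }
}
```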