If you're building AI systems that need to meet EU AI Act or GDPR requirements, this gives you a local SQLite audit log with tamper detection via HMAC hash chains. It exposes MCP tools to log inference calls, data access events, and arbitrary audit entries, then query them back by session or time range. Built-in PII scanning uses Microsoft Presidio to catch and redact EU patterns automatically. You get compliance_check against AI Act Articles 12 and 19 plus GDPR Article 30, and execute_erasure for right-to-be-forgotten requests. Everything stays on disk in a single database file. Useful if you're shipping a desktop app with an LLM and need defensible logs before August 2026 when high-risk obligations kick in.
Tamper-evident audit trail MCP server for EU AI Act and GDPR compliance. Designed to be integrated into a local desktop application via stdio transport.
This server implements technical measures for the following EU regulations:
| Regulation | Articles | What it requires |
|---|---|---|
| EU AI Act (2024/1689) | Art. 12 | Automatic recording of events (logs) for high-risk AI systems |
| EU AI Act (2024/1689) | Art. 19 | Retention of automatically generated logs for at least 6 months |
| GDPR (2016/679) | Art. 17 | Right to erasure of personal data ("right to be forgotten") |
| GDPR (2016/679) | Art. 30 | Records of processing activities, including purposes and data categories |
The EU AI Act high-risk obligations enter into force on 2 August 2026.
See LEGAL_REFERENCES.md for the full article texts and a detailed mapping of how each tool addresses each requirement.
Disclaimer: This tool provides a technical checklist, not legal advice. Consult qualified legal counsel for compliance decisions.
```bash
pip install -e ".[dev]"
python -m eu_audit_mcp.server
```
```json
{
  "mcpServers": {
    "eu-audit": {
      "command": "python",
      "args": ["-m", "eu_audit_mcp.server"],
      "env": {
        "AUDIT_CONFIG": "./audit_config.yaml"
      }
    }
  }
}
```
```bash
pytest tests/
```
| Tool | Description |
|---|---|
| log_event | Record an audit event with automatic PII scanning |
| log_inference | Log an LLM inference call (model, tokens, cost) |
| log_data_access | Log a document/data access event |
| query_log | Search events by time range, type, session |
| get_session_trace | Full ordered trace of a session |
| get_stats | Summary statistics over a time period |
| compliance_check | Check against EU AI Act Art. 12/19 and GDPR Art. 30 |
| execute_erasure | GDPR Article 17 right-to-erasure |
| get_pii_summary | Summary of detected PII types (counts only) |
| verify_chain | Verify hash chain integrity |
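The tamper detection behind `verify_chain` is an HMAC hash chain: each row's MAC covers the previous row's MAC plus the row itself, keyed with the `chain_secret`. The following is an added illustration of that mechanism, not code from eu_audit_mcp; the table layout, the `GENESIS` value, the secret and the sample events are all constructed for the example, and the project's real schema may differ. It builds a small SQLite log, then shows what the chain does and does not catch: an edited row, a deleted middle row, and a truncated tail (which only the externally recorded chain head reveals).

```python
import hashlib
import hmac
import json
import sqlite3
from typing import Optional, Tuple

# Constructed secret for this example only. A real deployment loads chain_secret
# from configuration kept out of version control, never from source.
CHAIN_SECRET = b"example-chain-secret-do-not-reuse"
GENESIS = "0" * 64  # link value the first entry is chained to (assumed convention)


def canonical(obj) -> bytes:
    # Deterministic serialisation so verification MACs exactly the bytes append did.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def link_mac(prev_mac: str, entry: dict, secret: bytes = CHAIN_SECRET) -> str:
    # HMAC-SHA256 over (previous link, entry). Each link covers the one before it,
    # so editing, reordering or removing an earlier row breaks every later link,
    # and without the secret the links cannot be recomputed to hide that.
    h = hmac.new(secret, digestmod=hashlib.sha256)
    h.update(prev_mac.encode())
    h.update(b"\n")
    h.update(canonical(entry))
    return h.hexdigest()


def open_log(path: str = ":memory:") -> sqlite3.Connection:
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE IF NOT EXISTS audit_log ("
        "id INTEGER PRIMARY KEY AUTOINCREMENT, event_type TEXT NOT NULL, "
        "session_id TEXT NOT NULL, payload TEXT NOT NULL, "
        "prev_mac TEXT NOT NULL, mac TEXT NOT NULL)"
    )
    return conn


def append_event(conn: sqlite3.Connection, event_type: str, session_id: str, payload: dict) -> str:
    row = conn.execute("SELECT mac FROM audit_log ORDER BY id DESC LIMIT 1").fetchone()
    prev_mac = row[0] if row else GENESIS
    entry = {"event_type": event_type, "session_id": session_id, "payload": payload}
    mac = link_mac(prev_mac, entry)
    conn.execute(
        "INSERT INTO audit_log (event_type, session_id, payload, prev_mac, mac) VALUES (?, ?, ?, ?, ?)",
        (event_type, session_id, canonical(payload).decode(), prev_mac, mac),
    )
    conn.commit()
    # The returned MAC is the chain head; keep the latest one somewhere the
    # log writer cannot modify so that truncation is detectable later.
    return mac


def verify_chain(conn: sqlite3.Connection, expected_head: Optional[str] = None,
                 secret: bytes = CHAIN_SECRET) -> Tuple[bool, Optional[int]]:
    # Recomputes every link in insertion order. Returns (True, None) when intact,
    # otherwise (False, id of the first row whose link does not verify).
    # A deleted row surfaces at the next row, whose prev_mac no longer matches.
    # Dropping the newest rows leaves a valid shorter chain, so that case is only
    # caught when the caller supplies the chain head recorded earlier.
    prev = GENESIS
    last_id = None
    for row_id, event_type, session_id, payload, prev_mac, mac in conn.execute(
        "SELECT id, event_type, session_id, payload, prev_mac, mac FROM audit_log ORDER BY id"
    ):
        entry = {"event_type": event_type, "session_id": session_id, "payload": json.loads(payload)}
        if prev_mac != prev or not hmac.compare_digest(mac, link_mac(prev_mac, entry, secret)):
            return False, row_id
        prev, last_id = mac, row_id
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return False, last_id
    return True, None


def demo() -> dict:
    # Constructed sample events; each scenario starts from a fresh log.
    def populated():
        conn = open_log()
        append_event(conn, "inference", "sess-1", {"model": "example-model", "tokens": 120})
        append_event(conn, "data_access", "sess-1", {"document": "quarterly-report.pdf"})
        head = append_event(conn, "inference", "sess-2", {"model": "example-model", "tokens": 40})
        return conn, head

    results = {}
    conn, head = populated()
    results["intact"] = verify_chain(conn, head)

    # A write to the database that bypasses append_event: detected at that row.
    conn, head = populated()
    conn.execute("UPDATE audit_log SET payload = ? WHERE id = 2",
                 (canonical({"document": "nothing.pdf"}).decode(),))
    conn.commit()
    results["edited"] = verify_chain(conn, head)

    # A removed middle row: detected at the row that followed it.
    conn, head = populated()
    conn.execute("DELETE FROM audit_log WHERE id = 2")
    conn.commit()
    results["deleted"] = verify_chain(conn, head)

    # A removed newest row: the chain alone still verifies; the recorded head does not.
    conn, head = populated()
    conn.execute("DELETE FROM audit_log WHERE id = 3")
    conn.commit()
    results["truncated_no_head"] = verify_chain(conn)
    results["truncated_with_head"] = verify_chain(conn, head)
    return results


if __name__ == "__main__":
    print(demo())
```

The last scenario is the caveat worth remembering when reading `verify_chain` results: a hash chain proves the surviving rows are consistent with each other, not that the log is complete. Anchoring the current head outside the database (a separate file with different permissions, a periodic export, or a signed timestamp) is what turns "consistent" into "complete".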
Copy the example config and customize:
```bash
cp audit_config.example.yaml audit_config.yaml
```
Set the AUDIT_CONFIG environment variable to point to your config file. Do not commit audit_config.yaml if it contains a chain_secret — it is in .gitignore by default.
See SECURITY.md for the threat model, security measures, and vulnerability reporting.
Apache-2.0
| Variable | Description |
|---|---|
| AUDIT_CONFIG | Path to the YAML configuration file |