MCP Server
Connect any MCP-compatible AI client to your VendorTrace vendor portfolio.
What this is
The VendorTrace MCP server lets Claude Desktop, Cursor, Windsurf, and other MCP-compatible AI clients query your live vendor portfolio. Once connected, you can ask questions in plain language and the AI retrieves real data from your account.
The server exposes 7 tools covering transfer risks, infrastructure change detection, vendor scanning, and questionnaire status. It reads from your account in real time. No data is cached or stored by the MCP server itself.
Prerequisites
- A VendorTrace account on the Business, Team, or Enterprise plan.
- An API key created at Account / API Keys. Copy the key when it is shown. It will not be displayed again.
- Node.js 18 or later installed on your machine.
Claude Desktop
Open your Claude Desktop configuration file and add the VendorTrace server under mcpServers.
Config file location: ~/Library/Application Support/Claude/claude_desktop_config.json (macOS) or %APPDATA%\Claude\claude_desktop_config.json (Windows)
```json
{
  "mcpServers": {
    "vendortrace": {
      "command": "npx",
      "args": ["-y", "@vendortrace/mcp"],
      "env": {
        "VENDORTRACE_API_KEY": "vt_your_api_key_here"
      }
    }
  }
}
```
Restart Claude Desktop after saving. You should see VendorTrace listed under connected tools.
Cursor
Open Cursor Settings, go to MCP, and click Add MCP Server. Add the following JSON, replacing the placeholder with your API key.
```json
{
  "name": "vendortrace",
  "type": "stdio",
  "command": "npx",
  "args": ["-y", "@vendortrace/mcp"],
  "env": {
    "VENDORTRACE_API_KEY": "vt_your_api_key_here"
  }
}
```
The server will appear in the MCP panel once saved.
Windsurf
Edit ~/.codeium/windsurf/mcp_config.json and add VendorTrace under mcpServers:
```json
{
  "mcpServers": {
    "vendortrace": {
      "command": "npx",
      "args": ["-y", "@vendortrace/mcp"],
      "env": {
        "VENDORTRACE_API_KEY": "vt_your_api_key_here"
      }
    }
  }
}
```
Restart Windsurf to load the new server configuration.
Available tools
The server exposes 7 tools. The AI selects which tools to call based on your question.
| Tool | What it does | Parameters |
|---|---|---|
| get_compliance_summary | High-level briefing across your entire portfolio. Combines transfer risk totals, unreviewed infrastructure changes, and pending questionnaires. Best first tool to call. | None |
| list_vendors | List all tracked vendors with their transfer risk and HQ country. | search (optional) |
| get_vendor | Detailed view of a single vendor: latest scan findings, detected sub-processors, serving regions, and transfer risk. | domain (required) |
| scan_vendor | Trigger a new scan for a domain. Can wait for the result or return immediately with a scan ID. | domain (required), wait (optional) |
| get_vendor_changes | Infrastructure changes detected across tracked vendors: new vendors added, countries added or removed. | domain, unreviewedOnly (both optional) |
| get_transfer_risks | Portfolio-wide transfer risk breakdown. Shows vendor counts by category, top HQ countries, and vendors with no transfer mechanism. | None |
| list_questionnaires | List vendor questionnaires you have sent. Shows status, vendor name, and open discrepancies. | domain, status (both optional) |
Example prompts
Ask the AI anything about your vendor portfolio using natural language:
- "Give me a compliance briefing across my vendor portfolio."
- "Which vendors have no data transfer mechanism in place?"
- "Show me unreviewed infrastructure changes."
- "Scan stripe.com and summarise the sub-processors it detected."
- "Which questionnaires are still waiting for a response?"
- "List all vendors headquartered outside the EEA and explain the transfer risk for each."
- "Which vendor changes were flagged as high risk and have not been reviewed?"
Notes
- The AI reads live data from your account. Actions like scanning a domain consume scan credits.
- API keys do not expire unless you set an expiry date or revoke them manually. Treat them like passwords. Revoke unused keys from Account / API Keys.
- The MCP server is read-only for all operations except scan_vendor, which triggers a new scan.
- AI-generated interpretations of compliance data should be reviewed by a qualified DPO or legal team before acting on them.
