Security at ClawProd

Data Handling

ClawProd processes skill source code, test results, security scan findings, and CI/CD pipeline artifacts. Source code is only accessed during pipeline execution and is not stored beyond the build lifecycle. Security scan results are retained for audit purposes and automatically purged after 90 days.

Encryption

All data is encrypted in transit (TLS 1.3) and at rest (AES-256). API keys and credentials are stored using industry-standard secret management.

Infrastructure

ClawProd is hosted on European infrastructure. Application containers are isolated per deployment. There is no shared tenancy between customers.

Access Control

CI/CD pipelines run in ephemeral, isolated containers that are destroyed after each build. Git repository access uses scoped deploy keys with read-only permissions. Pipeline secrets are injected at runtime and never written to disk. Publishing to skill registries requires signed builds.

Compliance Roadmap

  • SOC 2 Type I — targeting Q3 2026
  • GDPR — compliant by design (EU hosting, data minimization, right to deletion)
  • SLSA Level 2 — build provenance and signed artifacts

Responsible Disclosure

Found a vulnerability? Email security@clawprod.com. We respond within 48 hours.

Questions

For security inquiries, contact security@clawprod.com.