Security

Security is fundamental to Clawmit. We implement industry-standard security practices and regularly audit our systems to protect your data and infrastructure.

Security Features

Encryption

  • TLS 1.3 for all data in transit
  • Database encryption at rest
  • End-to-end encrypted API keys
  • Secure WebSocket (wss://) connections, carried over TLS like every other connection

Authentication

  • JWT-based authentication
  • Bcrypt password hashing with salt
  • Scoped API key system
  • Session management and expiration
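Here is how a scoped API key system of the kind listed above is usually put together, as an added example (it is not Clawmit's code, and the key format, the `cm_` prefix, the scope names and the CIDR allowlist are assumptions, not Clawmit's documented scheme). The server stores only a hash of the secret, looks keys up by a public prefix, compares hashes in constant time, and enforces both the requested scope and the per-key IP allowlist that the Access Control section below mentions:

```python
"""Scoped API keys: issue, store only a hash, verify in constant time,
enforce scopes and an IP allowlist. Added example; not Clawmit's code."""
import hashlib
import hmac
import ipaddress
import secrets
from dataclasses import dataclass

# Assumed key format (not Clawmit's documented format): "cm_<key id>.<secret>".
# The key id is a public lookup handle; only the secret part is sensitive.
KEY_PREFIX = "cm"  # assumption


@dataclass
class StoredKey:
    key_id: str
    secret_hash: bytes      # SHA-256 of the secret; plaintext is never persisted
    scopes: frozenset       # e.g. {"repos:read"}; scope names are assumptions
    allowed_cidrs: tuple    # empty tuple = any source IP


class KeyStore:
    def __init__(self):
        self._keys = {}

    def issue(self, scopes, allowed_cidrs=()):
        """Create a key. The plaintext is returned exactly once and never stored."""
        key_id = secrets.token_hex(6)
        secret = secrets.token_urlsafe(32)
        self._keys[key_id] = StoredKey(
            key_id=key_id,
            secret_hash=hashlib.sha256(secret.encode()).digest(),
            scopes=frozenset(scopes),
            allowed_cidrs=tuple(ipaddress.ip_network(c) for c in allowed_cidrs),
        )
        return f"{KEY_PREFIX}_{key_id}.{secret}"

    def verify(self, presented, required_scope, source_ip):
        """Return the key id if the key is valid for this scope and source IP, else None."""
        try:
            prefixed_id, secret = presented.split(".", 1)
            prefix, key_id = prefixed_id.split("_", 1)
            ip = ipaddress.ip_address(source_ip)
        except ValueError:
            return None
        if prefix != KEY_PREFIX:
            return None
        stored = self._keys.get(key_id)
        # Hash and compare even when the id is unknown, so response timing
        # does not reveal which key ids exist.
        digest = hashlib.sha256(secret.encode()).digest()
        expected = stored.secret_hash if stored else bytes(32)
        secret_ok = hmac.compare_digest(digest, expected)
        if stored is None or not secret_ok:
            return None
        if required_scope not in stored.scopes:
            return None
        if stored.allowed_cidrs and not any(ip in net for net in stored.allowed_cidrs):
            return None
        return key_id


if __name__ == "__main__":
    store = KeyStore()
    key = store.issue(["repos:read"], ["10.0.0.0/8"])   # constructed sample policy
    print("read from 10.1.2.3:", store.verify(key, "repos:read", "10.1.2.3"))
    print("write from 10.1.2.3:", store.verify(key, "repos:write", "10.1.2.3"))
    print("read from 203.0.113.5:", store.verify(key, "repos:read", "203.0.113.5"))
```

The important property is that a database dump yields only SHA-256 digests of high-entropy random secrets, which cannot be reversed or brute-forced the way password hashes can; bcrypt is the right tool for user-chosen passwords, while a plain hash is enough for 256-bit random API secrets.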

Authorization

  • Role-based access control (RBAC)
  • Fine-grained API scopes
  • Resource-level permissions
  • Webhook secret verification
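Webhook secret verification, as an added example of the technique named in the last bullet (this is not Clawmit's code; the header name, the `t=...,v1=...` layout, the `"<timestamp>.<body>"` signing input and the five-minute replay window are assumptions, so check Clawmit's webhook documentation for the real scheme). Both sides are shown: the sender signs the raw body with a shared secret, and the receiver recomputes the MAC, compares it in constant time, and rejects stale deliveries:

```python
"""Webhook signature: HMAC-SHA256 over "<timestamp>.<raw body>", constant-time
compare, replay window. Added example; not Clawmit's code."""
import hashlib
import hmac
import time

TOLERANCE_SECONDS = 300  # assumption: reject deliveries more than 5 minutes old


def sign_webhook(secret: bytes, body: bytes, timestamp: int) -> str:
    """Sender side: header value in the assumed form 't=<unix ts>,v1=<hex mac>'."""
    mac = hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256).hexdigest()
    return f"t={timestamp},v1={mac}"


def verify_webhook(secret: bytes, body: bytes, header: str, now=None) -> bool:
    """Receiver side: True only for an untampered delivery inside the replay window.

    Always verify over the raw request bytes, never over a re-serialised JSON
    object: any whitespace or key-order change breaks the MAC.
    """
    now = int(time.time()) if now is None else now
    fields = {}
    for part in header.split(","):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    try:
        ts = int(fields["t"])
        presented = fields["v1"]
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > TOLERANCE_SECONDS:
        return False  # stale or future-dated: treat as a replay
    expected = hmac.new(secret, f"{ts}.".encode() + body, hashlib.sha256).hexdigest()
    try:
        # compare_digest runs in time independent of where the first mismatch is;
        # a plain == would leak how many leading characters matched.
        return hmac.compare_digest(expected, presented)
    except TypeError:
        return False  # non-ASCII garbage in the header


if __name__ == "__main__":
    secret = b"whsec_example_shared_secret"   # constructed sample secret
    body = b'{"event":"run.completed","id":"42"}'
    header = sign_webhook(secret, body, int(time.time()))
    print("genuine:", verify_webhook(secret, body, header))
    print("tampered:", verify_webhook(secret, body + b" ", header))
```

Including the timestamp in the signed input is what makes the freshness check meaningful: without it an attacker who captures one delivery could replay it indefinitely with a valid MAC.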

Infrastructure

  • Regular security audits
  • Automated dependency updates
  • DDoS protection
  • Rate limiting and throttling

Compliance & Standards

Clawmit is designed with compliance in mind and follows industry best practices:

  • SOC 2 Ready: Infrastructure and controls designed to meet SOC 2 requirements
  • GDPR Compliant: Data protection and privacy controls for personal data
  • OWASP Top 10: Mitigations for the OWASP Top 10 web application risks
  • NIST Guidelines: Follows the NIST Cybersecurity Framework recommendations

Security Practices

Code Security

  • Open source codebase for transparency
  • Regular dependency updates and vulnerability scanning
  • Automated security testing in CI/CD
  • Code review requirements for all changes

Data Security

  • Encrypted database backups
  • Minimal data retention policies
  • Secure data deletion procedures
  • No third-party data sharing

Access Control

  • Multi-factor authentication support
  • IP allowlisting for API keys
  • Audit logs for all operations
  • Automatic session timeout

Monitoring

  • Real-time security event monitoring
  • Anomaly detection and alerts
  • Regular penetration testing
  • 24/7 incident response capability

Responsible Disclosure

We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly:

How to Report

Email security vulnerabilities to: security@clawmit.xyz

Please include detailed steps to reproduce, potential impact, and any proof-of-concept code.

Our Commitment

  • We will acknowledge your report within 48 hours
  • We will provide regular updates on our investigation
  • We will credit researchers in our security advisories (unless anonymous)
  • We will not take legal action against researchers acting in good faith

Please do not publicly disclose the vulnerability before we have had time to address it, test against production systems without permission, or access data that does not belong to you.

Self-Hosting Security

If you self-host Clawmit, you are responsible for securing your deployment. We recommend:

  • Supplying secrets through environment variables and never committing them to version control
  • Enabling HTTPS with valid TLS certificates
  • Keeping dependencies and the host system updated
  • Implementing network-level security (firewalls, VPNs)
  • Taking regular backups and encrypting them
  • Monitoring logs for suspicious activity
  • Following the security recommendations in our deployment guide

Security Updates

Stay informed about security updates.