Security at ClawCoil

Data Handling

ClawCoil manages OAuth tokens, API keys, and refresh tokens on behalf of your connected accounts. Tokens are encrypted at rest using per-user encryption keys. We store only the minimum token data required for authentication — no user profile data from connected services is retained.

Encryption

All data is encrypted in transit (TLS 1.3) and at rest (AES-256). API keys and credentials are stored using industry-standard secret management.
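The two sections above make two separate claims: tokens are encrypted at rest with AES-256, and each user has their own encryption key. The Go program below is an added illustration of how those properties combine, and it is not ClawCoil's code: it seals a token with AES-256-GCM under one user's key and binds the owner's user ID as additional authenticated data, then shows that decryption under another user's key, or under the wrong owner ID, is rejected outright. Generating the per-user key in memory is an assumption made to keep the example self-contained; a production service would wrap that key with a KMS-held master key. The token value is a constructed sample.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// userKey is one user's 256-bit data-encryption key. In production such a key
// would itself be wrapped by a KMS-held master key; here it is generated in
// memory, which is an assumption of this example.
type userKey [32]byte

func newUserKey() (userKey, error) {
	var k userKey
	_, err := rand.Read(k[:])
	return k, err
}

func gcmFor(k userKey) (cipher.AEAD, error) {
	block, err := aes.NewCipher(k[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealToken encrypts a token with AES-256-GCM under the owner's key. The random
// nonce is prepended to the output, and the owner's user ID is bound as
// additional authenticated data, so a ciphertext copied into another user's
// record fails authentication even before key separation is considered.
func sealToken(k userKey, userID string, token []byte) ([]byte, error) {
	gcm, err := gcmFor(k)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, token, []byte(userID)), nil
}

// openToken reverses sealToken. A wrong key, a wrong user ID or a modified
// byte yields an error rather than garbage plaintext.
func openToken(k userKey, userID string, blob []byte) ([]byte, error) {
	gcm, err := gcmFor(k)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:ns], blob[ns:], []byte(userID))
}

func main() {
	alice, _ := newUserKey()
	bob, _ := newUserKey()
	token := []byte("refresh-token-CONSTRUCTED-SAMPLE") // constructed, not a real token
	blob, err := sealToken(alice, "alice", token)
	if err != nil {
		panic(err)
	}
	pt, err := openToken(alice, "alice", blob)
	fmt.Printf("owner decrypt: %q err=%v\n", pt, err)
	_, err = openToken(bob, "alice", blob)
	fmt.Println("other user's key:", err)
	_, err = openToken(alice, "bob", blob)
	fmt.Println("wrong owner binding:", err)
}
```

The point of binding the user ID as associated data is that isolation no longer depends only on keeping keys separate: a row copied between users fails authentication even if a key were ever reused, and the failure is an error, not silently wrong plaintext.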

Infrastructure

ClawCoil is hosted on European infrastructure. Application containers are isolated per deployment, with no shared tenancy between customers.

Access Control

OAuth tokens are isolated per user and per connected service — no cross-account token access is possible. Token scopes are enforced at the proxy layer to ensure agents only access the permissions you authorized. Tokens can be revoked instantly from the dashboard, and automatic rotation is enabled by default for supported providers.
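The section above describes three proxy-layer behaviours: per-user, per-provider token isolation, scope enforcement on each agent request, and instant revocation. The Go program below is an added example of that check, not ClawCoil's proxy code. The grant store is keyed by (user, provider) so one user's request can never resolve another user's token, every request is matched against an allow-list of routes and the scope each requires, unknown routes and missing scopes are denied by default, and revocation takes effect on the next request because the grant is re-read each time. The route table and scope names are constructed for the example; real providers publish their own scope-to-endpoint mapping.

```go
package main

import "fmt"

// Grant is what the proxy knows about one user's connection to one provider:
// the scopes the user consented to and whether the token has been revoked.
// Illustrative structure, not ClawCoil's own schema.
type Grant struct {
	UserID   string
	Provider string
	Scopes   map[string]bool
	Revoked  bool
}

// route maps an upstream endpoint to the scope it requires. Constructed table
// for this example.
type route struct{ Method, Path, Scope string }

var routes = []route{
	{"GET", "/calendar/events", "calendar.read"},
	{"POST", "/calendar/events", "calendar.write"},
	{"GET", "/mail/messages", "mail.read"},
}

// Decision is the proxy's verdict plus a reason suitable for an audit log.
type Decision struct {
	Allowed bool
	Reason  string
}

type grantStore struct{ byKey map[string]*Grant }

func newGrantStore() *grantStore { return &grantStore{byKey: map[string]*Grant{}} }

func grantKey(userID, provider string) string { return userID + "/" + provider }

func (s *grantStore) add(g *Grant) { s.byKey[grantKey(g.UserID, g.Provider)] = g }

// revoke marks the grant unusable immediately; no cached decision survives it
// because authorize re-reads the grant on every request.
func (s *grantStore) revoke(userID, provider string) {
	if g, ok := s.byKey[grantKey(userID, provider)]; ok {
		g.Revoked = true
	}
}

// authorize is the per-request check. The grant is looked up by (user,
// provider), so a request from one user can never resolve another user's
// token. Unknown routes and missing scopes are denied (default deny).
func (s *grantStore) authorize(userID, provider, method, path string) Decision {
	g, ok := s.byKey[grantKey(userID, provider)]
	if !ok {
		return Decision{false, "no grant for user/provider"}
	}
	if g.Revoked {
		return Decision{false, "token revoked"}
	}
	for _, r := range routes {
		if r.Method == method && r.Path == path {
			if g.Scopes[r.Scope] {
				return Decision{true, "scope " + r.Scope + " granted"}
			}
			return Decision{false, "missing scope " + r.Scope}
		}
	}
	return Decision{false, "route not in allow-list"}
}

func scopeSet(scopes ...string) map[string]bool {
	m := map[string]bool{}
	for _, sc := range scopes {
		m[sc] = true
	}
	return m
}

func main() {
	s := newGrantStore()
	s.add(&Grant{UserID: "alice", Provider: "calendar-provider", Scopes: scopeSet("calendar.read")})
	fmt.Println(s.authorize("alice", "calendar-provider", "GET", "/calendar/events"))
	fmt.Println(s.authorize("alice", "calendar-provider", "POST", "/calendar/events"))
	s.revoke("alice", "calendar-provider")
	fmt.Println(s.authorize("alice", "calendar-provider", "GET", "/calendar/events"))
}
```

The reason string is returned alongside the verdict so every denial can be logged with why it happened; a spike in "missing scope" denials for one agent is the signal a defender wants to see when an automation starts asking for more than the user authorized.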

Compliance Roadmap

  • SOC 2 Type I — targeting Q3 2026
  • GDPR — compliant by design (EU hosting, data minimization, right to deletion)
  • OAuth 2.1 — compliant with latest specification including PKCE enforcement

Responsible Disclosure

Found a vulnerability? Email security@clawcoil.com. We respond within 48 hours.

Questions

For security inquiries, contact security@clawcoil.com.