Log in Mission Control Request Early Access
Trust Center

Security Architecture Overview

Last Updated: March 24, 2026 · Security Level: Public

Draft content. Legal review required before production use.

ClawOffice is designed for teams that need governance around AI-assisted work. This overview describes intended security controls, deployment options, access management, and review gates for evaluation purposes.

1. Data Sovereignty and VPC Deployment Options

ClawOffice supports flexible deployment topologies to meet varying security requirements:

  • ClawOffice Managed SaaS: Intended for hosted workspaces with logical separation between customer environments, access controls, and reviewable API activity.
  • Customer-Managed VPC / On-Premises: For organizations evaluating stricter data-boundary requirements. Subject to implementation scope, ClawOffice can be evaluated for deployment inside customer-managed cloud or local infrastructure.

2. Authentication and Authorization Controls

We support industry-standard protocols to manage identity and access control:

  1. Single Sign-On (SSO): Integration with enterprise directories using SAML 2.0 or OIDC protocols (including Okta, Microsoft Entra ID, and Google Workspace).
  2. Multi-Factor Authentication (MFA): MFA configurations for administrative accounts where supported by the selected deployment.
  3. Role-Based Access Control (RBAC): Granular permissions to restrict who can write workflow policies, approve executions, view logs, or invite new team members.

3. Execution Governance & HITL Gates

We mitigate risk by restricting the actions autonomous agents can carry out:

  • Token Spending Boundaries: Configurable limits on LLM API calls, prompt tokens, and monthly budgets help reduce compute cost escalation risk.
  • Human-in-the-Loop (HITL): Workflows that send communications, initiate payments, or update central data tables require manual authorization from an operations supervisor.
  • Sandbox Isolation: Agent execution can be configured with containerized runtime boundaries and outbound network restrictions depending on deployment design.

4. Encryption and Key Management

Production deployments should use encryption in transit and at rest based on the selected hosting environment. Customer-managed deployments can be reviewed for customer-managed key requirements and access-log handling.

5. Audit Trails and Logs

ClawOffice is designed to record workspace activity such as prompt directives, agent executions, administrative changes, and human approvals. Export options for monitoring systems depend on the selected deployment and integration scope.