[{"data":1,"prerenderedAt":1326},["ShallowReactive",2],{"help-category-\u002Fsecurity-privacy\u002Fincident-reporting-and-response":3,"help-article-\u002Fsecurity-privacy\u002Fincident-reporting-and-response":4,"related-articles-\u002Fsecurity-privacy\u002Fincident-reporting-and-response":314},[],{"id":5,"title":6,"body":7,"category":296,"description":297,"draft":298,"extension":299,"meta":300,"navigation":301,"order":302,"path":303,"relatedArticles":304,"seo":308,"slug":309,"stem":310,"updatedAt":311,"__hash__":312,"excerpt":297,"searchText":313},"help\u002Fhelp\u002Fsecurity-privacy\u002F11.incident-reporting-and-response.md","Incident reporting and response",{"type":8,"value":9,"toc":286},"minimark",[10,23,28,36,64,75,85,89,92,148,158,168,171,175,178,215,219,222,225,229,239,247,251,254,279],[11,12,13,14,22],"p",{},"To report a security vulnerability, email ",[15,16,17],"strong",{},[18,19,21],"a",{"href":20},"mailto:security@multiclaw.io","security@multiclaw.io"," with a description of the issue, steps to reproduce, and the affected MultiClaw version. MultiClaw targets acknowledgement within 24 hours and triage of all reports within 72 hours. 
The incident management process is informed by ISO\u002FIEC 27035.",[24,25,27],"h2",{"id":26},"how-to-report-a-vulnerability","How to report a vulnerability",[11,29,30,31,35],{},"Email ",[15,32,33],{},[18,34,21],{"href":20}," with the following details:",[37,38,39,46,52,58],"ul",{},[40,41,42,45],"li",{},[15,43,44],{},"Description of the issue",": what you found, where it occurs, and what impact it may have.",[40,47,48,51],{},[15,49,50],{},"Steps to reproduce",": a clear sequence another person could follow to confirm the issue.",[40,53,54,57],{},[15,55,56],{},"Affected MultiClaw version",": the desktop app version, MultiClaw Cloud, or MultiClaw Chrome Extension version where you observed the issue.",[40,59,60,63],{},[15,61,62],{},"Proof-of-concept"," (if available): screenshots, logs, or sample code that demonstrate the vulnerability.",[11,65,66,67,70,71,74],{},"For vulnerabilities with a CVSS score of ",[15,68,69],{},"7.0 or higher"," (High or Critical severity), use the subject line ",[15,72,73],{},"\"SECURITY — Critical\"",". This routes the report to the on-call security team for immediate triage.",[76,77,79],"callout",{"type":78},"note",[11,80,81,84],{},[15,82,83],{},"CVSS"," (Common Vulnerability Scoring System) is an industry-standard framework for rating the severity of security vulnerabilities on a scale from 0.0 to 10.0. 
MultiClaw uses CVSS scores to prioritize response and fix timelines.",[24,86,88],{"id":87},"response-timelines","Response timelines",[11,90,91],{},"MultiClaw targets the following response and resolution timelines after a report is received.",[93,94,95,111],"table",{},[96,97,98],"thead",{},[99,100,101,105,108],"tr",{},[102,103,104],"th",{},"Severity",[102,106,107],{},"CVSS range",[102,109,110],{},"Target resolution",[112,113,114,126,137],"tbody",{},[99,115,116,120,123],{},[117,118,119],"td",{},"Critical",[117,121,122],{},"9.0–10.0",[117,124,125],{},"Patch within 7 days",[99,127,128,131,134],{},[117,129,130],{},"High",[117,132,133],{},"7.0–8.9",[117,135,136],{},"Patch within 30 days",[99,138,139,142,145],{},[117,140,141],{},"Medium \u002F Low",[117,143,144],{},"Below 7.0",[117,146,147],{},"Scheduled in the next available release",[11,149,150,153,154,157],{},[15,151,152],{},"Acknowledgement",": MultiClaw targets acknowledgement of all reports within ",[15,155,156],{},"24 hours"," of receipt.",[11,159,160,163,164,167],{},[15,161,162],{},"Triage",": severity classification is targeted for completion within ",[15,165,166],{},"72 hours",".",[11,169,170],{},"These timelines are targets, not guarantees. 
Complex vulnerabilities may require additional time to fix safely without introducing new issues.",[24,172,174],{"id":173},"what-happens-during-an-incident","What happens during an incident",[11,176,177],{},"When a confirmed security incident affects customer data, MultiClaw follows a structured response process:",[179,180,181,187,193,199,209],"ol",{},[40,182,183,186],{},[15,184,185],{},"Containment",": the security team identifies the scope of the incident and takes immediate steps to limit further exposure.",[40,188,189,192],{},[15,190,191],{},"Regulatory notification",": MultiClaw notifies the relevant supervisory authority (such as the UK ICO) within 72 hours of confirming a personal data breach, as required by GDPR Article 33.",[40,194,195,198],{},[15,196,197],{},"Customer notification",": where a breach is likely to result in a high risk to affected individuals, MultiClaw notifies those individuals without undue delay by email, as required by GDPR Article 34.",[40,200,201,204,205,208],{},[15,202,203],{},"Status updates",": the MultiClaw Cloud status page at ",[15,206,207],{},"status.multiclaw.io"," is updated as the incident progresses.",[40,210,211,214],{},[15,212,213],{},"Post-incident report",": for incidents with customer impact, MultiClaw publishes a post-incident report within 14 days of resolution. The report covers what happened, what data was affected, what steps were taken, and what changes were made to reduce the likelihood of recurrence.",[24,216,218],{"id":217},"responsible-disclosure","Responsible disclosure",[11,220,221],{},"MultiClaw encourages responsible disclosure from security researchers. If you discover a vulnerability, report it through the process above before sharing details publicly. MultiClaw will work with you to understand and address the issue before any public disclosure.",[11,223,224],{},"Avoid posting vulnerability details in public forums, issue trackers, or social media until a fix has been released. 
This protects other users while the team resolves the issue.",[24,226,228],{"id":227},"data-privacy-concerns","Data privacy concerns",[11,230,231,232,238],{},"For GDPR data subject requests, data breach reports, or questions about how MultiClaw handles your personal data, email ",[15,233,234],{},[18,235,237],{"href":236},"mailto:privacy@multiclaw.io","privacy@multiclaw.io",". MultiClaw responds to data subject requests within one calendar month, as required by GDPR.",[11,240,241,242,246],{},"See ",[18,243,245],{"href":244},"\u002Fhelp\u002Fsecurity-privacy\u002Fprivacy-and-data-handling","Privacy and data handling"," for full details on what data MultiClaw collects, retention periods, and your data rights.",[24,248,250],{"id":249},"your-responsibilities","Your responsibilities",[11,252,253],{},"Security incident response is a shared effort. While MultiClaw handles containment, regulatory notification, and resolution, you play a role in keeping your workspace secure:",[37,255,256,267,273],{},[40,257,258,261,262,266],{},[15,259,260],{},"Report promptly",": if you notice unexpected agent behaviour, unauthorized access, or suspicious activity, report it to ",[15,263,264],{},[18,265,21],{"href":20}," as soon as possible.",[40,268,269,272],{},[15,270,271],{},"Preserve evidence",": avoid making changes that could overwrite logs or configuration before the security team has a chance to investigate.",[40,274,275,278],{},[15,276,277],{},"Rotate compromised credentials",": if you suspect an API key or password has been exposed, rotate it immediately from your agent settings in MultiClaw Cloud.",[11,280,281,282,167],{},"For a full breakdown of security responsibilities, see ",[18,283,285],{"href":284},"\u002Fhelp\u002Fsecurity-privacy\u002Fshared-responsibility-model","Shared responsibility 
model",{"title":287,"searchDepth":288,"depth":288,"links":289},"",2,[290,291,292,293,294,295],{"id":26,"depth":288,"text":27},{"id":87,"depth":288,"text":88},{"id":173,"depth":288,"text":174},{"id":217,"depth":288,"text":218},{"id":227,"depth":288,"text":228},{"id":249,"depth":288,"text":250},"security-privacy","Report vulnerabilities to security@multiclaw.io, with target acknowledgement in 24 hours and fix timelines based on CVSS severity.",false,"md",{},true,11,"\u002Fsecurity-privacy\u002Fincident-reporting-and-response",[305,306,307],"security-privacy\u002Fshared-responsibility-model","security-privacy\u002Fprivacy-and-data-handling","security-privacy\u002Fsecurity-overview",{"title":6,"description":297},"incident-reporting-and-response","help\u002Fsecurity-privacy\u002F11.incident-reporting-and-response","2026-03-31","W43rGireM3xgJWbN0_B8wL_50R2ybN9aP0ARKqOxcr8","Incident reporting and response Report vulnerabilities to security@multiclaw.io, with target acknowledgement in 24 hours and fix timelines based on CVSS severity.",[315,649,1066],{"id":316,"title":285,"body":317,"category":296,"description":636,"draft":298,"extension":299,"meta":637,"navigation":301,"order":638,"path":639,"relatedArticles":640,"seo":643,"slug":644,"stem":645,"updatedAt":646,"__hash__":647,"excerpt":636,"searchText":648},"help\u002Fhelp\u002Fsecurity-privacy\u002F14.shared-responsibility-model.md",{"type":8,"value":318,"toc":618},[319,322,471,475,478,481,484,486,491,498,502,510,514,517,521,524,539,543,562,566,569,573,576,580,584,587,591,594,598,601],[11,320,321],{},"Security in MultiClaw follows a shared responsibility model. MultiClaw secures the cloud infrastructure and the desktop app; you secure your local environment, credentials, and workspace configuration. 
Understanding each party's role helps you protect your workspace effectively.",[93,323,324,334],{},[96,325,326],{},[99,327,328,331],{},[102,329,330],{},"Responsibility",[102,332,333],{},"Party",[112,335,336,344,351,358,365,372,379,386,394,401,408,415,422,429,436,443,450,457,464],{},[99,337,338,341],{},[117,339,340],{},"Infrastructure security (servers, databases, networking)",[117,342,343],{},"MultiClaw",[99,345,346,349],{},[117,347,348],{},"AES-256-GCM application-layer encryption for sensitive values in MultiClaw Cloud",[117,350,343],{},[99,352,353,356],{},[117,354,355],{},"TLS encryption between the gateway and MultiClaw Cloud",[117,357,343],{},[99,359,360,363],{},[117,361,362],{},"Desktop app update signing and verification (minisign)",[117,364,343],{},[99,366,367,370],{},[117,368,369],{},"Patching the desktop app and MultiClaw Cloud",[117,371,343],{},[99,373,374,377],{},[117,375,376],{},"Access controls and audit trail in MultiClaw Cloud",[117,378,343],{},[99,380,381,384],{},[117,382,383],{},"Security incident notification (GDPR Art. 33 and Art. 
34)",[117,385,343],{},[99,387,388,391],{},[117,389,390],{},"Keeping the desktop app updated",[117,392,393],{},"You",[99,395,396,399],{},[117,397,398],{},"Keeping OpenClaw updated",[117,400,393],{},[99,402,403,406],{},[117,404,405],{},"Protecting your LLM API keys",[117,407,393],{},[99,409,410,413],{},[117,411,412],{},"Securing the local OpenClaw data directory",[117,414,393],{},[99,416,417,420],{},[117,418,419],{},"Managing workspace member access",[117,421,393],{},[99,423,424,427],{},[117,425,426],{},"Configuring agent guardrails",[117,428,393],{},[99,430,431,434],{},[117,432,433],{},"Securing the machine running the desktop app",[117,435,393],{},[99,437,438,441],{},[117,439,440],{},"Reviewing third-party MCP servers before adding them",[117,442,393],{},[99,444,445,448],{},[117,446,447],{},"Infrastructure monitoring",[117,449,343],{},[99,451,452,455],{},[117,453,454],{},"Agent activity monitoring and suspicious behaviour reporting",[117,456,393],{},[99,458,459,462],{},[117,460,461],{},"Secure default configuration",[117,463,343],{},[99,465,466,469],{},[117,467,468],{},"Configuration changes (for example, disabling auto-updates)",[117,470,393],{},[24,472,474],{"id":473},"multiclaws-responsibilities","MultiClaw's responsibilities",[11,476,477],{},"MultiClaw secures the cloud infrastructure that powers MultiClaw Cloud. This includes the physical security of data centres via AWS, server and database hardening, and network-level protections. MultiClaw Cloud stores data on AWS infrastructure, which encrypts underlying storage volumes at rest. Sensitive values including agent configuration and credentials are additionally encrypted at the application layer using AES-256-GCM before being written to the database.",[11,479,480],{},"All connections between the gateway and MultiClaw Cloud are encrypted with TLS. Desktop app updates are signed with minisign and verified before installation. 
MultiClaw patches and maintains the desktop app and MultiClaw Cloud on an ongoing basis.",[11,482,483],{},"MultiClaw Cloud enforces access controls and maintains an audit trail of key platform events. If a security incident is confirmed to have affected your data, MultiClaw will notify the relevant supervisory authority within 72 hours as required by GDPR Art. 33. MultiClaw will also notify you directly without undue delay if the breach poses a high risk to your rights (Art. 34).",[24,485,250],{"id":249},[487,488,490],"h3",{"id":489},"keep-the-desktop-app-updated","Keep the desktop app updated",[11,492,493,494,497],{},"Auto-updates are enabled by default. Do not disable them, as updates include security patches. If you need to verify which version you are running, check the desktop app's ",[15,495,496],{},"About"," screen.",[487,499,501],{"id":500},"keep-openclaw-updated","Keep OpenClaw updated",[11,503,504,505,509],{},"OpenClaw is installed and updated separately from MultiClaw. Keep your OpenClaw installation current by following the update instructions for your platform (for example, ",[506,507,508],"code",{},"brew upgrade openclaw"," on macOS). MultiClaw does not distribute or update the OpenClaw binary on your behalf.",[487,511,513],{"id":512},"protect-your-llm-api-keys","Protect your LLM API keys",[11,515,516],{},"Your LLM API keys are stored in MultiClaw Cloud and encrypted at rest using AES-256-GCM. You control which services receive those keys. If you suspect a key has been compromised, rotate it immediately in your LLM provider's dashboard and update it in MultiClaw Cloud. Only connect services you trust.",[487,518,520],{"id":519},"secure-the-local-openclaw-data-directory","Secure the local OpenClaw data directory",[11,522,523],{},"The local OpenClaw data directory is protected by your operating system's file-system permissions. Enable full-disk encryption on any machine running the desktop app. 
Keep the machine's operating system updated and apply security patches promptly.",[11,525,526,527,530,531,534,535,538],{},"On macOS, confirm FileVault is on in ",[15,528,529],{},"System Settings → Privacy & Security",". On Windows, check ",[15,532,533],{},"Settings → Privacy & security → Device encryption"," or search for ",[15,536,537],{},"BitLocker",". On Linux, verify LUKS encryption is active.",[487,540,542],{"id":541},"manage-workspace-member-access","Manage workspace member access",[11,544,545,546,549,550,553,554,557,558,561],{},"Invite only trusted users and revoke access when members leave. Two roles exist: ",[15,547,548],{},"Owner"," and ",[15,551,552],{},"Member",". Periodically review the member list by navigating to your workspace's ",[15,555,556],{},"Users"," page (",[506,559,560],{},"\u002F{your-workspace}\u002Fusers",") in MultiClaw Cloud.",[487,563,565],{"id":564},"configure-agent-guardrails","Configure agent guardrails",[11,567,568],{},"MultiClaw provides secure defaults, but you are responsible for adjusting approval flows, scope limits, and execution permissions to match your organisation's risk tolerance. Review guardrail settings whenever your security requirements change.",[487,570,572],{"id":571},"vet-third-party-mcp-servers","Vet third-party MCP servers",[11,574,575],{},"Before adding a third-party MCP server, verify its source and review its permissions. MultiClaw cannot audit or vouch for third-party servers. You are responsible for any access those servers receive.",[24,577,579],{"id":578},"shared-responsibilities","Shared responsibilities",[487,581,583],{"id":582},"incident-detection","Incident detection",[11,585,586],{},"MultiClaw monitors infrastructure for anomalies. You are responsible for monitoring your own agent activity. 
If you notice unexpected behaviour — agents running tasks you did not approve, unusual output, or activity at unexpected times — review the audit trail and revoke agent access if necessary.",[487,588,590],{"id":589},"configuration","Configuration",[11,592,593],{},"MultiClaw ships secure defaults for all settings. When you change a default (for example, disabling auto-updates or granting an agent broad file access), you accept responsibility for the security implications of that change. Review any configuration change against your organisation's security policies before applying it.",[24,595,597],{"id":596},"what-this-model-does-not-cover","What this model does not cover",[11,599,600],{},"This model describes the division of security responsibilities between MultiClaw and you. It does not guarantee that either party's measures will prevent every possible incident. No security programme can eliminate all risk.",[11,602,603,604,608,609,613,614,167],{},"If you are unsure where a specific responsibility falls, contact MultiClaw support. 
For the technical detail behind the protections described here, see ",[18,605,607],{"href":606},"\u002Fhelp\u002Fsecurity-privacy\u002Fsecurity-overview","Security overview",", ",[18,610,612],{"href":611},"\u002Fhelp\u002Fsecurity-privacy\u002Fdata-encryption","Data encryption",", and ",[18,615,617],{"href":616},"\u002Fhelp\u002Fsecurity-privacy\u002Fhow-credentials-and-secrets-are-stored","How credentials and secrets are stored",{"title":287,"searchDepth":288,"depth":288,"links":619},[620,621,631,635],{"id":473,"depth":288,"text":474},{"id":249,"depth":288,"text":250,"children":622},[623,625,626,627,628,629,630],{"id":489,"depth":624,"text":490},3,{"id":500,"depth":624,"text":501},{"id":512,"depth":624,"text":513},{"id":519,"depth":624,"text":520},{"id":541,"depth":624,"text":542},{"id":564,"depth":624,"text":565},{"id":571,"depth":624,"text":572},{"id":578,"depth":288,"text":579,"children":632},[633,634],{"id":582,"depth":624,"text":583},{"id":589,"depth":624,"text":590},{"id":596,"depth":288,"text":597},"What MultiClaw secures versus what you are responsible for as a customer.",{},14,"\u002Fsecurity-privacy\u002Fshared-responsibility-model",[307,641,642],"security-privacy\u002Fdata-encryption","security-privacy\u002Fhow-credentials-and-secrets-are-stored",{"title":285,"description":636},"shared-responsibility-model","help\u002Fsecurity-privacy\u002F14.shared-responsibility-model","2026-03-30","hIH39R_Cs9_Maa_AMfiy_aXwvGhQrYoqXAyei0o7818","Shared responsibility model What MultiClaw secures versus what you are responsible for as a 
customer.",{"id":650,"title":245,"body":651,"category":296,"description":1055,"draft":298,"extension":299,"meta":1056,"navigation":301,"order":1057,"path":1058,"relatedArticles":1059,"seo":1061,"slug":1062,"stem":1063,"updatedAt":311,"__hash__":1064,"excerpt":1055,"searchText":1065},"help\u002Fhelp\u002Fsecurity-privacy\u002F10.privacy-and-data-handling.md",{"type":8,"value":652,"toc":1042},[653,656,660,666,670,688,694,697,701,708,715,723,727,730,733,740,744,747,750,753,756,776,783,787,790,857,861,864,920,924,971,975,981,988,990,993,1013,1018,1021],[11,654,655],{},"MultiClaw does not collect usage telemetry. Your conversation content stays on your device unless you choose to sync it to a workspace. Below is a complete breakdown of what data MultiClaw holds, how long it is retained, and the rights you have over it.",[24,657,659],{"id":658},"no-telemetry","No telemetry",[11,661,662,665],{},[15,663,664],{},"The desktop app collects no usage analytics, feature statistics, or behavioural telemetry."," There are no third-party analytics SDKs embedded in the app, and it does not transmit usage data to MultiClaw or any third party.",[24,667,669],{"id":668},"app-logs","App logs",[11,671,672,673,676,677,680,681,684,685,167],{},"The desktop app continuously writes diagnostic and activity logs to a file on your device at ",[506,674,675],{},"~\u002F.multiclaw\u002Flogs\u002Fapp.log",". Logs record structured operational events (startup, connectivity changes, errors), not conversation content. You can open the log viewer from ",[15,678,679],{},"Settings → General",", scroll to the ",[15,682,683],{},"App Logs"," card, and click ",[15,686,687],{},"Open Logs",[11,689,690,693],{},[15,691,692],{},"App logs are not uploaded automatically."," You choose whether to share a log file with support.",[11,695,696],{},"Log files contain operational events including app version and OS identifier. 
They are not designed to contain conversation content or API keys.",[24,698,700],{"id":699},"conversation-content","Conversation content",[11,702,703,704,707],{},"Conversation content is stored ",[15,705,706],{},"locally on your device"," by default. MultiClaw does not use your conversation content to train, fine-tune, or evaluate AI models.",[11,709,710,711,714],{},"If you are connected to a workspace, conversations sync to ",[15,712,713],{},"MultiClaw Cloud",". Synced conversations are encrypted in transit and at rest. MultiClaw processes this data on your behalf as a data processor.",[11,716,717,718,722],{},"When you run a task, your prompts and task context are sent to the LLM provider you have configured. See ",[18,719,721],{"href":720},"#data-sharing","Data sharing"," below for details on how third parties handle your data.",[24,724,726],{"id":725},"workflow-recordings","Workflow recordings",[11,728,729],{},"The MultiClaw Chrome Extension captures browser interactions only during an active recording session that you start. The extension does not monitor your browsing activity at any other time and does not collect browsing history.",[11,731,732],{},"Recordings are stored locally on your device. If you upload a recording to MultiClaw Cloud, it is encrypted at rest.",[11,734,241,735,739],{},[18,736,738],{"href":737},"\u002Fhelp\u002Fsecurity-privacy\u002Fbrowser-extension-security","Browser extension security"," for full details on what the extension accesses and when.",[24,741,743],{"id":742},"cookies-and-tracking","Cookies and tracking",[11,745,746],{},"The desktop app does not use browser cookies. MultiClaw Cloud uses session cookies only, which are strictly necessary to keep you signed in.",[11,748,749],{},"The marketing website at multiclaw.io uses analytics cookies that require your consent before they are set. 
MultiClaw does not use advertising or retargeting cookies on any of its properties.",[24,751,721],{"id":752},"data-sharing",[11,754,755],{},"MultiClaw does not sell your personal data. Data is shared with third parties only in the following circumstances:",[37,757,758,764,770],{},[40,759,760,763],{},[15,761,762],{},"LLM providers",": when an agent runs a task, your prompts and task context are sent to the provider you configured (such as OpenAI, Anthropic, or Google). Those providers process data under their own terms and privacy policies.",[40,765,766,769],{},[15,767,768],{},"Infrastructure sub-processors",": MultiClaw uses a limited set of third-party infrastructure providers (cloud hosting, database, email delivery) engaged under data processing agreements that restrict them to processing data only on MultiClaw's documented instructions.",[40,771,772,775],{},[15,773,774],{},"Legal requirements",": MultiClaw may disclose personal data where required by applicable law, court order, or regulatory authority.",[11,777,778,779,167],{},"For the full list of sub-processors, see ",[18,780,782],{"href":781},"\u002Fhelp\u002Flegal-compliance\u002Fsubprocessors-and-third-parties","Subprocessors and third parties",[24,784,786],{"id":785},"personal-data-we-collect","Personal data we collect",[11,788,789],{},"MultiClaw Cloud holds the following personal data about you.",[93,791,792,808],{},[96,793,794],{},[99,795,796,799,802,805],{},[102,797,798],{},"Data type",[102,800,801],{},"Purpose",[102,803,804],{},"Legal basis",[102,806,807],{},"Retention",[112,809,810,826,841],{},[99,811,812,817,820,823],{},[117,813,814],{},[15,815,816],{},"Name and email address",[117,818,819],{},"Account creation and authentication",[117,821,822],{},"Performance of contract (GDPR Art. 
6(1)(b))",[117,824,825],{},"While your account is active; purged within 30 days of account deletion request",[99,827,828,834,837,839],{},[117,829,830,833],{},[15,831,832],{},"Workspace metadata"," (member list, agent names, audit logs)",[117,835,836],{},"Workspace operation and governance",[117,838,822],{},[117,840,825],{},[99,842,843,848,851,854],{},[117,844,845],{},[15,846,847],{},"IP address and user agent",[117,849,850],{},"Server access logs",[117,852,853],{},"Legitimate interests — security and abuse prevention (GDPR Art. 6(1)(f))",[117,855,856],{},"90 days",[24,858,860],{"id":859},"your-data-rights","Your data rights",[11,862,863],{},"You have the following rights under applicable data protection law (including GDPR and UK GDPR).",[37,865,866,874,883,896,904,912],{},[40,867,868,871,872,167],{},[15,869,870],{},"Right to access",": request a copy of your data at any time by emailing ",[18,873,237],{"href":236},[40,875,876,879,880,882],{},[15,877,878],{},"Right to erasure",": request deletion of your account and associated data by emailing ",[18,881,237],{"href":236},". 
MultiClaw responds to deletion requests within one calendar month.",[40,884,885,888,889,891,892,895],{},[15,886,887],{},"Right to rectification",": update your name or email address in ",[15,890,679],{}," on the ",[15,893,894],{},"Account"," card.",[40,897,898,901,902,167],{},[15,899,900],{},"Right to portability",": request a machine-readable export of the personal data you have provided to MultiClaw by emailing ",[18,903,237],{"href":236},[40,905,906,909,910,167],{},[15,907,908],{},"Right to restriction",": request that MultiClaw limit processing of your data in certain circumstances (for example, while the accuracy of your data is being contested) by emailing ",[18,911,237],{"href":236},[40,913,914,917,918,167],{},[15,915,916],{},"Right to object",": object to processing of your personal data where that processing is based on legitimate interests by emailing ",[18,919,237],{"href":236},[24,921,923],{"id":922},"data-retention-summary","Data retention summary",[93,925,926,936],{},[96,927,928],{},[99,929,930,933],{},[102,931,932],{},"Data",[102,934,935],{},"Retention period",[112,937,938,946,954,960],{},[99,939,940,943],{},[117,941,942],{},"Active account data",[117,944,945],{},"While your account is active",[99,947,948,951],{},[117,949,950],{},"Deleted account data",[117,952,953],{},"Purged within 30 days of deletion request",[99,955,956,958],{},[117,957,850],{},[117,959,856],{},[99,961,962,964],{},[117,963,669],{},[117,965,966,967,970],{},"Stored locally at ",[506,968,969],{},"~\u002F.multiclaw\u002Flogs\u002F","; not uploaded unless you share them",[24,972,974],{"id":973},"delete-your-data","Delete your data",[11,976,977,978,980],{},"You can delete individual conversations from the desktop app at any time. To request deletion of all your personal data from MultiClaw Cloud, email ",[18,979,237],{"href":236},". 
After you close your account, you have 30 days to export your data before deletion begins.",[11,982,241,983,987],{},[18,984,986],{"href":985},"\u002Fhelp\u002Flegal-compliance\u002Fdata-portability-and-export","Data portability and export"," for export options.",[24,989,250],{"id":249},[11,991,992],{},"MultiClaw protects your data in transit and at rest, but some aspects of privacy depend on your choices:",[37,994,995,1001,1007],{},[40,996,997,1000],{},[15,998,999],{},"Workspace sync",": if you connect to a workspace, conversations sync to MultiClaw Cloud. To keep conversations entirely local, don't connect to a workspace.",[40,1002,1003,1006],{},[15,1004,1005],{},"LLM provider selection",": MultiClaw sends your prompts to the provider you choose. Review each provider's data-use policy before configuring an agent.",[40,1008,1009,1012],{},[15,1010,1011],{},"Device security",": local data (config, conversations, agent definitions) is protected by OS file permissions. Enable full-disk encryption to protect it from physical access.",[11,1014,1015,1016,167],{},"For a full breakdown of where platform protections end and yours begin, see ",[18,1017,285],{"href":284},[11,1019,1020],{},"For deeper detail on related topics:",[37,1022,1023,1028,1035],{},[40,1024,1025,1027],{},[18,1026,612],{"href":611},": the full encryption model for local and cloud data.",[40,1029,1030,1034],{},[18,1031,1033],{"href":1032},"\u002Fhelp\u002Fsecurity-privacy\u002Fdata-residency-and-storage","Data residency and storage",": where each type of data is stored.",[40,1036,1037,1041],{},[18,1038,1040],{"href":1039},"\u002Fhelp\u002Flegal-compliance\u002Fprivacy-policy","Privacy Policy",": the full legal privacy 
policy.",{"title":287,"searchDepth":288,"depth":288,"links":1043},[1044,1045,1046,1047,1048,1049,1050,1051,1052,1053,1054],{"id":658,"depth":288,"text":659},{"id":668,"depth":288,"text":669},{"id":699,"depth":288,"text":700},{"id":725,"depth":288,"text":726},{"id":742,"depth":288,"text":743},{"id":752,"depth":288,"text":721},{"id":785,"depth":288,"text":786},{"id":859,"depth":288,"text":860},{"id":922,"depth":288,"text":923},{"id":973,"depth":288,"text":974},{"id":249,"depth":288,"text":250},"MultiClaw collects no telemetry, keeps conversations local by default, and gives you full control over your personal data.",{},10,"\u002Fsecurity-privacy\u002Fprivacy-and-data-handling",[1060,641,642],"security-privacy\u002Fdata-residency-and-storage",{"title":245,"description":1055},"privacy-and-data-handling","help\u002Fsecurity-privacy\u002F10.privacy-and-data-handling","U_27RD9fX6Rl-0R0Bh_vHok-zaDdQn2B-bxYV-nsbaE","Privacy and data handling MultiClaw collects no telemetry, keeps conversations local by default, and gives you full control over your personal data.",{"id":1067,"title":607,"body":1068,"category":296,"description":1314,"draft":298,"extension":299,"meta":1315,"navigation":301,"order":1316,"path":1317,"relatedArticles":1318,"seo":1321,"slug":1322,"stem":1323,"updatedAt":646,"__hash__":1324,"excerpt":1314,"searchText":1325},"help\u002Fhelp\u002Fsecurity-privacy\u002F01.security-overview.md",{"type":8,"value":1069,"toc":1299},[1070,1080,1083,1087,1090,1104,1107,1114,1121,1125,1128,1134,1138,1141,1147,1151,1172,1177,1181,1184,1189,1193,1199,1204,1208,1215,1222,1226,1229,1233,1235,1238,1243,1247,1254,1261,1265,1268,1274,1278,1281,1287,1291,1294],[11,1071,1072,1073,1076,1077,167],{},"MultiClaw protects your data through multiple independent security layers: local credential storage, TLS connections, app sandboxing, and zero telemetry. Each layer works on its own, reducing the risk that a single vulnerability leads to broader exposure. 
The architecture follows ",[15,1074,1075],{},"defense-in-depth"," principles aligned with ",[15,1078,1079],{},"ISO\u002FIEC 27001:2022",[11,1081,1082],{},"This article gives you a high-level view of how MultiClaw handles security and privacy. Each section links to a dedicated article with full details.",[24,1084,1086],{"id":1085},"separate-trust-zones","Separate trust zones",[11,1088,1089],{},"The desktop app, the local OpenClaw gateway, and MultiClaw Cloud operate as three distinct trust zones, each with its own authentication:",[37,1091,1092,1098],{},[40,1093,1094,1097],{},[15,1095,1096],{},"Desktop app",": connects to MultiClaw Cloud over HTTPS and WSS for API calls, real-time updates, agent configuration, and session data.",[40,1099,1100,1103],{},[15,1101,1102],{},"Local OpenClaw gateway",": connects to MultiClaw Cloud separately over an authenticated WebSocket secured with short-lived signed tokens. These tokens rotate automatically, so a captured token remains valid only for a short time, which limits the window in which it could be reused.",[11,1105,1106],{},"Each connection enforces its own credentials. No zone shares authentication tokens with another.",[11,1108,1109],{},[1110,1111],"img",{"alt":1112,"src":1113},"MultiClaw security architecture — the four components and how they connect across trust boundaries","\u002Fimages\u002Fmulticlaw-security-architecture.png",[11,1115,241,1116,1120],{},[18,1117,1119],{"href":1118},"\u002Fhelp\u002Fsecurity-privacy\u002Fnetwork-security","Network security"," for details on how each connection is secured.",[24,1122,1124],{"id":1123},"authentication-and-login-security","Authentication and login security",[11,1126,1127],{},"All authentication is handled by MultiClaw Cloud. You can sign in with email and password or through Multiplai single sign-on (SSO). 
Sessions use short-lived tokens that rotate automatically, and repeated failed login attempts trigger temporary account lockouts.",[11,1129,241,1130,1133],{},[18,1131,1124],{"href":1132},"\u002Fhelp\u002Fsecurity-privacy\u002Fauthentication-and-login-security"," for details on session handling, token rotation, and lockout policies.",[24,1135,1137],{"id":1136},"roles-and-access-control","Roles and access control",[11,1139,1140],{},"MultiClaw uses role-based access control (RBAC) in workspaces. Each person is assigned exactly one role — Owner or Member — which determines what they can view, create, and manage. Permissions follow a least-privilege model: users only have access to what their role requires.",[11,1142,241,1143,1146],{},[18,1144,1137],{"href":1145},"\u002Fhelp\u002Fsecurity-privacy\u002Froles-and-access-control"," for the full permission matrix.",[24,1148,1150],{"id":1149},"encryption-at-rest-and-in-transit","Encryption at rest and in transit",[11,1152,1153,1156,1157,1160,1161,1163,1164,1167,1168,1171],{},[15,1154,1155],{},"Config values"," are stored in your local config file (",[506,1158,1159],{},"~\u002F.openclaw\u002Fopenclaw.json",") as plain JSON. The file is not encrypted at rest; it is protected by your operating system's file permissions. Credentials and API keys stored in ",[15,1162,713],{}," receive an additional application-layer encryption with ",[15,1165,1166],{},"AES-256"," on top of AWS disk encryption. All connections to external MultiClaw services use ",[15,1169,1170],{},"TLS 1.2 or higher",", covering both HTTPS and WebSocket (WSS) traffic. 
Communication between the desktop app and the local OpenClaw gateway uses an unencrypted connection on localhost only — this traffic never leaves your machine.",[11,1173,241,1174,1176],{},[18,1175,612],{"href":611}," for the full encryption model.",[24,1178,1180],{"id":1179},"local-first-data-storage","Local-first data storage",[11,1182,1183],{},"Your agents, conversations, and credentials are stored on your machine by default. When you're not connected to a workspace, everything stays local. When you connect to a workspace, conversation transcripts sync to MultiClaw Cloud automatically.",[11,1185,241,1186,1188],{},[18,1187,1033],{"href":1032}," for details on where your data lives.",[24,1190,1192],{"id":1191},"credential-and-secret-storage","Credential and secret storage",[11,1194,1195,1196,1198],{},"Credentials and other sensitive values are stored in your local config file (",[506,1197,1159],{},") as plain JSON, protected by operating system file permissions. The desktop app does not send stored credentials to MultiClaw Cloud. Each credential is scoped to the context that needs it.",[11,1200,241,1201,1203],{},[18,1202,617],{"href":616}," for details on how credentials are stored, scoped, and managed.",[24,1205,1207],{"id":1206},"sandboxed-desktop-app","Sandboxed desktop app",[11,1209,1210,1211,1214],{},"The desktop app is built on ",[15,1212,1213],{},"Tauri v2",", which enforces a capability-based permission model. The interface layer cannot access your filesystem or start processes on its own. 
Every sensitive operation goes through an explicitly declared Tauri command, limiting the potential damage from any interface-level vulnerability.",[11,1216,241,1217,1221],{},[18,1218,1220],{"href":1219},"\u002Fhelp\u002Fsecurity-privacy\u002Fdesktop-app-security","Desktop app security"," for details on the sandboxing model and capability declarations.",[24,1223,1225],{"id":1224},"browser-extension-isolation","Browser extension isolation",[11,1227,1228],{},"The MultiClaw Chrome Extension content script is loaded on all pages, but it only captures and transmits interaction data when a recording session is active. Event listeners are registered when the extension loads; they check whether recording is active before capturing anything, and no data is collected or sent between sessions.",[11,1230,241,1231,739],{},[18,1232,738],{"href":737},[24,1234,245],{"id":1062},[11,1236,1237],{},"MultiClaw Desktop does not collect usage analytics or telemetry. If the app crashes, the crash log stays on your machine. Conversation content stays on your machine unless you choose to sync it to a workspace. MultiClaw Cloud stores only the account, workspace, and session data needed to operate the service.",[11,1239,241,1240,1242],{},[18,1241,245],{"href":244}," for what data MultiClaw collects, how long it's retained, and your rights.",[24,1244,1246],{"id":1245},"signed-updates-and-supply-chain-security","Signed updates and supply chain security",[11,1248,1249,1250,1253],{},"App updates are signed with ",[15,1251,1252],{},"minisign",". Before installing an update, the updater verifies the signature against the published public key and rejects any update with an invalid or missing signature. 
Third-party dependencies are pinned to exact versions, scanned for vulnerabilities, and reviewed before they ship.",[11,1255,241,1256,1260],{},[18,1257,1259],{"href":1258},"\u002Fhelp\u002Fsecurity-privacy\u002Fdependency-and-supply-chain-security","Dependency and supply chain security"," for the full scanning and review process.",[24,1262,1264],{"id":1263},"allowed-external-connections","Allowed external connections",[11,1266,1267],{},"MultiClaw makes a fixed, documented set of outbound connections from your machine. Each connection has a specific purpose — API calls, real-time updates, AI execution, or update checks. No undocumented connections are made.",[11,1269,241,1270,1273],{},[18,1271,1264],{"href":1272},"\u002Fhelp\u002Fsecurity-privacy\u002Fallowed-external-connections"," for the full list of endpoints, protocols, and when each connection occurs.",[24,1275,1277],{"id":1276},"incident-reporting","Incident reporting",[11,1279,1280],{},"If you discover a security vulnerability, you can report it directly to the MultiClaw security team. Reports are acknowledged within 24 hours and follow a structured triage and resolution process.",[11,1282,241,1283,1286],{},[18,1284,6],{"href":1285},"\u002Fhelp\u002Fsecurity-privacy\u002Fincident-reporting-and-response"," for how to submit a report and what to expect.",[24,1288,1290],{"id":1289},"shared-responsibility","Shared responsibility",[11,1292,1293],{},"Security in MultiClaw is a shared effort. MultiClaw secures the infrastructure, encrypts data in transit, and hardens the app. 
You're responsible for protecting your credentials, managing workspace access, and configuring agents appropriately.",[11,1295,241,1296,1298],{},[18,1297,285],{"href":284}," for a clear breakdown of what each party owns.",{"title":287,"searchDepth":288,"depth":288,"links":1300},[1301,1302,1303,1304,1305,1306,1307,1308,1309,1310,1311,1312,1313],{"id":1085,"depth":288,"text":1086},{"id":1123,"depth":288,"text":1124},{"id":1136,"depth":288,"text":1137},{"id":1149,"depth":288,"text":1150},{"id":1179,"depth":288,"text":1180},{"id":1191,"depth":288,"text":1192},{"id":1206,"depth":288,"text":1207},{"id":1224,"depth":288,"text":1225},{"id":1062,"depth":288,"text":245},{"id":1245,"depth":288,"text":1246},{"id":1263,"depth":288,"text":1264},{"id":1276,"depth":288,"text":1277},{"id":1289,"depth":288,"text":1290},"MultiClaw protects your data through layered security, TLS encryption in transit, app sandboxing, and a no-telemetry policy.",{},1,"\u002Fsecurity-privacy\u002Fsecurity-overview",[641,1319,1320,642,306],"security-privacy\u002Fnetwork-security","security-privacy\u002Fbrowser-extension-security",{"title":607,"description":1314},"security-overview","help\u002Fsecurity-privacy\u002F01.security-overview","3x0_VX5XDDMQT5kwODVWQnpjsjlxJfe0Lbg5V4Kim9I","Security overview MultiClaw protects your data through layered security, TLS encryption in transit, app sandboxing, and a no-telemetry policy.",1778463888184]