Clawpilot
Back

Security

How we protect your data and our infrastructure

FR

1. Our Commitment

Protecting your data is a top priority for Clawpilot. This document describes the technical and organisational measures we have implemented to secure our infrastructure, applications, and the data entrusted to us.

We apply the principle of privacy by design: security is built into every feature from the outset, not added as an afterthought.

2. Infrastructure

2.1 Hosting & Data Location

  • Application servers: OVH SAS — data centre in France (EU)
  • Database: Supabase — EU Frankfurt region (Germany, EU)
  • Transactional email: Resend — EU infrastructure

All user data is hosted exclusively within the European Union, with no replication outside the EU.

2.2 Encryption in Transit

All communications between your browser and our servers are encrypted using TLS 1.2 minimum (Transport Layer Security). Unencrypted HTTP connections are automatically redirected to HTTPS.

2.3 Encryption at Rest

  • Data is encrypted at rest at the storage system level
  • OAuth access tokens are stored encrypted in the database
  • Passwords are hashed with a random salt (bcrypt)

2.4 Availability & Backups

  • Automatic daily encrypted database backups
  • Supabase Pro guarantees a minimum 7-day backup retention
  • Infrastructure status monitored in real time by our team

3. Application Security

3.1 Development Practices

  • Systematic code review before every production deployment
  • Regular dependency vulnerability audits
  • OWASP Top 10 guidelines followed (injection, XSS, CSRF, etc.)
  • Strict environment and secrets separation

3.2 Authentication

  • Authentication managed by Supabase Auth — no passwords stored in plain text
  • Secure sessions with short-lived JWT tokens
  • OAuth 2.0 for connecting social platforms
  • Two-factor authentication (2FA) supported for Clawpilot accounts

3.3 OAuth Token Management

  • Social API access tokens are stored encrypted, never exposed on the client side
  • Long-lived tokens are automatically refreshed
  • Revoking a connected account immediately invalidates the associated tokens on Clawpilot's side

4. Access Control

4.1 Data Access

  • Row Level Security (RLS) architecture on all sensitive tables — each organisation can only access its own data
  • Role-based access control (RBAC): admin, member, read-only — configured by the organisation
  • Production system access is restricted to authorised personnel via SSH authentication and mandatory 2FA

4.2 Organisation Isolation

Each Clawpilot organisation has an isolated data space, protected by Row Level Security (RLS) policies enforced at the database level. Every query is filtered by these policies before reaching the data, independently of the application layer.

4.3 Audit Logs

Logins and sensitive actions (account changes, invitations, revocations) are logged. Logs are retained for 30 days.

5. Incident Management

In the event of a confirmed or suspected data breach, we commit to:

  • Notifying affected users within 72 hours of detecting the incident
  • Reporting the incident to the CNIL (French data protection authority) under GDPR Article 33 when the breach is likely to pose a risk to individuals' rights and freedoms
  • Documenting corrective measures taken and communicating them to affected parties

6. Reporting a Vulnerability

If you discover a security vulnerability on Clawpilot, we encourage you to report it responsibly. Please do not disclose it publicly until we have been able to address it.

Security Report

Send an email to legal@clawpilot.com with:

  • A description of the vulnerability
  • Steps to reproduce it
  • The estimated potential impact

We will acknowledge receipt within 48 hours and work with you to resolve the issue promptly.

7. Contact

For any security-related questions about the platform:

legal@clawpilot.com

CLAWPILOT — 59 Rue de Ponthieu, Bureau 326, 75008 Paris, France