Security

Effective: 2026-05-01

Overview

MemClaw is operated by Caura Innovations Ltd (Israel). This page summarises our security program for prospective customers and procurement teams. For contractual security commitments, see Annex II of the Data Processing Addendum.

1. Architecture

MemClaw runs on Google Cloud Platform. Compute is provided by Cloud Run; the primary database is Cloud SQL (PostgreSQL with the pgvector extension); caching and sessions use Memorystore (Redis); asynchronous events flow through a managed message queue. Production workloads currently reside in the us-central1 region.

2. Data protection

In transit. All external and inter-service traffic is encrypted with TLS 1.2 or later.

At rest. Google Cloud encrypts all persistent storage (Cloud SQL, Cloud Storage, Memorystore) at rest with Google-managed keys.

Tenant isolation. PostgreSQL Row-Level Security policies enforce per-tenant isolation on all tables containing Customer Data; the session variable those policies evaluate is set and validated by the application layer for every authenticated request.

Credentials. End-user passwords are hashed with bcrypt and a per-user salt. API keys are stored as salted hashes; the clear-text key is shown only once at creation and cannot be retrieved later.

3. Access control

Production access is limited to a small number of named engineers using least-privilege IAM roles on Google Cloud. Administrative access requires two-factor authentication. Break-glass access events are logged and reviewed.

4. Authentication

Customers can sign in with email + password (bcrypt-hashed, rate-limited) or GitHub OAuth. Session tokens are rotated on sensitive actions such as password change and API-key generation.

5. Logging and monitoring

Structured application logs are retained centrally on Google Cloud Logging. Authentication-event IP addresses are captured for abuse detection and purged after 90 days.

6. Backups and business continuity

Automated database backups are retained for up to 90 days on a rolling basis. Backup storage is encrypted at rest. Restore procedures are tested at least quarterly. Target recovery point objective (RPO) is 24 hours; target recovery time objective (RTO) is 24 hours.

7. Vulnerability management and responsible disclosure

Our CI pipeline runs dependency scanning on every pull request. We welcome reports of vulnerabilities from security researchers at security@caura.ai. Please allow reasonable time for investigation and remediation before public disclosure.

8. Sub-processor governance

Third-party services that help operate MemClaw are listed publicly at /legal/subprocessors. Sub-processor DPAs are reviewed before onboarding.

9. Certifications roadmap

SOC 2 Type II is on our roadmap. ISO 27001 is under evaluation. We will update this page as audits are completed.

10. Questions

For security questionnaires, DPIA support, penetration-test summaries, or other procurement documentation, email security@caura.ai.

Last updated: 2026-05-01. We may revise this document from time to time; account owners are notified of material changes at least 30 days in advance where required.