Back to Clawpy

Trust & Safety

Practical governance evidence, without pretending to be certified.

Clawpy is designed as a local-first AI workspace with explicit controls for high-impact actions. Our current trust and safety work focuses on practical engineering evidence: approval gates, audit logs, runtime cards, supplier and data inventories, incident review, and repeatable evidence exports.

Local-first evidence

Clawpy is built around local profiles, local runtime configuration, local audit logs, and local evidence exports by default.

Human oversight

Alfred and Lucius use authority modes and action gates to separate advice from mutations that need approval or blocking.

High-risk action matrix

Secret writes, workspace archive, autonomy changes, MCP/federation changes, communications config, browser config, and Marketplace installs are tracked in an operator action matrix.

Auditability

Evidence exports can include control mappings, test results, security baseline checks, incident reviews, runtime cards, and audit hash-chain evidence.

What we track

Evidence that can be regenerated.

Product-mode classification and intended-use boundaries
Data inventory, supplier register, and AI risk register
Approval behavior for high-risk operator actions
Runtime/model cards for local and connected execution paths
Post-market incident review workflow and review outcomes
Selected release tests and mock-audit findings

Current local result

Mock audit: WARN, not FAIL.

The latest internal local evidence review reports no local engineering blockers. The remaining warnings are intentionally limited to target-environment deployment checks and paused paid Marketplace commerce.

  • Evidence tests passed in the latest local evidence bundle.
  • The high-risk action matrix covered the sampled high-impact actions.
  • No open candidate incidents remained in the sampled review queue.
  • Audit hash-chain export was clean.
  • Runtime/model cards were present.

Important boundaries

What this page does not claim.

Clawpy is not currently ISO/IEC 42001 certified.
Clawpy is not currently EU AI Act conformity certified.
Clawpy is not currently certified by Credo AI or another GRC vendor.
This page is not legal advice and is not a guarantee that a specific deployment is compliant.
LAN, Tailscale, and public deployment security must be checked in the target environment before public-readiness claims.
Paid Marketplace commerce remains paused until prices, product IDs, and paid delivery rules are finalized.
Regulated, high-risk, or public deployments need their own review. Optional integrations such as cloud model providers, browser tools, communications providers, MCP servers, or Marketplace services may send data to third parties when configured by the operator.