Security
How SearchClaw protects your data and infrastructure.
Infrastructure
✓ Cloudflare Tunnel — No ports exposed to the public internet. All traffic routed through Cloudflare's encrypted tunnels.
✓ Encrypted at rest — PostgreSQL data encrypted at the storage layer. Redis data stored in memory with no disk persistence for sensitive payloads.
✓ TLS everywhere — All connections use TLS 1.2+. Internal services communicate over encrypted channels.
✓ Kubernetes — Deployed on isolated Kubernetes clusters with network policies, pod security standards, and automatic rolling updates.
Authentication
✓ HMAC-SHA256 API keys — Keys are hashed with HMAC-SHA256 before storage. Raw keys are never persisted.
✓ bcrypt password hashing — User passwords hashed with bcrypt and per-user salts. No plaintext passwords stored.
✓ Per-key rate limiting — Sliding window rate limits per API key prevent brute-force attacks and abuse.
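As an added illustration (not SearchClaw's own code), the example below shows how the two API-key controls above can fit together: only the HMAC-SHA256 digest of a key is stored, and that digest identifies the sliding-window bucket for the key. SERVER_SECRET, the limit values, the sk_ key prefix and the in-memory store are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict, deque
from typing import Optional

SERVER_SECRET = secrets.token_bytes(32)  # assumption: HMAC key kept outside the database
WINDOW_SECONDS = 60                      # assumption: constructed limit values
MAX_REQUESTS = 3


def key_digest(raw_key: str) -> str:
    """HMAC-SHA256 of the raw API key; this is the only form that gets stored."""
    return hmac.new(SERVER_SECRET, raw_key.encode(), hashlib.sha256).hexdigest()


class KeyStore:
    def __init__(self) -> None:
        self._digests = set()            # stands in for the stored-keys table
        self._hits = defaultdict(deque)  # digest -> timestamps of accepted requests

    def issue(self) -> str:
        raw = "sk_" + secrets.token_urlsafe(32)  # hypothetical key format
        self._digests.add(key_digest(raw))
        return raw  # returned to the caller once; never written to storage

    def authenticate(self, presented: str) -> Optional[str]:
        digest = key_digest(presented)
        return digest if digest in self._digests else None  # lookup by digest

    def allow(self, digest: str, now: float) -> bool:
        hits = self._hits[digest]
        while hits and hits[0] <= now - WINDOW_SECONDS:  # drop hits outside the window
            hits.popleft()
        if len(hits) >= MAX_REQUESTS:
            return False
        hits.append(now)
        return True

    def handle(self, presented: str, now: float) -> int:
        """Return the HTTP status a request with this key would get at time `now`."""
        digest = self.authenticate(presented)
        if digest is None:
            return 401
        return 200 if self.allow(digest, now) else 429
```

A dump of the stored digests does not yield usable keys without SERVER_SECRET, which is why the HMAC key is assumed to live apart from the key table.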
Data Handling
✓ Zero data retention mode — Set the X-Data-Retention: none header to skip all caching and query logging. Only endpoint, credits, and timestamp are recorded.
✓ No query logging by default — Query content is not stored in usage records. Only metadata (endpoint, credits, timing) is tracked.
✓ Auto-expiring cache — Redis cache entries automatically expire (1-24 hours depending on content type). No indefinite data retention.
Compliance
✓ GDPR-ready — Full data deletion on account closure. Users can export or delete their data at any time.
✓ No third-party data sharing — Scraped/extracted content is never shared with third parties or used for model training.
✓ SOC 2 — Type II certification in progress. Contact us for our current security questionnaire and audit reports.
Responsible Disclosure
If you discover a security vulnerability, please report it responsibly. We appreciate your help keeping SearchClaw and our users safe.
Email: security@searchclaw.dev
We aim to acknowledge reports within 24 hours and resolve critical issues within 72 hours.