Security & Privacy Policy
Last updated: February 23, 2026
🔒 Our Guarantee
Your secrets never leave your device.
We analyze your OpenClaw config, not your API keys. You stay in control.
Two Ways to Scan
1. Local Scanner (Recommended)
100% Private. Zero data sent.
- Download our open-source scanner
- Run it on your machine
- Analysis happens locally
- Only anonymized metadata in report (optional to share)
- Your API keys never leave your device
Download: npx proofmeta-scan your-config.json
2. Web Upload (Auto-Redacted)
If you prefer web upload, we automatically remove all secrets.
- Upload your openclaw.json
- Our system automatically detects and removes:
  - API keys
  - Tokens
  - Passwords
  - Webhook URLs
  - Connection strings
- We analyze only structure and settings
- Redacted file deleted after analysis
What We Collect
Local Scanner
- Nothing. Everything stays on your machine.
Web Upload
- Email address (for sending report)
- Config structure (models, providers, settings)
- Anonymized usage patterns
- NOT collected: API keys, tokens, secrets, URLs, project names
Data Retention
- Uploaded files: Deleted within 24 hours
- Scan reports: 30 days (for your access)
- Aggregated statistics: Indefinitely (fully anonymized)
Who Has Access
- Automated analysis system (read-only)
- No human reviews your config
- Support access only with explicit permission
Security Measures
- Automatic secret redaction before storage
- Encryption in transit (HTTPS)
- No third-party analytics or tracking
- Minimal data principle: we collect only what's needed
- Regular security audits
Compliance
- GDPR compliant
- Data processing agreement available on request
- Right to deletion: contact hello@proofmeta.com
For Enterprise Customers
We offer:
- On-premise scanning solution
- Custom NDA / DPA
- Air-gapped analysis
- SOC 2 compliance documentation
Contact: hello@proofmeta.com
Questions?
Email us: hello@proofmeta.com
We respond within 24 hours.