For security, infra, and leadership
Bringing ClawMetry to your team
A 5-minute procurement pack. Architecture, security controls, deployment options, and the eight questions security and infra teams always ask. Share the link, attach the page, or copy into a procurement ticket.
01What ClawMetry is
ClawMetry is the real-time observability and governance layer for AI agents. It installs in 30 seconds, runs on your own hardware, and shows every tool call, sub-agent spawn, token spend, runaway loop, and policy violation across OpenClaw, Claude Code, Codex, Cursor, NemoClaw, and Hermes.
Data is end-to-end encrypted before it leaves the machine. The cloud dashboard decrypts client-side in the browser using a key only your team holds. 200,000+ pip installs across 123+ countries. 350+ GitHub stars. OSS core under MIT.
02Security posture
- End-to-end encryption (AES-256-GCM)From the daemon to the browser. The cloud server cannot read your data. The key is generated at install time and never leaves your machine.
- Server-side secret redaction at ingestProvider API keys, bearer tokens, password fields, and PEM private keys are fingerprinted before they rest in DuckDB. On by default.
- Tamper-evident hash chain over the audit logEvery event is linked to the previous event by a SHA-256 chain. A
clawmetry verify-integrityCLI detects any post-write mutation. - Read-only by defaultClawMetry observes your agents, it does not modify them. The gateway token is operator.read only.
- Local-first architectureAll raw data lives on your machine in a local DuckDB store. The cloud dashboard is optional.
- SIEM exportSplunk, QRadar, ArcSight, Elastic, or any RFC 5424 collector. CEF or JSON. UDP, TCP, or TCP+TLS.
- Approval queue for high-risk tool callsThe daemon can block model calls, tool calls, and shell commands by policy.
- Open source (MIT) for the OSS coreAudit the code yourself: github.com/vivekchand/clawmetry.
03Deployment options
| Option | Where data lives | When to use |
|---|---|---|
| Free OSS | On your machine | Single engineer, 1 node, evaluating |
| Cloud Pro | Your machine; encrypted snapshot synced to ClawMetry Cloud | Small team, multiple nodes, no security review needed |
| Self-hosted Pro | Your machine; snapshot synced to your own server | Pro dashboard on your own infrastructure |
| On-prem Enterprise | Your machine; no network egress | Regulated industries, defense, banks, healthcare |
04Compliance and audit
- Security controls and compliance roadmapMapped controls list, current attestation status, and timeline available on request from security@clawmetry.com.
- Documents available on requestData flow diagram, penetration-test summary, sub-processor list, DPA template, and incident response plan.
- Incident responseCritical bugs get a same-day patch plus advisory at clawmetry.com/security. Email security@clawmetry.com.
05Procurement Q and A
Where does our data live?
On your machine, in a local DuckDB store. In Cloud Pro mode the daemon encrypts a periodic snapshot and pushes it to ClawMetry Cloud. In on-prem mode no data leaves your network.
Can ClawMetry read our prompts or our customer data?
No. The encryption key is generated on your machine at install time and never leaves it. The cloud server stores opaque ciphertext.
What is the retention policy?
Free: 7 days. Pro: 90 days. Enterprise: custom (90 days to indefinite).
Do you offer self-hosted or on-prem?
Yes. The OSS daemon is self-hosted by default. Enterprise customers get an on-prem license plus an air-gapped Pro dashboard and a Helm chart.
How do you handle secrets that an agent might echo into a tool argument?
Server-side redaction at ingest, on by default. Provider keys, bearer tokens, password fields, and PEM private keys are fingerprinted before they rest in DuckDB.
What is your incident response process?
Critical bugs get a same-day patch and advisory at clawmetry.com/security. Email security@clawmetry.com for direct contact.
What licenses are involved?
OSS daemon: MIT. Cloud Pro: commercial subscription. Enterprise: commercial annual license with on-prem rights and custom terms.
Who is behind ClawMetry?
Vivek Chand, founder. Email vivek@clawmetry.com for a 30 minute walkthrough.
Talk to us
A 30 minute call covers your architecture, your compliance requirements, and the deployment shape that fits. We come prepared.
Book a 30 min call →Or email enterprise@clawmetry.com. Security questions: security@clawmetry.com. Reply within 1 business day.