Security.
Informative description of the security posture of the FanClaw service. This document complements the Legal notice and Terms and the Privacy Policy. It does not constitute a contractual warranty of security nor an obligation of result.
Local by construction.
The FanClaw service follows a local architecture: content, conversations and audience data are stored in an encrypted local store on the user's device and do not transit through the publisher's infrastructure.
The surface exposed to the publisher is therefore reduced. The measures described below cover the components under the publisher's operational control and the principles implemented for local execution. The security of the locally stored data and of the user's computing environment is the user's responsibility under Article 4.
This document is descriptive. It does not constitute a warranty of absolute security, a service-level agreement nor an obligation of result. No information system can be guaranteed defect-free.
Components and trust boundaries.
Desktop application. Binary installed on the user's device, executing the local agent, encrypted local store and automation modules. The application runs in the user's own security context on their OS.
Licence server. Service operated by the publisher, dedicated to licence verification and activation-token issuance. It does not process user content, conversations or audience data.
Sub-processors. Each sub-processor listed in the Privacy Policy operates within its own scope, governed by a sub-processing agreement compliant with Article 28 GDPR.
Local boundary. Content, conversations and audience data do not cross the local boundary of the device. Only data strictly necessary to activation, billing and, where applicable, optional telemetry is transmitted to the publisher's infrastructure.
User responsibility. Device security, OS patching, disk-encryption configuration and integrity of third-party software remain the user's responsibility.
Measures in place.
In-transit encryption. Communications between the application and the publisher's endpoints are protected by a recent version of TLS.
At-rest encryption. The local store is encrypted using an industry-grade symmetric algorithm (AES-256). The key is derived from a user-controlled secret stored in the OS credential vault.
Binary integrity. Public releases are signed with a dedicated code-signing key. Distribution channels verify the signature before installation.
Authentication. Activation tokens issued by the licence server are signed, short-lived and bound to the device identifier for which they were issued.
Isolation. The application runs within the perimeter of a notarised desktop application and does not request elevated system privileges.
Telemetry minimisation. Telemetry, when activated by the user, by design excludes user content and directly identifying information.
Evolution. The measures described may evolve to address threat-landscape changes, available techniques and state of the art.
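As an added illustration, not FanClaw's own code or token format, the following shows how the three properties stated above for an activation token (signed, short-lived, bound to a device identifier) can be checked by the verifying side; the key, claim names and lifetime are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real licence server would hold this in a key store.
DEMO_SERVER_KEY = b"constructed-demo-key-not-a-real-secret"


def _b64u(raw: bytes) -> bytes:
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def _b64u_decode(data: bytes) -> bytes:
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))


def issue_token(key: bytes, device_id: str, ttl_s: int, now: int) -> bytes:
    """Issue `<payload>.<hmac>`: claims carry the device binding and expiry."""
    payload = {"device_id": device_id, "iat": now, "exp": now + ttl_s}
    body = _b64u(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
    sig = _b64u(hmac.new(key, body, hashlib.sha256).digest())
    return body + b"." + sig


def verify_token(key: bytes, token: bytes, device_id: str, now: int) -> tuple[bool, str]:
    """Check signature first, then lifetime, then device binding.

    Returns (ok, reason); the reason is useful for logging rejected activations.
    """
    parts = token.split(b".")
    if len(parts) != 2:
        return False, "malformed"
    body, sig = parts
    expected = _b64u(hmac.new(key, body, hashlib.sha256).digest())
    # Constant-time compare; reject before touching the untrusted payload.
    if not hmac.compare_digest(sig, expected):
        return False, "bad-signature"
    try:
        claims = json.loads(_b64u_decode(body))
    except (ValueError, UnicodeDecodeError):
        return False, "malformed"
    if now >= int(claims.get("exp", 0)):
        return False, "expired"
    if claims.get("device_id") != device_id:
        return False, "device-mismatch"
    return True, "ok"
```

Signature verification precedes JSON parsing so that an unsigned or tampered token never reaches the parser.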
Shared responsibility.
Publisher. Implementation of the technical and organisational measures described herein, sub-processor management, diligent handling of reports under Article 6, incident management under Article 7.
User. Under the Terms, the user is responsible for: (i) physical and logical security of the device; (ii) safe-keeping of activation credentials and of the master password protecting the local store; (iii) OS patching; (iv) vigilance regarding other software installed on the same device; (v) regular backups of locally stored data, the publisher providing no backup; (vi) compliance of the user's use with applicable law and third-party environment conditions.
Third-party environments. The security of third-party environments to which the user connects the service is exclusively the responsibility of their operators. The publisher cannot be held liable for vulnerability, compromise or unavailability affecting these environments, nor for actions they may take against the user.
Article 5. No warranty of absolute security.
What this document does not warrant.
No absolute security warranty. The publisher warrants neither impossibility of intrusion, compromise nor data loss.
No SLA. This document creates no quantified undertaking on availability, support response time, remediation time or service level, save in a separately subscribed dedicated offer.
No certification. The service is not, at the date of this document, certified under any security or compliance scheme.
Force majeure. The publisher bears no liability for default or unavailability resulting from a force-majeure event as defined in the Terms, in particular generalised network outages, unforeseeable cyber-attacks, essential sub-contractor failures, administrative or judicial decisions, and exceptional weather events.
Limitation of liability. Any engagement of the publisher's liability with respect to security is governed by the Terms, in particular Article 8.
How to report a vulnerability.
Channel. Reports are sent to legal@fanclaw.ai with the subject “Security report”.
Good faith. The researcher acts in good faith, in compliance with applicable law, without extracting personal data, without disrupting the service and without harming third parties.
Out of scope. Outside this framework: denial-of-service tests without prior written authorisation, social engineering of the publisher's perimeter, physical attacks and any test likely to cause material or personal harm.
Coordination. Where appropriate, the publisher coordinates public disclosure with remediation in liaison with the researcher. No timeline is committed.
No bounty programme. This framework does not constitute, as it stands, a bug-bounty programme and gives no right to remuneration.
Response and notification.
Notification to the authority. Where an incident constitutes a personal-data breach within the meaning of Article 4(12) GDPR, the publisher notifies the CNIL under the conditions and within the timeframes of Article 33 GDPR.
Notification to data subjects. Where the breach is likely to result in a high risk to data subjects' rights and freedoms, the publisher informs them under Article 34 GDPR.
Internal review. Every significant incident is subject to an internal review whose findings inform the evolution of the security measures.
Evolution of this document. This document is updated to reflect evolutions of the measures. The applicable version is the one published at this URL. Continued use constitutes acceptance.
Authoritative version. In case of conflict between this English version and the French version available at /security, the French version prevails.
Any report or question can be sent to legal@fanclaw.ai.