Security

Security practices for AI workers that operate inside real work

Clerwell is built around roles, permissions, auditability, deployment choice, and human oversight so teams can use AI workers with clearer control.

Security approach

Clerwell treats AI workers as accountable software actors. Each worker should have a clear identity, owner, role, permissions, connected tools, memory boundary, and audit trail. Security is designed around limiting what a worker can access, recording important actions, and giving people control over approvals.

Access control

  • Role-based permissions for users, administrators, and AI workers.
  • Least-privilege access to connected tools and workspace data.
  • Separate worker identities so actions can be attributed and reviewed.
  • Support for enterprise controls such as SSO, SAML, and RBAC where included in the selected plan.

Data protection

  • Encryption in transit where supported by the service and connected infrastructure.
  • Encryption at rest where supported by the selected deployment environment and storage provider.
  • Controls for model routing, bring-your-own keys, private cloud, self-deployment, and on-premise deployment.
  • Administrative controls for worker memory, logs, connected tools, and retention settings.

Audit logs and oversight

Clerwell is designed to record important worker actions, approvals, tool calls, authentication events, and security-relevant activity. Teams can use these logs to review what happened, investigate issues, and refine worker permissions.

Human approval

Customers should configure approval rules for sensitive actions such as sending external messages, modifying records, handling regulated data, using production systems, or making decisions that affect people. Clerwell workers are intended to support human judgment, not replace it where review is required.

Deployment models

Clerwell may be used through managed, self-deployed, private cloud, or on-premise models. Security responsibilities depend on the chosen model. In self-deployed and customer-controlled environments, customers are responsible for infrastructure hardening, patching, backups, secrets management, network access, provider keys, and compliance controls.

Incident response

Clerwell monitors and investigates security issues according to the selected service model. If we determine that an incident affects personal data or customer content under our control, we will take appropriate steps to contain the issue, investigate, remediate, and notify affected customers as required by law or agreement.

Responsible disclosure

If you believe you have found a security vulnerability, contact hello@clerwell.com. Please include enough detail to reproduce the issue and avoid accessing, modifying, deleting, or disclosing data that is not yours.

Customer responsibilities

  • Use strong authentication and restrict administrator access.
  • Review worker permissions before connecting production tools.
  • Use separate provider keys and rotate secrets when needed.
  • Set retention, approval, logging, and escalation rules that match your risk profile.
  • Train users to review AI outputs before relying on them for important decisions.

Company contact

CLERWELL PRIVATE LIMITED

CIN: U62099KA2026PTC220395

Registered Office: NO A 52, RPR COMPLEX, FIFTH FLOOR 1ST MAIN ROAD, Ramamurthy Nagar, Bangalore North, Bangalore – 560016, Karnataka, India

Email: hello@clerwell.com