4.8 KiB
4.8 KiB
| title | summary | permalink |
|---|---|---|
| Compliance Overview | SOC2 and ISO 27001 compliance documentation and readiness resources for Moltbot deployments. | /compliance/ |
Compliance Overview
This section provides governance and procedure documentation to support SOC2 Type II and ISO 27001 compliance for Moltbot enterprise deployments.
Technical Controls Foundation
Moltbot includes built-in security controls that form the technical foundation for compliance:
| Control | Implementation | Documentation |
|---|---|---|
| Audit logging | ~/.clawdbot/audit.jsonl with 7-day retention |
Security Hardening |
| Role-based access control | 4 built-in roles with granular permissions | RBAC Guide |
| Authentication | Token, password, and Tailscale modes | Gateway Authentication |
| Rate limiting | Token bucket with per-client tracking | Rate Limiting |
| Security audit CLI | Automated checks for misconfigurations | Security Audit |
Compliance Documents
Policies and Procedures
| Document | Purpose | SOC2 Mapping | ISO 27001 Mapping |
|---|---|---|---|
| Incident Response | Security incident detection, triage, and recovery | CC7.2, CC7.3, CC7.4 | A.16.1 |
| Access Control Policy | User access management and RBAC governance | CC6.1, CC6.2, CC6.3 | A.9.1, A.9.2, A.9.4 |
| Change Management | Configuration and version change procedures | CC8.1 | A.12.1, A.14.2 |
| Vulnerability Disclosure | Responsible disclosure and security reporting | CC7.1 | A.12.6 |
Measurement and Readiness
| Document | Purpose | SOC2 Mapping | ISO 27001 Mapping |
|---|---|---|---|
| Security Metrics | KPIs and continuous monitoring guidance | CC4.1, CC4.2 | A.18.2 |
| Readiness Checklist | Self-assessment for audit preparation | All TSC | Clause 9, 10 |
SOC2 Trust Services Criteria Coverage
| Category | Criteria | Primary Documents |
|---|---|---|
| CC1: Control Environment | Governance and oversight | Readiness Checklist |
| CC2: Communication | Internal security communication | Incident Response |
| CC3: Risk Assessment | Risk identification | Threat Model |
| CC4: Monitoring | Ongoing monitoring activities | Security Metrics |
| CC5: Control Activities | Policy implementation | Access Control Policy |
| CC6: Logical Access | Access management | Access Control Policy |
| CC7: System Operations | Incident management | Incident Response, Vulnerability Disclosure |
| CC8: Change Management | Change control | Change Management |
| CC9: Risk Mitigation | Recovery planning | Incident Response |
ISO 27001 Annex A Coverage
| Control Domain | Controls | Primary Documents |
|---|---|---|
| A.9 Access Control | A.9.1-A.9.4 | Access Control Policy |
| A.12 Operations Security | A.12.1, A.12.6 | Change Management, Vulnerability Disclosure |
| A.14 System Acquisition | A.14.2 | Change Management |
| A.16 Incident Management | A.16.1 | Incident Response |
| A.18 Compliance | A.18.2 | Security Metrics, Readiness Checklist |
Related Documentation
- Threat Model - Security threat analysis and mitigations
- Data Handling Policy - Data storage, retention, and privacy
- Security Hardening Guide - Technical security configuration
- Observability Guide - Metrics and monitoring setup
Automated Compliance Verification
Run the security audit to verify compliance controls:
# Full security audit with deep gateway probe
clawdbot security audit --deep
# Summary of findings by severity
clawdbot security audit --summary
The audit checks:
- Gateway authentication configuration
- RBAC policy effectiveness
- File permission hardening
- Channel security policies
- Rate limiting status
- Audit logging enablement
Getting Started
- Assess current state: Run
clawdbot security audit --deepto identify gaps - Review policies: Read each compliance document and adapt to your organization
- Implement controls: Configure RBAC, audit logging, and authentication per guidelines
- Collect evidence: Use the Readiness Checklist to gather audit artifacts
- Monitor continuously: Set up Security Metrics dashboards for ongoing compliance
Last updated: 2026-01-27