openclaw/docs/compliance/index.md

4.8 KiB

title summary permalink
Compliance Overview SOC2 and ISO 27001 compliance documentation and readiness resources for Moltbot deployments. /compliance/

Compliance Overview

This section provides governance and procedure documentation to support SOC2 Type II and ISO 27001 compliance for Moltbot enterprise deployments.

Technical Controls Foundation

Moltbot includes built-in security controls that form the technical foundation for compliance:

Control Implementation Documentation
Audit logging ~/.clawdbot/audit.jsonl with 7-day retention Security Hardening
Role-based access control 4 built-in roles with granular permissions RBAC Guide
Authentication Token, password, and Tailscale modes Gateway Authentication
Rate limiting Token bucket with per-client tracking Rate Limiting
Security audit CLI Automated checks for misconfigurations Security Audit

Compliance Documents

Policies and Procedures

Document Purpose SOC2 Mapping ISO 27001 Mapping
Incident Response Security incident detection, triage, and recovery CC7.2, CC7.3, CC7.4 A.16.1
Access Control Policy User access management and RBAC governance CC6.1, CC6.2, CC6.3 A.9.1, A.9.2, A.9.4
Change Management Configuration and version change procedures CC8.1 A.12.1, A.14.2
Vulnerability Disclosure Responsible disclosure and security reporting CC7.1 A.12.6

Measurement and Readiness

Document Purpose SOC2 Mapping ISO 27001 Mapping
Security Metrics KPIs and continuous monitoring guidance CC4.1, CC4.2 A.18.2
Readiness Checklist Self-assessment for audit preparation All TSC Clause 9, 10

SOC2 Trust Services Criteria Coverage

Category Criteria Primary Documents
CC1: Control Environment Governance and oversight Readiness Checklist
CC2: Communication Internal security communication Incident Response
CC3: Risk Assessment Risk identification Threat Model
CC4: Monitoring Ongoing monitoring activities Security Metrics
CC5: Control Activities Policy implementation Access Control Policy
CC6: Logical Access Access management Access Control Policy
CC7: System Operations Incident management Incident Response, Vulnerability Disclosure
CC8: Change Management Change control Change Management
CC9: Risk Mitigation Recovery planning Incident Response

ISO 27001 Annex A Coverage

Control Domain Controls Primary Documents
A.9 Access Control A.9.1-A.9.4 Access Control Policy
A.12 Operations Security A.12.1, A.12.6 Change Management, Vulnerability Disclosure
A.14 System Acquisition A.14.2 Change Management
A.16 Incident Management A.16.1 Incident Response
A.18 Compliance A.18.2 Security Metrics, Readiness Checklist

Automated Compliance Verification

Run the security audit to verify compliance controls:

# Full security audit with deep gateway probe
clawdbot security audit --deep

# Summary of findings by severity
clawdbot security audit --summary

The audit checks:

  • Gateway authentication configuration
  • RBAC policy effectiveness
  • File permission hardening
  • Channel security policies
  • Rate limiting status
  • Audit logging enablement

Getting Started

  1. Assess current state: Run clawdbot security audit --deep to identify gaps
  2. Review policies: Read each compliance document and adapt to your organization
  3. Implement controls: Configure RBAC, audit logging, and authentication per guidelines
  4. Collect evidence: Use the Readiness Checklist to gather audit artifacts
  5. Monitor continuously: Set up Security Metrics dashboards for ongoing compliance

Last updated: 2026-01-27