Security

Self-hosted

When you run Engram with Docker Compose on your own hardware:

  • API keys stay on your server — they are never sent to Engram infrastructure
  • memcp data is stored in a SQLite file that you control, in the volume mount directory
  • claw-control dashboard is only accessible from your server by default (localhost binding)
  • All inter-service communication happens inside the Docker network, not exposed externally

For production deployments, set a strong CLAWCONTROL_SECRET and put claw-control behind a TLS-terminating reverse proxy. Do not expose memcp or OpenClaw ports directly to the internet.
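
One way to check a deployment against the advice above, as an added example that is not part of the Engram documentation: it audits the normalized JSON printed by `docker compose config --format json`. The service names, port numbers, sample secret and the 32-character minimum are constructed assumptions.

```python
import ipaddress

MIN_SECRET_LEN = 32  # assumption: our own threshold, not taken from the Engram docs

def is_loopback(host_ip):
    """True only when a published port is bound to a loopback address."""
    if not host_ip:  # Compose omits host_ip when the port binds to all interfaces
        return False
    try:
        return ipaddress.ip_address(host_ip).is_loopback
    except ValueError:
        return False

def weak_secret(value):
    """Return a reason string for a missing, short or low-variety secret, else None."""
    if not value:
        return "CLAWCONTROL_SECRET is not set"
    if len(value) < MIN_SECRET_LEN:
        return f"CLAWCONTROL_SECRET is shorter than {MIN_SECRET_LEN} characters"
    if len(set(value)) < 10:
        return "CLAWCONTROL_SECRET has very few distinct characters"
    return None

def audit(config):
    """Flag ports published beyond localhost and weak CLAWCONTROL_SECRET values."""
    findings = []
    for name, svc in config.get("services", {}).items():
        for port in svc.get("ports", []):
            if not is_loopback(port.get("host_ip")):
                findings.append(f"{name}: port {port.get('published')} is published beyond localhost")
        env = svc.get("environment") or {}  # a map in the normalized output
        if "CLAWCONTROL_SECRET" in env:
            problem = weak_secret(env["CLAWCONTROL_SECRET"])
            if problem:
                findings.append(f"{name}: {problem}")
    return findings

# Constructed sample in the shape of `docker compose config --format json` output.
SAMPLE = {"services": {
    "memcp": {"ports": [{"host_ip": "127.0.0.1", "published": "8001", "target": 8001}]},
    "openclaw": {"ports": [{"published": "8002", "target": 8002}]},
    "claw-control": {
        "ports": [{"host_ip": "127.0.0.1", "published": "8003", "target": 8003}],
        "environment": {"CLAWCONTROL_SECRET": "changeme"}},
}}

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "no findings")
```

To audit a real deployment, load the command's output with `json.load` and pass the result to `audit` in place of `SAMPLE`.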

Hosted beta

For the hosted product at engram.host:

  • Each account gets an isolated database — no shared storage between tenants
  • TLS on all connections
  • API keys are stored encrypted at rest
  • You can delete all your data at any time from claw-control Settings

We do not log message content beyond what you can see in the Task Log (which you control).