Microclaw

Publisher Attestation: The information on this page is based on a self-assessment report provided by the app developer on the security, compliance, and data handling practices followed by this app. Microsoft makes no guarantees regarding the accuracy of the information.

Last updated by the developer on: May 17, 2026

General information

Information provided by to Microsoft:

Information Response
App name Microclaw
ID microclaw.microclaw
Company's website https://microclaw.app
App's Terms of Use https://microclaw.app/terms
Core functionality of the app Microclaw is an AI assistant for Microsoft 365 that lives in Microsoft Teams. It reads and writes across the user's email, calendar, tasks, files, contacts, and notes via Microsoft Graph, in plain English, in one conversation. Supports event-driven automations and scheduled tasks. Uses Azure OpenAI (GPT-4o) for natural-language understanding. Delegated OAuth: acts only as the signed-in user.
Company headquarter location United States of America
App info page https://microclaw.app
What is the hosting environment or service model used to run your app? Paas
Which hosting cloud providers does the app use? Azure
Is AI functionality part of the app�s core features or workflows? Yes

Questions

Questions or updates to any of the information you see here? Contact us!

How the app handles data

This information has been provided by about how this app collects and stores organizational data and the control that your organization will have over the data the app collects.

Information Response
Does the app or underlying infrastructure process any data relating to a Microsoft customer or their device? Yes
What data is processed by your app? Microsoft Graph delegated access to the signed-in user's M365 content (email, calendar, files, OneNote, To Do, Planner, contacts, Teams) on user request. Microclaw stores: conversation transcripts, tool invocation logs, encrypted MSAL refresh tokens (Azure Key Vault), aggregate telemetry (no content), and user identity (UPN, tenant ID). Azure OpenAI used for LLM inference; no training on customer data.
Does the app support TLS 1.2 or higher? Yes
Does the app or underlying infrastructure store any Microsoft customer data? Yes
What data is stored in your databases? Postgres database (Azure Database for PostgreSQL Flexible Server, US East 2): conversation messages (user prompts and assistant responses), tool invocation logs, scheduled tasks, reminders, automation rules, webhook subscription metadata, user preferences, aggregate token usage (counts only, no content), and user/tenant identity. OAuth refresh tokens are not stored in the database; they are encrypted in Azure Key Vault (HSM-backed, FIPS 140-2 Level 2).
If underlying infastructure processes or stores Microsoft customer data, where is this data geographically stored? United States of America
Do you have an established data rentention and disposal process? Yes
How long is data retained after account termination? Less than 30days
Do you have an established data access management process? Yes
Do you transfer customer data or customer content to third parties or sub-processors? Yes
Do you have data sharing agreements in place with any third party service you share Microsoft customer data with? Yes

Questions

Questions or updates to any of the information you see here? Contact us!

This information has been provided by Microclaw about the security practices this app employs.

Information Response
Do you perform annual penetration testing on the app? No
Does the app have a documented disaster recovery plan, including a backup and restore strategy? Yes
Does your environment use traditional anti-malware protection or application controls? ApplicationControls
Do you have an established process for indentifying and risk ranking security vulnerabilities? Yes
Do you have a policy that governs your service level agreement (SLA) for applying patches? Yes
Do you carry out patch management activities according to your patching policy SLAs? Yes
Does your enviroment have any unsupported operating systems or software? No
Do you conduct quarterly vulnerability scanning on your app and the infastructure that supports it? Yes
Do you have a firewall installed on your external network boundary? Yes
Do you have an established change management process used to review and approve change requests before they are deployed to production? Yes
Is an additional person reviewing and approving all code change requests submitted to production by the original developer? No
Do secure coding practices take into account common vulnerability classes such as OWASP Top 10? Yes
Multifactor Authentication (MFA) enabled for: CodeRepositories, DNSManagement, Credential
Do you have an established process for provisioning, modification, and deletion of employee accounts? Yes
Do you have Intrusion Detection and Prevention (IDPS) software deployed at the perimeter of the network boundary supporting your app? N/A
Do you have event logging set up on all system components supporting your app? Yes
Are all logs reviewed on a regular cadence by human or automated tooling to detect potential security events? Yes
When a security event is detected are alerts automatically sent to an employee for triage? Yes
Do you have a formal information security risk management process established? Yes
Do you have a formal security incident response process documented and established? Yes
Do you report app or service data breaches to supervisory authorities and individuals affected by the breach within 72 hours of detection? Yes

Questions

Questions or updates to any of the information you see here? Contact us!

This information has been provided by Microclaw regarding the compliance standards their app requires and has the certifications they have accomplished.

Information Response
Does the app comply with the Health Insurance Portability and Accounting Act (HIPAA)? N/A
Does the app comply with Health Information Trust Alliance, Common Security Framework (HITRUST CSF)? N/A
Has the organization achieved a Service Organization Controls (SOC 1) Certification? No
Has the organization achieved a Service Organization Controls (SOC 2) Certification? No
Has the organization achieved a Service Organization Controls (SOC 3) Certification? No
Do you carry out annual PCI DSS assessments against the app and its supporting environment? N/A
Is the app International Organization for Standardization (ISO 27001) certified? No
Does the app comply with International Organization for Standardization (ISO 27018)? N/A
Does the app comply with International Organization for Standardization (ISO 27017)? N/A
Does the app comply with International Organization for Standardization (ISO 27002)? N/A
Is the app Federal Risk and Authorization Management Program (FedRAMP) compliant? No
Does the app comply with Family Educational Rights and Privacy Act (FERPA)? N/A
Does the app comply with Children's Online Privacy Protection Act (COPPA)? N/A
Does the app comply with Sarbanes-Oxley Act (SOX)? N/A
Does the app comply with NIST 800-171? N/A
Has the app been Cloud Security Alliance (CSA Star) certified? No

Questions

Questions or updates to any of the information you see here? Contact us!

Information Response
Do you have GDPR or other privacy or data protection requirements or obligations (such as CCPA)? Yes
Does the app have an external-facing privacy notice that describes how it collects, uses, shares, and stores customer data? Yes
Privacy Policy URL https://microclaw.app/privacy
Does the app perform automated decision making, including profiling that could have a legal effect or similar impact? No
Does the app process customer data for a secondary purpose not described in the privacy notice (i.e. marketing, analytics)? No
Do you process special categories of sensitive data (i.e. racial or ethnic origin, political opinion, religious or philosophical beliefs, genetic or biometric data, health data) or categories of data subject to breach notification laws? No
Does the app collect or process data from minors (i.e., individuals under the age of 16)? No
Does the app have capabilities to delete an individual's personal data upon request? Yes
Does the app have capabilities to restrict or limit the processing of an individual's personal data upon request? Yes
Does the app provide individuals the ability to correct or update their personal data? Yes
Are regular data security and privacy reviews performed (for example, Data Protection Impact Assessments or privacy risk assessments) to identify risks related to the processing of personal data for the app? Yes

Questions

Questions or updates to any of the information you see here? Contact us!

Information Response
Does your application integrate with Microsoft identity platform (Microsoft Entra ID) for single-sign on, API access, etc.? Yes
Have you reviewed and complied with all applicable best practices outlined in the Microsoft identity platform integration checklist? Yes
Does your app use the latest version of MSAL (Microsoft Authentication Library) or Microsoft Identity Web for authentication? Yes
Does your app support Conditional Access policies? Yes
List the types of policies supported Microclaw uses MSAL OAuth; Microsoft Entra evaluates these Conditional Access policy types at sign-in: MFA, compliant device / Intune managed device, hybrid Azure AD-joined device, sign-in risk and user risk, location/network-based access, block legacy authentication, sign-in frequency and persistent browser session controls. All evaluation occurs at the Microsoft identity layer during interactive sign-in; Microclaw does not implement app-side enforcement.
Does your app support Continuous Access Evaluation (CAE) No
Does your app store any credentials in code? No
Apps and add-ins for Microsoft 365 might use additional Microsoft APIs outside of Microsoft Graph. Does your app or add-in use additional Microsoft APIs? Yes

Data access using Microsoft Graph

Graph Permission Permission Type Justification Microsoft Entra App ID
Calendars.Read delegated Required for Microclaw to read the signed-in user's calendar when they ask about their schedule (e.g., "what's on my calendar today," "when am I free Thursday"). Read-only access, scoped to the signed-in user's calendars. ce7c465a-5ac0-41d5-ab58-566fdd3a89d2
Calendars.ReadWrite delegated Required for Microclaw to create, update, or delete calendar events on behalf of the signed-in user (e.g., "block 30 minutes tomorrow at 2pm," "cancel my 3pm meeting"). Scoped to the signed-in user's calendars. ce7c465a-5ac0-41d5-ab58-566fdd3a89d2
ChannelMessage.Read.All delegated Required for Microclaw to read messages from Teams channels the signed-in user is a member of, when they ask the assistant to summarize or search team conversations (e.g., "what was discussed in the #ops channel this week"). Read-only, scoped to channels the user has access to. ce7c465a-5ac0-41d5-ab58-566fdd3a89d2
ChannelMessage.Send delegated Required for Microclaw to post messages to Teams channels on behalf of the signed-in user when they ask the assistant to send a message (e.g., "post in #general that the meeting is cancelled"). Posts as the signed-in user. ce7c465a-5ac0-41d5-ab58-566fdd3a89d2
Chat.ReadWrite delegated Required for Microclaw to read and send Teams chat messages on behalf of the signed-in user (e.g., "DM Sarah and let her know I'll be 5 minutes late"). Scoped to chats the user participates in. ce7c465a-5ac0-41d5-ab58-566fdd3a89d2
Contacts.Read delegated Required for Microclaw to look up the signed-in user's personal contacts when they ask the assistant to find someone (e.g., "what's David Patel's email"). Read-only access to the signed-in user's personal contacts. ce7c465a-5ac0-41d5-ab58-566fdd3a89d2
Contacts.ReadWrite delegated Required for Microclaw to create or update personal contacts on behalf of the signed-in user (e.g., "save David Patel's email as a contact"). Scoped to the signed-in user's personal contacts. ce7c465a-5ac0-41d5-ab58-566fdd3a89d2
Files.Read delegated Required for Microclaw to read the signed-in user's OneDrive and SharePoint files when they ask the assistant to summarize, search, or report on their documents (e.g., "find the forecast doc," "what's in last month's report"). Read-only. ce7c465a-5ac0-41d5-ab58-566fdd3a89d2
Files.ReadWrite delegated Required for Microclaw to upload, rename, or modify OneDrive files on behalf of the signed-in user (e.g., "save this attachment to OneDrive," "rename the file"). Scoped to the signed-in user's drive. ce7c465a-5ac0-41d5-ab58-566fdd3a89d2
Group.Read.All delegated Required for Microclaw to discover the Microsoft 365 groups the signed-in user is a member of, used for SharePoint document library auto-discovery and Planner plan listing (e.g., "show me my team's Planner tasks"). Read-only access to groups the user belongs to. ce7c465a-5ac0-41d5-ab58-566fdd3a89d2
Group.ReadWrite.All delegated Required for Microclaw to create or update Planner plans and tasks within Microsoft 365 groups the signed-in user belongs to (e.g., "create a Planner plan for Q3 launch"). Scoped to groups the user is a member of. ce7c465a-5ac0-41d5-ab58-566fdd3a89d2
Mail.Read delegated Required for Microclaw to read the signed-in user's mailbox when they ask the assistant to summarize, search, or report on their email (e.g., "summarize my unread emails"). Read-only access, scoped to the signed-in user's mail only. ce7c465a-5ac0-41d5-ab58-566fdd3a89d2
Mail.ReadWrite delegated Required for Microclaw to flag, move, delete, draft, or modify email on behalf of the signed-in user when they request these actions in chat (e.g., "flag this email," "move to archive," "create a draft"). Scoped to the signed-in user's mailbox only. ce7c465a-5ac0-41d5-ab58-566fdd3a89d2
Mail.Send delegated Required for Microclaw to send email on behalf of the signed-in user when they ask the assistant to send a message (e.g., "send an email to alex@example.com saying..."). Sends as the signed-in user only; user confirms before send. ce7c465a-5ac0-41d5-ab58-566fdd3a89d2
Notes.Read delegated Required for Microclaw to read the signed-in user's OneNote notebooks and pages when they ask the assistant to summarize or pull notes (e.g., "what did I write in last week's OneNote"). Read-only. ce7c465a-5ac0-41d5-ab58-566fdd3a89d2
People.Read delegated Required for Microclaw to look up people the signed-in user interacts with across Microsoft 365 (relevant contacts, frequent collaborators) when they ask the assistant to find or message someone (e.g., "email the people on my project team"). Read-only. ce7c465a-5ac0-41d5-ab58-566fdd3a89d2
Presence.Read delegated Required for Microclaw to read the signed-in user's Teams presence status (Available / Busy / Away) when the assistant uses presence for scheduling or contextual decisions. Read-only, scoped to the signed-in user. ce7c465a-5ac0-41d5-ab58-566fdd3a89d2
Sites.Read.All delegated Required for Microclaw to read SharePoint document libraries the signed-in user has access to, used to find and read documents stored in SharePoint team sites (e.g., "find the forecast doc in the Finance site"). Read-only. ce7c465a-5ac0-41d5-ab58-566fdd3a89d2
Tasks.Read delegated Required for Microclaw to read the signed-in user's Microsoft To Do tasks when they ask about their task list (e.g., "what tasks do I have this week"). Read-only access, scoped to the signed-in user's tasks. ce7c465a-5ac0-41d5-ab58-566fdd3a89d2
Tasks.ReadWrite delegated Required for Microclaw to create, complete, or delete Microsoft To Do tasks on behalf of the signed-in user (e.g., "add a task to follow up with Sarah," "mark X as done"). Scoped to the signed-in user's tasks. ce7c465a-5ac0-41d5-ab58-566fdd3a89d2
Team.ReadBasic.All delegated Required for Microclaw to enumerate the Teams the signed-in user is a member of, for context when the user asks the assistant to act on a specific team (e.g., "post in the Engineering team"). Read-only, basic team metadata. ce7c465a-5ac0-41d5-ab58-566fdd3a89d2
User.Read delegated Required for Microclaw to read the signed-in user's basic profile (display name, UPN, tenant ID) for personalization and audit logging. Standard sign-in scope. ce7c465a-5ac0-41d5-ab58-566fdd3a89d2
User.ReadBasic.All delegated Required for Microclaw to resolve other users' basic profile information (display name, email) when the signed-in user references colleagues in chat (e.g., "email Sarah" - Microclaw needs to look up Sarah's address). Read-only, basic profile only. ce7c465a-5ac0-41d5-ab58-566fdd3a89d2

This application does not have Additional APIs.

Questions

Questions or updates to any of the information you see here? Contact us!