Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Last updated by the developer on: May 17, 2026
General information
Information provided by to Microsoft:
| Information | Response |
|---|---|
| App name | Microclaw |
| ID | microclaw.microclaw |
| Company's website | https://microclaw.app |
| App's Terms of Use | https://microclaw.app/terms |
| Core functionality of the app | Microclaw is an AI assistant for Microsoft 365 that lives in Microsoft Teams. It reads and writes across the user's email, calendar, tasks, files, contacts, and notes via Microsoft Graph, in plain English, in one conversation. Supports event-driven automations and scheduled tasks. Uses Azure OpenAI (GPT-4o) for natural-language understanding. Delegated OAuth: acts only as the signed-in user. |
| Company headquarter location | United States of America |
| App info page | https://microclaw.app |
| What is the hosting environment or service model used to run your app? | Paas |
| Which hosting cloud providers does the app use? | Azure |
| Is AI functionality part of the app�s core features or workflows? | Yes |
Questions
Questions or updates to any of the information you see here? Contact us!
How the app handles data
This information has been provided by about how this app collects and stores organizational data and the control that your organization will have over the data the app collects.
| Information | Response |
|---|---|
| Does the app or underlying infrastructure process any data relating to a Microsoft customer or their device? | Yes |
| What data is processed by your app? | Microsoft Graph delegated access to the signed-in user's M365 content (email, calendar, files, OneNote, To Do, Planner, contacts, Teams) on user request. Microclaw stores: conversation transcripts, tool invocation logs, encrypted MSAL refresh tokens (Azure Key Vault), aggregate telemetry (no content), and user identity (UPN, tenant ID). Azure OpenAI used for LLM inference; no training on customer data. |
| Does the app support TLS 1.2 or higher? | Yes |
| Does the app or underlying infrastructure store any Microsoft customer data? | Yes |
| What data is stored in your databases? | Postgres database (Azure Database for PostgreSQL Flexible Server, US East 2): conversation messages (user prompts and assistant responses), tool invocation logs, scheduled tasks, reminders, automation rules, webhook subscription metadata, user preferences, aggregate token usage (counts only, no content), and user/tenant identity. OAuth refresh tokens are not stored in the database; they are encrypted in Azure Key Vault (HSM-backed, FIPS 140-2 Level 2). |
| If underlying infastructure processes or stores Microsoft customer data, where is this data geographically stored? | United States of America |
| Do you have an established data rentention and disposal process? | Yes |
| How long is data retained after account termination? | Less than 30days |
| Do you have an established data access management process? | Yes |
| Do you transfer customer data or customer content to third parties or sub-processors? | Yes |
| Do you have data sharing agreements in place with any third party service you share Microsoft customer data with? | Yes |
Questions
Questions or updates to any of the information you see here? Contact us!
This information has been provided by Microclaw about the security practices this app employs.
| Information | Response |
|---|---|
| Do you perform annual penetration testing on the app? | No |
| Does the app have a documented disaster recovery plan, including a backup and restore strategy? | Yes |
| Does your environment use traditional anti-malware protection or application controls? | ApplicationControls |
| Do you have an established process for indentifying and risk ranking security vulnerabilities? | Yes |
| Do you have a policy that governs your service level agreement (SLA) for applying patches? | Yes |
| Do you carry out patch management activities according to your patching policy SLAs? | Yes |
| Does your enviroment have any unsupported operating systems or software? | No |
| Do you conduct quarterly vulnerability scanning on your app and the infastructure that supports it? | Yes |
| Do you have a firewall installed on your external network boundary? | Yes |
| Do you have an established change management process used to review and approve change requests before they are deployed to production? | Yes |
| Is an additional person reviewing and approving all code change requests submitted to production by the original developer? | No |
| Do secure coding practices take into account common vulnerability classes such as OWASP Top 10? | Yes |
| Multifactor Authentication (MFA) enabled for: | CodeRepositories, DNSManagement, Credential |
| Do you have an established process for provisioning, modification, and deletion of employee accounts? | Yes |
| Do you have Intrusion Detection and Prevention (IDPS) software deployed at the perimeter of the network boundary supporting your app? | N/A |
| Do you have event logging set up on all system components supporting your app? | Yes |
| Are all logs reviewed on a regular cadence by human or automated tooling to detect potential security events? | Yes |
| When a security event is detected are alerts automatically sent to an employee for triage? | Yes |
| Do you have a formal information security risk management process established? | Yes |
| Do you have a formal security incident response process documented and established? | Yes |
| Do you report app or service data breaches to supervisory authorities and individuals affected by the breach within 72 hours of detection? | Yes |
Questions
Questions or updates to any of the information you see here? Contact us!
This information has been provided by Microclaw regarding the compliance standards their app requires and has the certifications they have accomplished.
| Information | Response |
|---|---|
| Does the app comply with the Health Insurance Portability and Accounting Act (HIPAA)? | N/A |
| Does the app comply with Health Information Trust Alliance, Common Security Framework (HITRUST CSF)? | N/A |
| Has the organization achieved a Service Organization Controls (SOC 1) Certification? | No |
| Has the organization achieved a Service Organization Controls (SOC 2) Certification? | No |
| Has the organization achieved a Service Organization Controls (SOC 3) Certification? | No |
| Do you carry out annual PCI DSS assessments against the app and its supporting environment? | N/A |
| Is the app International Organization for Standardization (ISO 27001) certified? | No |
| Does the app comply with International Organization for Standardization (ISO 27018)? | N/A |
| Does the app comply with International Organization for Standardization (ISO 27017)? | N/A |
| Does the app comply with International Organization for Standardization (ISO 27002)? | N/A |
| Is the app Federal Risk and Authorization Management Program (FedRAMP) compliant? | No |
| Does the app comply with Family Educational Rights and Privacy Act (FERPA)? | N/A |
| Does the app comply with Children's Online Privacy Protection Act (COPPA)? | N/A |
| Does the app comply with Sarbanes-Oxley Act (SOX)? | N/A |
| Does the app comply with NIST 800-171? | N/A |
| Has the app been Cloud Security Alliance (CSA Star) certified? | No |
Questions
Questions or updates to any of the information you see here? Contact us!
| Information | Response |
|---|---|
| Do you have GDPR or other privacy or data protection requirements or obligations (such as CCPA)? | Yes |
| Does the app have an external-facing privacy notice that describes how it collects, uses, shares, and stores customer data? | Yes |
| Privacy Policy URL | https://microclaw.app/privacy |
| Does the app perform automated decision making, including profiling that could have a legal effect or similar impact? | No |
| Does the app process customer data for a secondary purpose not described in the privacy notice (i.e. marketing, analytics)? | No |
| Do you process special categories of sensitive data (i.e. racial or ethnic origin, political opinion, religious or philosophical beliefs, genetic or biometric data, health data) or categories of data subject to breach notification laws? | No |
| Does the app collect or process data from minors (i.e., individuals under the age of 16)? | No |
| Does the app have capabilities to delete an individual's personal data upon request? | Yes |
| Does the app have capabilities to restrict or limit the processing of an individual's personal data upon request? | Yes |
| Does the app provide individuals the ability to correct or update their personal data? | Yes |
| Are regular data security and privacy reviews performed (for example, Data Protection Impact Assessments or privacy risk assessments) to identify risks related to the processing of personal data for the app? | Yes |
Questions
Questions or updates to any of the information you see here? Contact us!
| Information | Response |
|---|---|
| Does your application integrate with Microsoft identity platform (Microsoft Entra ID) for single-sign on, API access, etc.? | Yes |
| Have you reviewed and complied with all applicable best practices outlined in the Microsoft identity platform integration checklist? | Yes |
| Does your app use the latest version of MSAL (Microsoft Authentication Library) or Microsoft Identity Web for authentication? | Yes |
| Does your app support Conditional Access policies? | Yes |
| List the types of policies supported | Microclaw uses MSAL OAuth; Microsoft Entra evaluates these Conditional Access policy types at sign-in: MFA, compliant device / Intune managed device, hybrid Azure AD-joined device, sign-in risk and user risk, location/network-based access, block legacy authentication, sign-in frequency and persistent browser session controls. All evaluation occurs at the Microsoft identity layer during interactive sign-in; Microclaw does not implement app-side enforcement. |
| Does your app support Continuous Access Evaluation (CAE) | No |
| Does your app store any credentials in code? | No |
| Apps and add-ins for Microsoft 365 might use additional Microsoft APIs outside of Microsoft Graph. Does your app or add-in use additional Microsoft APIs? | Yes |
Data access using Microsoft Graph
Graph Permission Permission Type Justification Microsoft Entra App ID Calendars.Read delegated Required for Microclaw to read the signed-in user's calendar when they ask about their schedule (e.g., "what's on my calendar today," "when am I free Thursday"). Read-only access, scoped to the signed-in user's calendars. ce7c465a-5ac0-41d5-ab58-566fdd3a89d2 Calendars.ReadWrite delegated Required for Microclaw to create, update, or delete calendar events on behalf of the signed-in user (e.g., "block 30 minutes tomorrow at 2pm," "cancel my 3pm meeting"). Scoped to the signed-in user's calendars. ce7c465a-5ac0-41d5-ab58-566fdd3a89d2 ChannelMessage.Read.All delegated Required for Microclaw to read messages from Teams channels the signed-in user is a member of, when they ask the assistant to summarize or search team conversations (e.g., "what was discussed in the #ops channel this week"). Read-only, scoped to channels the user has access to. ce7c465a-5ac0-41d5-ab58-566fdd3a89d2 ChannelMessage.Send delegated Required for Microclaw to post messages to Teams channels on behalf of the signed-in user when they ask the assistant to send a message (e.g., "post in #general that the meeting is cancelled"). Posts as the signed-in user. ce7c465a-5ac0-41d5-ab58-566fdd3a89d2 Chat.ReadWrite delegated Required for Microclaw to read and send Teams chat messages on behalf of the signed-in user (e.g., "DM Sarah and let her know I'll be 5 minutes late"). Scoped to chats the user participates in. ce7c465a-5ac0-41d5-ab58-566fdd3a89d2 Contacts.Read delegated Required for Microclaw to look up the signed-in user's personal contacts when they ask the assistant to find someone (e.g., "what's David Patel's email"). Read-only access to the signed-in user's personal contacts. ce7c465a-5ac0-41d5-ab58-566fdd3a89d2 Contacts.ReadWrite delegated Required for Microclaw to create or update personal contacts on behalf of the signed-in user (e.g., "save David Patel's email as a contact"). Scoped to the signed-in user's personal contacts. ce7c465a-5ac0-41d5-ab58-566fdd3a89d2 Files.Read delegated Required for Microclaw to read the signed-in user's OneDrive and SharePoint files when they ask the assistant to summarize, search, or report on their documents (e.g., "find the forecast doc," "what's in last month's report"). Read-only. ce7c465a-5ac0-41d5-ab58-566fdd3a89d2 Files.ReadWrite delegated Required for Microclaw to upload, rename, or modify OneDrive files on behalf of the signed-in user (e.g., "save this attachment to OneDrive," "rename the file"). Scoped to the signed-in user's drive. ce7c465a-5ac0-41d5-ab58-566fdd3a89d2 Group.Read.All delegated Required for Microclaw to discover the Microsoft 365 groups the signed-in user is a member of, used for SharePoint document library auto-discovery and Planner plan listing (e.g., "show me my team's Planner tasks"). Read-only access to groups the user belongs to. ce7c465a-5ac0-41d5-ab58-566fdd3a89d2 Group.ReadWrite.All delegated Required for Microclaw to create or update Planner plans and tasks within Microsoft 365 groups the signed-in user belongs to (e.g., "create a Planner plan for Q3 launch"). Scoped to groups the user is a member of. ce7c465a-5ac0-41d5-ab58-566fdd3a89d2 Mail.Read delegated Required for Microclaw to read the signed-in user's mailbox when they ask the assistant to summarize, search, or report on their email (e.g., "summarize my unread emails"). Read-only access, scoped to the signed-in user's mail only. ce7c465a-5ac0-41d5-ab58-566fdd3a89d2 Mail.ReadWrite delegated Required for Microclaw to flag, move, delete, draft, or modify email on behalf of the signed-in user when they request these actions in chat (e.g., "flag this email," "move to archive," "create a draft"). Scoped to the signed-in user's mailbox only. ce7c465a-5ac0-41d5-ab58-566fdd3a89d2 Mail.Send delegated Required for Microclaw to send email on behalf of the signed-in user when they ask the assistant to send a message (e.g., "send an email to alex@example.com saying..."). Sends as the signed-in user only; user confirms before send. ce7c465a-5ac0-41d5-ab58-566fdd3a89d2 Notes.Read delegated Required for Microclaw to read the signed-in user's OneNote notebooks and pages when they ask the assistant to summarize or pull notes (e.g., "what did I write in last week's OneNote"). Read-only. ce7c465a-5ac0-41d5-ab58-566fdd3a89d2 People.Read delegated Required for Microclaw to look up people the signed-in user interacts with across Microsoft 365 (relevant contacts, frequent collaborators) when they ask the assistant to find or message someone (e.g., "email the people on my project team"). Read-only. ce7c465a-5ac0-41d5-ab58-566fdd3a89d2 Presence.Read delegated Required for Microclaw to read the signed-in user's Teams presence status (Available / Busy / Away) when the assistant uses presence for scheduling or contextual decisions. Read-only, scoped to the signed-in user. ce7c465a-5ac0-41d5-ab58-566fdd3a89d2 Sites.Read.All delegated Required for Microclaw to read SharePoint document libraries the signed-in user has access to, used to find and read documents stored in SharePoint team sites (e.g., "find the forecast doc in the Finance site"). Read-only. ce7c465a-5ac0-41d5-ab58-566fdd3a89d2 Tasks.Read delegated Required for Microclaw to read the signed-in user's Microsoft To Do tasks when they ask about their task list (e.g., "what tasks do I have this week"). Read-only access, scoped to the signed-in user's tasks. ce7c465a-5ac0-41d5-ab58-566fdd3a89d2 Tasks.ReadWrite delegated Required for Microclaw to create, complete, or delete Microsoft To Do tasks on behalf of the signed-in user (e.g., "add a task to follow up with Sarah," "mark X as done"). Scoped to the signed-in user's tasks. ce7c465a-5ac0-41d5-ab58-566fdd3a89d2 Team.ReadBasic.All delegated Required for Microclaw to enumerate the Teams the signed-in user is a member of, for context when the user asks the assistant to act on a specific team (e.g., "post in the Engineering team"). Read-only, basic team metadata. ce7c465a-5ac0-41d5-ab58-566fdd3a89d2 User.Read delegated Required for Microclaw to read the signed-in user's basic profile (display name, UPN, tenant ID) for personalization and audit logging. Standard sign-in scope. ce7c465a-5ac0-41d5-ab58-566fdd3a89d2 User.ReadBasic.All delegated Required for Microclaw to resolve other users' basic profile information (display name, email) when the signed-in user references colleagues in chat (e.g., "email Sarah" - Microclaw needs to look up Sarah's address). Read-only, basic profile only. ce7c465a-5ac0-41d5-ab58-566fdd3a89d2
This application does not have Additional APIs.
Questions
Questions or updates to any of the information you see here? Contact us!