Last updated: April 2026
Section 1
Architecture
- Clawback runs as a transparent proxy on Cloudflare Workers.
- Your application sends requests to clawback.run instead of directly to the LLM provider.
- The proxy forwards requests unchanged to the original provider.
- Responses are returned to your application unmodified.
- Logging happens asynchronously and does not block the request path.
Zero Install. Zero Supply Chain Risk.
Clawback runs entirely on Cloudflare Workers. Nothing is installed on your machine. No PyPI packages, no npm modules, no Docker containers, no dependencies in your project. Your setup is one environment variable. This means there is no package to compromise, no dependency chain to poison, and no code running in your Python or Node.js process. Your credentials never touch third-party code on your infrastructure.
Section 2
Credential Handling
- API keys are stored in your local .env file. We never ask for or receive them out of band.
- Keys are read by your SDK at runtime and included in the Authorization header.
- The proxy sees the Authorization header to identify the customer via a SHA-256 hash.
- The proxy never stores, logs, or transmits the raw API key.
- Key hashes are used solely for grouping logs by customer.
Section 3
Data in Transit
- All traffic between your application and the proxy: HTTPS (TLS 1.3, Cloudflare edge).
- All traffic between the proxy and the LLM provider: HTTPS.
- Request/response bodies are logged to Cloudflare KV for the audit period (30 days).
- After the audit report is generated, log data expires automatically via KV TTL.
Section 4
Audit Replay Process
- When 150 calls are reached, the audit worker processes logs for replay.
- Replay runs on Clawback's serverless infrastructure (Cloudflare Workers).
- Call metadata is stored encrypted in Cloudflare KV (encrypted at rest, SOC 2 certified) for up to 30 days.
- All stored data is automatically purged after report generation.
- You are never billed for replay calls. Replay runs on Clawback's API accounts.
Section 5
Report Delivery
- Reports are sent via Resend (transactional email service).
- Email contains an HTML report with no external tracking pixels.
- Reports are not stored on any server after delivery.
- The operator receives a copy for support purposes.
Section 6
What We Don't Do
- We don't store raw prompts or completions long term.
- We don't sell or share customer data.
- We don't inject content into requests or responses.
- We don't modify API keys or credentials.
- We don't run any software on your machine. The only change is one environment variable.
Section 7
Infrastructure
- Proxy: Cloudflare Workers (edge compute, SOC 2 Type II certified).
- KV Storage: Cloudflare KV (encrypted at rest).
- Email: Resend (SOC 2 Type II certified).
- Webhook: Cloudflare Tunnel to operator infrastructure.
- No AWS, GCP, or Azure dependencies.
Section 8
Limitations & Roadmap
- No SOC 2 certification yet (planned).
- No formal penetration test completed yet.
- No data processing agreement template yet. Contact us to discuss.
- GDPR: Customer data can be deleted on request.