CPWE AI is an idea-engineering platform that transforms raw data into intelligent applications via multi-agent orchestration, real-time analytics, and enterprise-grade security in under five minutes. It features voice-to-code technology, visual agent builders, and a 12-Agent Guild for AI-powered development.

How fast can I deploy an app with CPWE AI?

With CPWE AI's unified deployment pipeline, you can go from concept to live across mobile, desktop, voice assistants, and the web in under five minutes, leveraging prebuilt agents and CI/CD best practices.

What security features are built into CPWE AI?

Every deployment passes through a four-phase Cybersecurity Bridge covering schema foundation, multi-agent deployment, security mastery, and hardening. This ensures real-time monitoring, zero-PII encryption, and SOC II compliance. CPWE AI also solves the physical layer access problem in the OSI network model.

How does the Cybersecurity Bridge work?

The Cybersecurity Bridge is a four-phase security architecture that protects applications from physical layer (OSI Layer 1) through application layer. It includes real-time threat detection, MAC spoofing protection, ARP guard, 802.1X authentication, and automated security hardening.

Who leads the CPWE AI team?

QuantumCowboy (aka Kojie) leads a 12-agent family of AI specialists, orchestrating development, security, and operations in a collaborative, unified approach. The team includes specialized agents for code generation, security, data analysis, and project management.

Is CPWE AI free to use?

CPWE AI offers a free tier to ensure curiosity and innovation remain unrestricted. Advanced enterprise features and higher usage limits are available through premium plans. Community donations help cover AI generation and edge deployment costs.

Can CPWE AI build an app for me using voice commands?

Yes, CPWE AI features voice-to-code technology that lets you describe what you want to build using natural speech. The AI translates your voice commands into working code, creating applications, dashboards, and automation workflows without typing a single line.

What AI models does CPWE AI use?

CPWE AI integrates multiple leading AI providers including OpenAI GPT-5.3 Codex, Anthropic Claude, Google Gemini, Perplexity, xAI Grok, and GitHub Copilot Pro. An intelligent routing system automatically selects the best model for each task.

How do I get started with CPWE AI?

Getting started is simple. Sign up for a free account, describe your project idea to Kojie the AI assistant, and watch as it generates your application. No coding experience required. You can deploy your app to 23 platforms with one click.

What is the 12-Agent Guild in CPWE AI?

The 12-Agent Guild is a team of specialized AI agents that work together on complex projects. Each agent has unique skills like code generation, security analysis, data processing, or project management. They collaborate to deliver higher quality results than any single AI could achieve alone.

Can CPWE AI help with penetration testing?

Yes, CPWE AI includes a Relay Agent Fleet with specialized agents for security assessment and penetration testing. These agents can be deployed to local machines through the Local Agent Gateway to perform static analysis, network forensics, and vulnerability scanning.

Does CPWE AI integrate with my CRM?

Absolutely. CPWE AI features the Lead Orchestrator system that connects with your CRM for real-time event processing. It orchestrates lead engagement through email, voice calls, and AI agent missions, then feeds results back to your CRM automatically.

What is the Visual Inspection Report system?

CPWE AI's Visual Inspection Report system is a production-ready tool for construction and welding defect documentation. It features dynamic photo layouts (2 photos per row with single photos centered), support for up to 6 photo roles per defect, AI-powered defect analysis, 1E Specification PDF references, and Word document export with professional formatting. Real customer feedback shows over 50% efficiency gains - reducing report creation from 20 hours to under 10 hours, saving 50+ hours monthly.

How much time can CPWE AI save on documentation tasks?

CPWE AI delivers proven productivity gains. For Visual Inspection Reports, real customer feedback shows report creation time reduced from 20 hours to under 10 hours - over 50% efficiency improvement. At 5 reports per month, that equals 50+ hours saved monthly, giving back 15 full work weeks annually.

Privacy Policy

Guardian Posse AI Platform — Government-Grade Privacy Protection by CPWE AI

Effective: February 25, 2026 Version: 3.5 Last Updated: February 25, 2026

GDPR Compliant CCPA Compliant NIST 800-171 COPPA FERPA

Government-Grade Privacy Protection
Guardian Posse AI Platform, operated by CPWE AI, is committed to protecting your privacy with enterprise and government-grade standards. This policy covers all services across guardianposse.com, cpwe.ai, and ai-comic-studio.com.

Section 1

Data Controller

CPWE AI, the operator of the Guardian Posse AI Platform, is the data controller responsible for your personal data as defined under the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and other applicable data protection laws.

Contact Information

Company: CPWE AI
Platform: Guardian Posse AI Platform
Domains: guardianposse.com · cpwe.ai · ai-comic-studio.com
Email: james@cpwe.biz
Data Protection Officer: james@cpwe.biz

Section 2

Information We Collect

Guardian Posse collects various categories of information depending on the platform features you use. Below is a comprehensive list of data categories.

User ID (stable identifier from Replit)
Email address
First and last name (if provided)
Profile image URL
OAuth tokens (encrypted at rest)

Sensitive Government Data: EPB Writer processes military performance data that may constitute Controlled Unclassified Information (CUI).

Military rank and grade
Air Force Specialty Code (AFSC)
Accomplishment narratives and bullet text
Performance period dates
Unit and duty assignment information (if voluntarily provided)

Important: EPB accomplishment text is processed through AI providers for bullet generation only. No military PII is stored beyond the active session unless explicitly saved by the user.

Call recordings (processed through Twilio)
Voice transcriptions and summaries
Phone numbers (caller and recipient)
SMS message content
Call metadata (duration, timestamps, disposition)
Voice samples for voice cloning (with explicit consent)

PCAP file uploads for network analysis
OSINT query terms and results
Vulnerability scan results and reports
Security assessment data and scoring
MITRE ATT&CK mapping data
Threat intelligence indicators
Splunk SIEM event forwarding records and pipeline metrics
HEC endpoint configuration metadata (URL hostname, index targets - never tokens)

AI-generated images and artwork
Image generation prompts and parameters
Character designs and descriptions
Comic storylines and scripts
Merchandise designs and configurations
Curriculum and educational content created

NIST 800-171 / NIST 800-53 assessment results
CMMC compliance scores and evidence
RMF (Risk Management Framework) data
Audit log entries (user actions, access events)
Compliance documentation generated

Customer contact information (name, email, phone, company)
Lead tracking and engagement metrics
Communication history and notes
Pipeline and deal stage data
Invoice and payment records

Projects created, managed, and deployed
AI chat conversations and code generation requests
Feature usage patterns and navigation data
Session tokens and authentication state
Browser, device, and operating system information
IP address and approximate location
Performance metrics and Core Web Vitals

Data collected from client-deployed relay agents that connect on-premise infrastructure to the Guardian Posse platform:

Relay agent deployment metadata (relay name, status, capabilities, platform type)
JWT authentication tokens for relay-to-platform communication
Agent relay dispatch records (agent assignments, priorities, statuses)
System inventory data collected by relay agents (hardware specs, OS info, installed software)
Configuration drift detection data from client infrastructure
Security scan results transmitted by relay agents (static analysis, network forensics)
Client infrastructure health metrics and heartbeat data
Relay installer script generation records

Enhanced Installer v3.0 Data

The Enhanced Relay Installer generates platform-specific deployment scripts (Windows PowerShell, Linux Bash, macOS Bash) that automate relay setup. Data involved includes:

Generated installer script metadata (platform type, selected features, generation timestamp)
Environment variable configurations set on client machines (relay ID, platform URL, JWT credentials stored in secure .env files with restricted permissions)
12-agent fleet deployment records (which agents were deployed, their status, and capabilities)
SSL/CertBot certificate request records when automated SSL is enabled (domain name, certificate authority, issuance status)
Firewall and security hardening configuration logs from deployment
OS-native service registration data (Windows Scheduled Tasks, Linux systemd units, macOS LaunchAgents)
Health check verification results (8-point validation of installation completeness)

IP lookup data (GeoIP, WHOIS, reputation scores)
AI-powered attacker profiling data
Abuse report generation records
Honeypot trap deployment logs (SSH, Web, DB, SMB, RDP, IoT)
MITRE ATT&CK mapping data from threat investigations
Legal counter-measure records (cease & desist, law enforcement referrals)

Risk register entries and risk assessments
Tabletop exercise scenarios, injects, and after-action reports
Statement of Work documents generated
Incident response plan configurations and contact information
POA&M (Plan of Action & Milestones) entries
CM (Configuration Management) control assessments

30-Device Security Arsenal: The Physical Pen Test Command Center manages a 30-device hardware security arsenal for authorized penetration testing engagements.

Device deployment configurations and mission templates
HAK5 device payloads and engagement parameters (Bash Bunny, USB Rubber Ducky, WiFi Pineapple, WiFi Coconut, etc.)
C2 mesh networking topology and remote device management data (Hak5 Cloud C²)
RF spectrum analysis data (HackRF One, RTL-SDR, YARD Stick One, Crazyradio PA)
RFID/NFC assessment data (Flipper Zero, Proxmark3 RDV4, iCopy-X)
Bluetooth and WiFi surveillance data (Ubertooth One, ESP32 Marauder, Pwnagotchi, DSTIKE Deauther Watch)
Network implant telemetry (Packet Squirrel, LAN Turtle, Shark Jack, Throwing Star LAN Tap, GL.iNet Slate Plus)
HDMI/video capture data (Screen Crab)
Keystroke capture data (Key Croc, O.M.G. Cable)
USB attack platform data (P4wnP1 A.L.O.A.) and USB resilience testing records (USB Kill v4)
Hardware security research data (GreatFET One) including firmware extraction and protocol analysis
AI-powered WiFi handshake capture data (Pwnagotchi reinforcement learning telemetry)
ICS/SCADA safety assessment records and Purdue Model compliance data
MITRE ATT&CK technique mappings per device engagement
AI-assisted engagement reports and loot analysis
Device synergy matrix and kill chain positioning data
Mission execution logs and evidence consolidation records

Important: All physical penetration testing data is collected only during authorized engagements with explicit written client authorization. Device telemetry is encrypted in transit and at rest.

Data collected and processed by the Guardian Relay Browser Extension (Chrome/Chromium Manifest V3):

Platform URL configuration stored in chrome.storage.sync (synced across user’s Chrome profile)
Extension preferences: polling interval, notification settings, auto-reconnect toggles
Relay status data fetched from the platform API (relay names, online/offline status, platform type)
Dispatch command records (quick commands and custom AI commands sent to relays)
Security alert logs retrieved from the platform for display in the extension popup
Badge count data (number of online relays) displayed on the browser toolbar icon

Local-Only Processing: The browser extension does not transmit any data to third parties. All communication is strictly between your browser and your configured Guardian Posse platform instance. No analytics, telemetry, or tracking data is sent to CPWE AI or any external service by the extension.

Data collected and processed by the CertBot SSL Certificate Manager for automated SSL certificate provisioning:

Domain names submitted for SSL certificate issuance
Certificate Authority (CA) selection and EAB (External Account Binding) credential references (Sectigo CA)
Certificate issuance, renewal, and revocation records
Generated CertBot installation and renewal scripts (Apache, Nginx, Standalone, pip-based)
Certificate status check results and expiration dates
Web server type and installation method preferences

Credential Security: CertBot EAB credentials (SECTIGO_EAB_KID and SECTIGO_EAB_HMAC_KEY) are stored as encrypted platform secrets and are never embedded in generated scripts. Generated scripts reference environment variables only.

Data collected and processed through Zapier Compliance Automation Pipeline and Zapier Macro Engine integrations:

Zapier webhook endpoint URLs configured by users for event forwarding
Event data forwarded to Zapier webhooks including: relay status changes, compliance posture updates, agent task results, security alerts, scan completions, deployment events, fleet health changes, compliance score changes, and agent trust updates (10 event types)
Zapier Macro Engine execution records: 8 pre-built automation macros including automated event-triggered actions for email, Slack, CRM updates, and other third-party services
Macro execution logs (trigger event, macro type, execution timestamp, success/failure status)
Webhook delivery status and retry records

Third-Party Data Sharing: When you configure Zapier webhooks, platform event data is forwarded to Zapier’s servers and subsequently to any downstream services you connect in your Zapier workflows. CPWE AI is not responsible for how Zapier or your connected third-party services handle this data. Review Zapier’s Privacy Policy and the privacy policies of any downstream services you connect.

Data collected and processed through OpenClaw AGI Security Bridge, OpenClaw Security Scanner, and OpenClaw Relay Bridge:

OpenClaw deployment registry metadata: deployment name, URL, version, last scan timestamp, and registration date
Security scan results from 6 scan types: Config Auditor, Skill Scanner, CVE Checker, Port Exposure, Permission Auditor, and Prompt Injection Detector
CVE (Common Vulnerabilities and Exposures) findings tracked per deployment
Configuration data submitted for security analysis (OpenClaw deployment configurations, skill manifests, network exposure data)
NIST 800-53 compliance mapping results across 19 control families mapped to OpenClaw requirements
OpenClaw Relay Bridge sidecar monitoring data: tool execution logs, behavior analysis patterns, compliance enforcement actions
Behavior monitoring logs analyzing OpenClaw tool execution for security threats including credential access patterns and data exfiltration indicators

Best-Effort Scanning: OpenClaw security scan results are provided on a best-effort basis. Scan results are not guaranteed to identify all vulnerabilities, misconfigurations, or security risks. Users should not rely solely on Guardian Posse scanning as their only security assessment for OpenClaw deployments.

Section 3

Legal Basis for Processing (GDPR Article 6)

We process personal data under the following legal bases as defined in GDPR Article 6(1):

Consent

Voice recording consent, analytics cookies, marketing communications, voice cloning opt-in

Contractual Necessity

Authentication, platform features, project management, AI-assisted services, CRM functionality

Legitimate Interest

Security monitoring, platform improvement, fraud prevention, performance optimization

Legal Obligation

Compliance record-keeping, audit logs, financial records, regulatory reporting requirements

Vital Interests

Security threat detection, active defense against cyber threats, protection of critical infrastructure

Section 4

How We Use Your Information

Provide secure authentication and session management
Deliver AI-assisted code generation, chat, and creative tools
Process EPB bullet writing for military performance reports
Execute security scans, OSINT queries, and PCAP analysis
Manage CRM contacts, leads, and communications
Generate compliance assessments and documentation
Deploy and manage relay agents on authorized client infrastructure
Collect and analyze security telemetry from relay agent fleet
Generate threat intelligence and attacker profiles for active defense
Create risk assessments, tabletop exercises, and statements of work

Monitor platform performance and optimize user experience
Analyze usage patterns to guide feature development
Generate anonymized, aggregated analytics reports
Improve AI model selection and response quality

Detect and prevent unauthorized access and fraud
Maintain audit trails for compliance requirements
Enforce role-based access controls (4-tier system)
Monitor Agent Trust Mesh integrity
Respond to security incidents and data breach obligations

Send transactional emails (invoices, confirmations)
Deliver platform notifications and security alerts
Provide customer support communications
Send marketing communications (with consent only)

Section 5

AI Provider Data Processing

Multi-AI Provider System: Guardian Posse integrates with multiple AI providers to deliver comprehensive AI assistance across all platform features.

5.1 AI Providers We Use

OpenAI (GPT-5.3 Codex, DALL-E) Anthropic (Claude) Google Gemini xAI (Grok) Perplexity

5.2 What Data Is Sent to AI Providers

User prompts, chat messages, and code generation requests
EPB accomplishment text for bullet writing (sanitized of PII where possible)
Image generation prompts and parameters
Document content submitted for AI analysis

5.3 What Is NOT Sent to AI Providers

Never Transmitted

Passwords, authentication credentials, or OAuth tokens
Social Security Numbers or government ID numbers
Financial account numbers or payment card data
Raw PCAP files or full security scan results
CRM customer data without explicit user action

5.4 AI Provider Retention

Each AI provider maintains its own data retention policies. We recommend reviewing:

AI-generated content is not stored on our servers unless you explicitly save it to your account, projects, or exported outputs.

Section 6

Twilio / Voice & Phone Data

Guardian Posse uses Twilio for voice calling, SMS messaging, and phone agent functionality. The following data is collected and processed:

6.1 Data Collected

Call Recordings: Audio recordings of inbound and outbound calls (with consent notification)
Voice Transcriptions: AI-generated transcripts of recorded calls
SMS Content: Text message content sent and received through the platform
Phone Numbers: Caller and recipient phone numbers
Call Metadata: Duration, timestamps, call disposition, and routing data

6.2 Consent & Recording Notices

All voice recordings are subject to applicable consent laws. Automated disclosure is provided at the start of recorded calls in compliance with two-party consent jurisdictions. Users can opt out of call recording at any time.

6.3 Retention

Voice Data Type	Retention Period
Call Recordings	90 days (configurable)
Transcriptions	12 months
SMS Messages	12 months
Call Metadata	24 months
Voice Samples (cloning)	Until user deletion request

Twilio's own data handling is governed by the Twilio Privacy Policy.

Section 7

Google Drive & Sheets Integration

Guardian Posse offers optional Google Drive and Google Sheets integration for bulk data import and document management.

7.1 Data We Access

Google Drive (drive.file scope): Access only to files you explicitly select or that our application creates. We cannot access your entire Drive.
Google Sheets (spreadsheets.readonly scope): Read-only access to spreadsheets you select for import purposes.
Basic Profile Info: Google email address and name for account linking.

7.2 How We Use This Data

Import data from your Google Sheets into the platform
Store photos from your Google Drive for inspection reports and creative projects
Link your Google account for seamless cross-platform access

7.3 Data Storage & Security

Google OAuth tokens are encrypted using industry-standard Fernet encryption
Tokens are stored per-tenant with strict isolation between customers
You can disconnect your Google account at any time, revoking our access
We never share your Google data with third parties

7.4 Revoking Access

Revoke CPWE AI's access at any time:

Visit Google Account Permissions
Find "CPWE AI" in the list of connected apps
Click "Remove Access"

Section 8

Government & Military Data (NIST 800-171 CUI)

Controlled Unclassified Information (CUI): Guardian Posse's EPB Writer and certain security tools may process data classified as CUI under NIST SP 800-171. This section describes our handling of such data.

8.1 EPB Writer & Military Performance Data

The EPB (Enlisted Performance Brief) Writer processes military performance data including rank, AFSC, accomplishment narratives, and duty descriptions. This data may constitute CUI under 32 CFR Part 2002.

8.2 CUI Handling Procedures

CUI Protection Measures

Encryption at Rest: All CUI data encrypted using AES-256 encryption
Encryption in Transit: TLS 1.2+ for all data transmission
Access Controls: Role-based access with 4-tier authorization model
Audit Logging: Complete audit trail of all CUI access and processing events
Session-Only Processing: AI prompts containing military data are sent to providers for processing only; no persistent storage beyond the user's active session unless explicitly saved
Data Minimization: Only the minimum data necessary is transmitted to AI providers

8.3 Data Residency

Military data is processed and stored within the United States only. We do not transfer military performance data, CUI, or related metadata to servers outside U.S. jurisdiction. AI providers used for military data processing are contractually bound to U.S.-based processing.

8.4 Military Users' Privacy Rights

In addition to all standard privacy rights, military users have the right to:

Request immediate deletion of all EPB and performance data
Obtain a complete audit log of who accessed their data
Restrict processing to session-only (no persistent storage)
Request data handling in accordance with DoD Privacy Program (DoD 5400.11-R)

8.5 NIST 800-171 Alignment

Our data handling practices align with NIST SP 800-171 Rev. 2 control families including: Access Control (AC), Audit & Accountability (AU), Identification & Authentication (IA), System & Communications Protection (SC), and System & Information Integrity (SI).

Section 8b

SSL/CertBot Certificate Data

The CertBot SSL Certificate Manager provides automated SSL certificate provisioning for relay agent deployments and client infrastructure. This section describes how certificate-related data is handled.

8b.1 Certificate Provisioning Data

Domain names and server configurations submitted for certificate issuance are stored in association with your account
Certificate issuance, renewal, revocation, and status check records are logged for audit and operational purposes
Generated CertBot scripts (Apache, Nginx, Standalone, pip) are created on-demand and delivered via the platform dashboard

8b.2 Credential Handling

EAB Credentials & Security

Sectigo CA External Account Binding (EAB) credentials are stored as encrypted platform secrets. They are never embedded in generated scripts or exposed to end users. Generated scripts reference environment variables that must be set on the target server before execution. This ensures credentials remain under platform control and are not distributed in plaintext.

8b.3 Certificate Lifecycle

Certificate metadata (domain, expiration date, CA, status) is retained for the life of the associated relay deployment
Revoked certificate records are retained for 12 months for audit trail purposes
Generated scripts are ephemeral and not stored on the platform after delivery to the user

Section 9

Security Operations Data

Guardian Posse includes cybersecurity tools for blue team operations, red team operations, purple team operations, OSINT research, network analysis, SIEM integration, API monitoring, and the Security Arsenal 42 toolkit. The following applies to data processed through these features.

9.1 PCAP File Analysis

PCAP files are uploaded for in-browser analysis
Network traffic data is processed locally and on our servers for AI-assisted analysis
PCAP files are not retained long-term — they are deleted after analysis completion or within 24 hours, whichever is sooner
Analysis results may be stored if the user saves them to a project

9.2 OSINT Query Data

Search queries submitted to OSINT tools are logged for audit purposes
Query results from external sources are displayed but not permanently stored unless saved by user
IP addresses, domains, and indicators of compromise queried are logged for security audit trails

9.3 Vulnerability & Security Assessments

Vulnerability scan results are stored in your account for ongoing monitoring
NIST/CMMC assessment scores and evidence are retained as compliance documentation
Security assessment data may be shared with authorized auditors upon your request

9.4 Relay Agent Infrastructure Monitoring

Relay agents deployed on client infrastructure transmit health metrics, heartbeat data, and system inventory back to the platform
Configuration drift detection identifies unauthorized changes to client systems and reports deviations to the platform
Security scan results from relay agents (static analysis, network forensics) are collected and stored for analysis
All relay-to-platform communication is authenticated via JWT tokens and encrypted in transit

9.4b Enhanced Relay Installer Monitoring

Enhanced Installer v3.0 scripts perform a 10-phase automated deployment including environment setup, Python installation, relay client, 12-agent fleet, SSL/CertBot, firewall hardening, service registration, and health verification
Installer health check results (8-point validation) are transmitted to the platform upon completion to confirm successful deployment
SSL certificates provisioned through the installer’s CertBot automation (via Sectigo CA) are tracked for renewal scheduling
Firewall rules and security hardening configurations applied by the installer are logged for compliance documentation

9.4c CertBot SSL Certificate Monitoring

The CertBot SSL Certificate Manager tracks certificate issuance, renewal schedules, and expiration dates for all managed domains
Certificate status checks query the target server and report back to the platform for dashboard display
Renewal and revocation operations are logged with timestamps and outcome status for audit purposes
All certificate operations are restricted to admin-level platform access

9.5 Browser Extension Monitoring

The Guardian Relay Browser Extension polls your platform instance for relay status at configurable intervals (default: 30 seconds)
Extension configuration (platform URL, preferences) is stored locally in chrome.storage.sync and synced across your Chrome profile
Desktop notifications are generated locally by the extension when relay agents go offline — no notification data is sent externally
Dispatch commands issued through the extension are routed through the same authenticated API endpoints used by the main platform dashboard
The extension does not inject content scripts, modify web pages, or intercept browsing data
No data is collected, transmitted, or shared with CPWE AI or third parties by the extension itself — all communication flows directly to your configured platform

9.6 Active Defense Operations

Active defense tools collect IP lookup data, attacker profiling information, and threat intelligence indicators
AI-powered attacker profiles are generated from observed threat patterns and MITRE ATT&CK mappings
Abuse reports and legal counter-measures (cease & desist notices, law enforcement referrals) are generated and logged

9.7 Honeypot Trap Data Collection

Honeypot traps (SSH, Web, DB, SMB, RDP, IoT) collect attacker interaction data for threat intelligence purposes
Honeypot deployment logs record trap configurations, attacker connection metadata, and captured payloads
Honeypot data is retained for 6 months and used exclusively for threat detection and security research

9.8 Physical Penetration Testing Data

The Physical Pen Test Command Center deploys a 30-device hardware security arsenal for authorized penetration testing engagements
Device categories include USB implants, network taps, RF analyzers, RFID/NFC tools, Bluetooth monitors, wireless auditing equipment, AI WiFi auditors, hardware security research tools, wearable pen test devices, and USB resilience testers
Mission execution data includes device deployment logs, payload configurations, C2 mesh network topology, and engagement evidence
ICS/SCADA safety assessments record Purdue Model compliance, IEC 62443 alignment, and Layer 2 PLC safety classifications
All pen test data requires written client authorization and is retained per engagement contract terms (default: 12 months)
AI-assisted analysis results (payload generation, loot analysis, defense assessments) are processed through the platform’s AI providers

Section 9b

Splunk SIEM Integration Data

Enterprise SIEM Forwarding
Guardian Posse integrates with Splunk Enterprise via HTTP Event Collector (HEC) to provide centralized security event management and compliance visibility.

9b.1 Data Forwarded to Splunk

When Splunk SIEM integration is enabled by the platform administrator, the following categories of security events are forwarded to your organization's Splunk instance:

Security Events: Authentication attempts, access control changes, suspicious activity alerts, and firewall events
Compliance Events: NIST control assessments, CMMC posture changes, compliance score updates, and audit trail entries
Threat Intelligence: OSINT findings, malware detections, suspicious IP alerts, and threat indicator matches
Agent Activity: Relay agent heartbeats, task executions, deployment events, and fleet status changes
Network Events: PCAP analysis results, network anomaly detections, and traffic baseline deviations
CRM Events: Pipeline changes, deal stage updates, and customer engagement metrics (anonymized)
Red/Purple Team Events: Attack simulation results, defense gap analyses, and exercise completion reports
Physical Pen Test Events: Mission creation records, device deployment logs, RF scan initiations, and engagement evidence

9b.2 Data Processing

Events are batched (up to 50 per batch) and forwarded every 5 seconds via encrypted HTTPS to your Splunk HEC endpoint
Events are routed to dedicated Splunk indexes based on category (e.g., guardian_security, guardian_compliance, guardian_osint)
HEC authentication tokens are stored encrypted and never exposed in logs, API responses, or client-side code
Event payloads are sanitized to remove PII before forwarding unless explicitly required for security investigation

9b.3 Data Ownership & Control

Your Data, Your Splunk Instance

All data forwarded to Splunk is sent directly to your organization's Splunk deployment. CPWE AI does not retain, process, or have access to your Splunk instance or the events stored there. You maintain full ownership and control over all forwarded security event data. Splunk integration can be enabled, disabled, or reconfigured at any time by the platform administrator.

9b.4 Relay Agent Splunk Forwarding

Client-deployed relay agents can optionally forward local security events directly to your Splunk instance:

Task execution results and agent activity logs
OSINT reconnaissance findings from local scanners
Red team and physical penetration testing event data
Blue team defense findings and compliance scan results
Relay heartbeat and health status events

Relay-to-Splunk forwarding is configured independently during relay setup and operates without routing through the Guardian Posse platform.

Section 9c

Security Arsenal 42 Data

42-Tool Security Toolkit
The Security Arsenal 42 integrates 42 security tools across 13 categories. This section describes the data collected and processed by the Arsenal toolkit.

9c.1 Tool Registry Data

The Security Arsenal maintains a registry of 42 tools with metadata including tool names, versions, categories, MITRE ATT&CK mappings, and NIST 800-53 control mappings
Tool registry data is static configuration and does not contain personal information
Tool integration status and availability metrics are tracked for operational purposes

9c.2 Scan & Assessment Data

When users initiate scans using Arsenal tools, the following data is collected: tool ID, target specification, scan type, timestamp, and scan results summary
Scan targets (domains, IPs, URLs) provided by users are logged for audit trail purposes
Scan results are stored in-memory with automatic rotation (most recent 500 scans retained)
Users are responsible for ensuring scan targets are authorized and lawful

9c.3 OSINT Data

OSINT tools (SpiderFoot, Recon-ng, theHarvester, Shodan, Sherlock, Maltego) may process publicly available information including domain records, email addresses, social media profiles, and network infrastructure data
OSINT query parameters and results are processed in accordance with Section 9.2 of this Privacy Policy
Data obtained through OSINT tools originates from public sources; CPWE AI does not independently verify the accuracy of such data

9c.4 Open-Source SIEM Connector Data

The Arsenal provides API connectors for Wazuh, Graylog, and ELK Stack in addition to the Splunk integration described in Section 9b
SIEM connector configuration data (endpoint URLs, authentication credentials) is stored encrypted
Event data forwarded to third-party SIEM platforms is subject to those platforms' respective privacy policies
CPWE AI does not access, monitor, or store data within your SIEM deployments

Section 9d

API Overwatch Monitoring Data

9d.1 Transaction Logging

API Overwatch logs API transactions including HTTP method, endpoint path, status code, response time, request size, and timestamp
Transaction logs are stored in-memory and are automatically rotated (most recent 10,000 transactions retained)
Transaction logs do not contain request/response bodies, authentication tokens, or personal data beyond user ID association

9d.2 Anomaly Detection Data

Anomaly detection flags transactions matching patterns such as slow responses, rate limiting, server errors, and potential brute-force authentication attempts
Anomaly alerts are stored in-memory with automatic rotation (most recent 1,000 anomalies retained)
Anomaly data is used solely for platform security monitoring and is not shared with third parties

9d.3 Data Retention

All API Overwatch data is stored in volatile memory (RAM) and is not persisted to disk or database. Data is automatically purged when memory rotation thresholds are reached or when the application restarts. No API Overwatch data survives application restarts.

Section 9e

Zapier & OpenClaw Integration Data

Third-Party Integration & Automation
Guardian Posse integrates with Zapier for compliance automation and provides security scanning for OpenClaw AGI deployments. These integrations involve data processing with third-party services.

9e.1 Zapier Compliance Automation Pipeline

The Zapier Compliance Automation Pipeline forwards platform events to user-configured Zapier webhooks for downstream automation. 10 event types are supported:

Relay status changes, compliance posture updates, agent task results, and security alerts
Scan completions, deployment events, fleet health changes, and compliance score changes
Agent trust updates and custom event triggers

Data Forwarding: Event payloads include event type, timestamp, relevant metadata, and summary data. Event payloads are forwarded in real-time to your configured Zapier webhook URL via HTTPS. Once data leaves the Guardian Posse platform, it is subject to Zapier’s data handling policies and any downstream services you connect.

9e.2 Zapier Macro Engine

The Zapier Macro Engine provides 8 pre-built automation macros that execute automated actions based on platform events:

Automated macro actions may trigger email notifications, Slack messages, CRM record updates, and other third-party service calls
Macro execution is event-driven and occurs automatically when configured trigger conditions are met
Macro execution logs record trigger event, macro type, execution timestamp, and outcome status

Automated Execution Risk

Zapier macros execute automatically based on platform events. Users are responsible for reviewing and configuring macro triggers appropriately. Misconfigured macros may result in unintended data sharing, duplicate notifications, or unwanted third-party service actions. CPWE AI is not liable for consequences of user-configured automated macro execution.

9e.3 OpenClaw AGI Security Bridge

The OpenClaw AGI Security Bridge provides security scanning and compliance monitoring for third-party OpenClaw deployments:

Deployment Registry: OpenClaw deployment metadata (name, URL, version, last scan date) is stored to maintain a registry of monitored deployments
Security Scanner: 6 scan types analyze OpenClaw deployments — Config Auditor, Skill Scanner, CVE Checker, Port Exposure, Permission Auditor, and Prompt Injection Detector
NIST Compliance Framework: 19 NIST 800-53 control families are mapped to OpenClaw-specific requirements for compliance assessment
Relay Bridge Sidecar: Security sidecar monitors OpenClaw tool execution, analyzes behavior patterns, and enforces compliance policies

9e.4 OpenClaw Behavior Monitoring

The OpenClaw Relay Bridge analyzes tool execution logs for security threats:

Tool execution patterns are monitored for credential access attempts and data exfiltration indicators
Behavior analysis flags suspicious patterns such as unauthorized file access, network connections to unknown endpoints, and privilege escalation attempts
Compliance enforcement actions (tool blocking, alert generation) are logged with timestamps and justification

9e.5 Data Retention for Zapier & OpenClaw

Data Type	Retention Period
Zapier Webhook Event Logs	90 days
Zapier Macro Execution Logs	90 days
OpenClaw Deployment Registry	Until deployment deregistered
OpenClaw Security Scan Results	12 months
OpenClaw CVE Findings	12 months
OpenClaw Behavior Monitoring Logs	6 months
NIST Compliance Mapping Results	12 months

Scan Result Disclaimer

OpenClaw security scanning results are provided on a best-effort basis and are not guaranteed to detect all vulnerabilities, misconfigurations, or security risks. Scan results should be used as one component of a comprehensive security assessment strategy. CPWE AI makes no warranty regarding the completeness or accuracy of scan findings.

Section 10

Cookie & Tracking Policy

Guardian Posse uses cookies and similar technologies to provide, secure, and improve our platform.

Cookie Type	Purpose	Duration	Required
Session Cookies	Authentication, CSRF protection, session state	Session / 24 hours	Essential
Preference Cookies	Theme, language, AI provider selection, UI preferences	1 year	Functional
Analytics Cookies	Google Analytics (anonymized), usage patterns	2 years	Optional
Google Ads (gtag)	Conversion tracking for advertising	90 days	Optional

No Third-Party Advertising Cookies

Guardian Posse does not use third-party advertising cookies, behavioral tracking pixels, or cross-site tracking technologies beyond the Google Ads conversion tag listed above. We do not sell your data to advertisers.

Cookie Consent

Non-essential cookies are only set after you provide consent. You may manage your cookie preferences at any time through your browser settings or by contacting us. Essential cookies required for platform functionality cannot be disabled.

Section 11

Data Security

Guardian Posse implements government-grade security controls aligned with NIST SP 800-171 to protect your data.

Cryptographic Identity

Ed25519 cryptographic identity for all agent-to-agent communications within the Agent Trust Mesh

Agent Trust Mesh

12-agent mesh network with mutual authentication and trust scoring for inter-agent data handling

End-to-End Encryption

TLS 1.2+ in transit, AES-256 at rest, Fernet encryption for OAuth tokens and sensitive credentials

4-Tier Access Control

Role-based access: Public, Authenticated, Admin, Super Admin with granular permissions per resource

Audit Logging

Comprehensive audit trail for all data access, modifications, and administrative actions

NIST 800-171 Controls

Security controls aligned with 14 NIST 800-171 control families covering 110 security requirements

Additional Security Measures

Secure OAuth authentication via Replit with session management
CSRF protection on all state-changing requests
Content Security Policy (CSP) headers
Regular security assessments and vulnerability scanning
Incident response procedures and breach notification protocols
Data sanitization and input validation on all user inputs

Section 12

Data Retention

We retain data only as long as necessary for the purposes described in this policy or as required by law.

Data Type	Retention Period	Purpose
Authentication Data	Until account deletion	Account management
EPB / Military Performance Data	Session-only (unless saved)	Bullet writing
Voice Call Recordings	90 days	Quality assurance
Voice Transcriptions	12 months	Service records
SMS Messages	12 months	Communication records
PCAP File Uploads	24 hours (auto-deleted)	Network analysis
OSINT Queries	6 months	Audit trail
Security Assessments	Until user deletion	Compliance records
Comic / Creative Content	Until user deletion	User projects
CRM / Lead Data	Until user deletion	Business operations
AI Chat Sessions	12 months	Service improvement
Audit Logs	3 years	Compliance & legal
Compliance Documents (NIST/CMMC)	5 years	Regulatory requirement
Analytics Data	24 months (anonymized)	Platform optimization
Invoice / Payment Records	7 years	Financial / tax obligations
Google OAuth Tokens	Until revoked / disconnected	Integration access
Relay Agent Data	Until relay deregistered + 90 days	Infrastructure monitoring
Active Defense Records	24 months	Threat intelligence
Risk Assessments	5 years	Compliance records
Incident Response Plans	Until user deletion	Security operations
Honeypot Trap Logs	6 months	Threat detection
Browser Extension Config	Until extension uninstalled	Local storage only (chrome.storage.sync)
SSL/CertBot Certificate Records	Until relay deregistered + 12 months	Certificate lifecycle management
Enhanced Installer Logs	90 days	Deployment verification
Zapier Webhook Event Logs	90 days	Automation audit trail
Zapier Macro Execution Logs	90 days	Automation audit trail
OpenClaw Deployment Registry	Until deployment deregistered	Security monitoring
OpenClaw Security Scan Results	12 months	Vulnerability tracking
OpenClaw Behavior Monitoring Logs	6 months	Threat detection

Section 13

International Data Transfers

Your data may be processed in the following jurisdictions:

United States: Primary hosting infrastructure and data processing (all military/CUI data remains US-only)
European Union: For EU users, transfers are protected under EU-US Data Privacy Framework adequacy decisions
AI Provider Locations: As determined by your selected AI provider's infrastructure

Transfer Safeguards

Standard Contractual Clauses (SCCs): Applied to all data transfers outside the EEA where no adequacy decision exists
EU-US Data Privacy Framework: Relied upon where applicable for transatlantic transfers
Data Residency Restrictions: Military and CUI data is restricted to US-based servers and US-based AI provider endpoints
Supplementary Measures: Encryption in transit and at rest, access controls, and regular transfer impact assessments

Section 14

Your GDPR Rights

Under the General Data Protection Regulation, EU/EEA users have the following rights regarding their personal data:

Right of Access

Obtain confirmation of whether your data is being processed and request a copy of your personal data.

Right to Rectification

Correct inaccurate or incomplete personal data without undue delay.

Right to Erasure

Request deletion of your personal data (“right to be forgotten”) where legally applicable.

Right to Restrict Processing

Request limitation of processing in certain circumstances (e.g., during accuracy verification).

Right to Data Portability

Receive your data in a structured, commonly used, machine-readable format (JSON or CSV) and transmit it to another controller.

Right to Object

Object to processing based on legitimate interests or for direct marketing purposes at any time.

Automated Decision-Making

Right not to be subject to decisions based solely on automated processing, including profiling, that produces legal effects.

Right to Withdraw Consent

Withdraw previously given consent at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact our Data Protection Officer at james@cpwe.biz. We will respond within 30 days of receiving your request. You also have the right to lodge a complaint with your local supervisory authority.

Section 15

Your California Privacy Rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) provide you with additional rights regarding your personal information.

15.1 Categories of Personal Information Collected

Identifiers: Name, email, Replit user ID, IP address, phone number
Internet/Network Activity: Browsing history on our platform, search history, interaction data
Professional/Employment Information: Military rank, AFSC, accomplishment data (EPB Writer)
Audio/Visual Data: Call recordings, voice samples, AI-generated images
Geolocation: Approximate location from IP address
Inferences: AI provider preferences, feature usage patterns

15.2 Your CCPA Rights

Right to Know

Request disclosure of personal information collected, used, disclosed, or sold in the preceding 12 months.

Right to Delete

Request deletion of personal information collected from you, subject to legal exceptions.

Right to Opt-Out

Opt out of the sale or sharing of your personal information. We do not sell your personal information.

Right to Non-Discrimination

We will not discriminate against you for exercising your CCPA rights.

Sale of Personal Information

CPWE AI does not sell personal information as defined by the CCPA/CPRA. We do not offer financial incentives for the collection, sale, or retention of personal information.

To submit a CCPA request, email james@cpwe.biz with the subject line "CCPA Request." We will verify your identity and respond within 45 days.

Section 16

COPPA Compliance (Children's Privacy)

Guardian Posse AI Platform includes educational and creative features (comic creation, curriculum building) that may be used in K-12 educational settings. We take the protection of children's privacy seriously.

Age Requirement

Guardian Posse is intended for users aged 13 and older. We do not knowingly collect personal information from children under the age of 13 without verifiable parental consent.

16.1 Parental/Guardian Consent

If we become aware that a child under 13 has provided personal information without parental consent, we will promptly delete such data
Parents or guardians may contact us at james@cpwe.biz to review, delete, or refuse further collection of their child's information
Schools using Guardian Posse for educational purposes may provide consent on behalf of parents under COPPA's school consent exception

16.2 Educational Use

When used in educational settings for K-12 curriculum building or creative projects, educators are responsible for ensuring compliance with applicable age-gating requirements and obtaining necessary consents.

Section 17

FERPA Compliance (Educational Records)

When Guardian Posse is used by educational institutions for curriculum building, instructional content creation, or student-facing features, the Family Educational Rights and Privacy Act (FERPA) may apply.

17.1 Educational Records Protection

We act as a "school official" with legitimate educational interest when providing services to educational institutions under a written agreement
Student education records are used solely for the purpose for which the institution disclosed them
We do not re-disclose student education records without prior written consent from the institution or parent/eligible student

17.2 Student Data Handling

Student data processed through curriculum building tools is not used for advertising, marketing, or building user profiles
Institutions may request deletion of student education records at any time
AI-generated content from student interactions is not retained beyond the session unless the institution configures persistent storage

17.3 Institutional Responsibilities

Educational institutions using Guardian Posse are responsible for ensuring appropriate FERPA notices, consents, and directory information designations are in place before providing student data to the platform.

Section 18

Contact & Complaints

General Privacy Inquiries

james@cpwe.biz
Subject: Privacy Inquiry

Data Protection Officer

james@cpwe.biz
Subject: DPO Request

CCPA / GDPR Requests

james@cpwe.biz
Subject: CCPA Request / GDPR Request

Supervisory Authority

EU/EEA users have the right to lodge a complaint with their local data protection supervisory authority if they believe their data protection rights have been violated. A list of EU data protection authorities is available at EDPB Members.

We aim to respond to all privacy-related inquiries within 30 days. For CCPA requests, we will respond within 45 days as required by law.

Section 19

Changes & Version History

We will notify you of significant changes to this privacy policy via email or platform notification. Continued use of Guardian Posse after changes constitutes acceptance of the updated policy.

Version	Date	Summary of Changes
3.5	February 25, 2026	Added Zapier Compliance Automation Pipeline and Zapier Macro Engine data collection disclosures (Section 2.15). Added OpenClaw AGI Security Bridge, OpenClaw Security Scanner, and OpenClaw Relay Bridge data collection (Section 2.16). Added Zapier & OpenClaw Integration Data section (Section 9e) covering Zapier webhook forwarding, macro automation, OpenClaw deployment registry, 6-type security scanning, NIST 800-53 compliance mapping, and behavior monitoring. Added data retention entries for Zapier event logs, macro execution logs, OpenClaw scan results, and behavior monitoring logs. Added disclaimers for OpenClaw scanning (best-effort), Zapier third-party data forwarding, and automated macro execution risks.
3.2	February 19, 2026	Added SSL/CertBot Certificate data collection (Section 2.14), CertBot privacy section (Section 8b), Enhanced Relay Installer v3.0 data disclosures (Section 9.4b), CertBot monitoring (Section 9.4c), updated data retention for SSL certificates and installer logs. Updated relay data section with 12-agent fleet and enhanced installer details.
3.1	February 16, 2026	Added Browser Extension data collection disclosures (Section 2.13), Browser Extension Monitoring practices (Section 9.5), extension data retention entry. Clarified local-only processing for extension data.
3.0	February 13, 2026	Added Relay Agent Infrastructure data collection, Active Defense & Threat Intelligence disclosures, Risk Management data practices, enhanced Security Operations coverage, updated data retention schedules.
2.0	February 1, 2026	Complete rewrite for Guardian Posse branding. Added CCPA, COPPA, FERPA compliance sections. Added Government/Military CUI data handling (NIST 800-171). Expanded AI provider disclosures. Added Twilio/Voice data section. Added Cookie & Tracking policy. Added Security Operations data section. Enhanced data security disclosures with Agent Trust Mesh and Ed25519 cryptographic identity. Comprehensive data retention table.
1.0	August 29, 2025	Initial privacy policy for KOJIE AI Software Engineering Platform. Basic GDPR compliance, authentication data, AI provider integration, Google Drive/Sheets integration.

Current Version: 3.5 · Effective: February 25, 2026 · Next Review: August 2026