Security

Updated: 19 May 2026

Tawi is the brand. TawiGo is the product. This page explains how to report security issues and how TawiGo treats web, desktop, local model, account, coding, research, and automation risks.

Responsible disclosure

Report suspected vulnerabilities to support@tawi.ai with "Security report" in the subject line. Do not send live secrets, passwords, private keys, bearer tokens, database URLs, or customer data in email. Send a minimal description first and we will coordinate a safer evidence path if needed.

Security scope

• TawiGo web service and API surfaces.
• TawiGo Desktop install, local runtime, and native helpers.
• TawiGo browser, app, and service integrations.
• Release download, installer, and local model artifact integrity.
• Authentication, billing, memory, voice, coding, automation, and agent orchestration surfaces.

Automation safety

• Automation should be scoped to the user's requested task and selected surface.
• Sensitive actions should use approval gates, visible feedback, and clear cancellation paths.
• Generic synthetic work should stay isolated from the user's personal account state.
• Account-bound work should use approved user-consented channels and avoid unsafe global control ports.
• Computer control should be visible to the user and gated by approval where sensitive actions are involved.
• Secrets, passwords, signed URLs, private tokens, and credential material should not be printed into logs.
• Runtime helpers should use bounded lifetimes, cleanup, and process ownership to avoid stale automation clients.

Infrastructure and data safeguards

• TLS is required for public service traffic.
• Authentication, authorization, rate limits, and abuse controls protect production APIs.
• Secrets should be stored in managed secret systems, not in public source or browser logs.
• Operational evidence should be redacted before publication.

Out of scope

• Social engineering, spam, denial-of-service, or physical attacks.
• Testing against third-party providers outside TawiGo's control.
• Reports that require accessing another user's account or data without permission.