Security & Trust

Built for teams that can't afford to move fast and break things.

Your Slack conversations, competitor research, and growth decisions pass through us. Here's exactly how we protect them.

Encryption

Encrypted in transit, encrypted at rest

Every byte of your data is encrypted end-to-end. We use industry-standard primitives — no in-house cryptography.

  • TLS 1.3 for all traffic between your browser, our Portal, and your gateway
  • AES-256-GCM at rest for gateway tokens and connector secrets
  • Scrypt password hashing using OWASP-recommended parameters
  • HMAC-SHA256 signed session cookies, rotated on each sign-in

Customer isolation

Each customer runs on its own instance

Your data never shares a process with another customer. Every customer gets a dedicated OpenClaw runtime on a distinct port and URL, with its own workspace, memory, and data store.

  • Separate WebSocket connection per customer — no shared event loop
  • Separate SQLite store per customer — no shared tables, no noisy-neighbor queries
  • Per-customer OpenClaw workspace — USER.md and every officer's MEMORY.md live inside your workspace only; no shared memory or cross-client learning
  • Cross-customer access checks in every read and write — a single contract, enforced system-wide
  • Device-paired ed25519 authentication for operator scopes — shared tokens alone cannot elevate

Access control

Least-privilege from day one

Employees access customer data only when needed to operate the service.

  • Role-separated authentication (operator vs customer) enforced at the middleware layer
  • Session binding to device identity for operator-scope actions

Data lifecycle

You own your data, and you can take it with you

Your findings, briefings, approvals, and evidence chains belong to you. We store them, we don't license them.

  • Full data export in JSON on request
  • 30-day retention after cancellation, then cryptographic purge
  • No training of AI models on customer content, ever
  • Standard Contractual Clauses for any cross-border data transfer

Compliance

Standards we hold ourselves to, with status in the open.

  • SOC 2 Type II: In progress. Pursuing certification · report available under NDA once issued
  • GDPR: In progress. Working toward full alignment · DPA available to all paid customers
  • CCPA: In progress. Consumer rights honored today · see Privacy Policy for your rights
  • ISO 27001: Planned. Evaluating certification for 2026
  • HIPAA: Not covered. We are not a Business Associate · do not send us PHI

Operations

The boring work that keeps the lights on.

Per-customer isolation

Every customer runs on a dedicated runtime with its own data store — no shared process, no noisy neighbors.

Encrypted secrets

Connector tokens and gateway credentials are encrypted at rest with AES-256-GCM, with encryption keys kept separate from the data store.

Vulnerability management

Dependencies are kept current and monitored for known advisories; security-relevant updates are prioritized.

Secure SDLC

Code review required for every change. No force-push to main.

Baseline images

Production runtime pinned to a vetted version tag — upstream upgrades regression-tested before promotion.

Subprocessors

Every third party we use, named and accountable.

We notify paid customers at least 30 days before adding a new subprocessor. Existing customers can object in writing; if we can't find an alternative, you may terminate for cause.

| Vendor | Purpose | Region |
| --- | --- | --- |
| Railway | Application + database hosting | US / EU |
| Cloudflare | CDN, DDoS protection, WAF | Global edge |
| Anthropic | LLM inference for agent reasoning | US |
| Google (Gemini) | LLM inference (optional, per-customer) | US / EU |
| DeepSeek | LLM inference (optional, per-customer) | CN |
| NVIDIA Nemotron | LLM inference (optional, per-customer) | US |
| Resend | Transactional email | US |
| Stripe | Billing and payment processing | US / EU / SG |
| Composio | Managed OAuth + API gateway for marketing connectors (Google Ads at launch; Meta Ads / LinkedIn Ads / others to follow) | US |
| PostHog | First-party product + website analytics (consent-gated) | US / EU |

Responsible disclosure

Found a vulnerability? Tell us first.

Email us at [email protected]. We acknowledge within one business day, investigate in good faith, and publicly credit you when the fix ships (unless you ask otherwise). No legal action against good-faith researchers.

Last reviewed: 2026-05-29 · questions? [email protected]

Security & Trust · Ceres