Subs -30%
Subscriptions 30% off
SUB30
Subs -30%
Subscriptions 30% off
SUB30
Loading...
> docs/security-overview
Security Overview
4 min read
Security
Last updated March 12, 2026
How We Protect Your Data
Every ClawHosters instance runs on its own dedicated Hetzner Cloud VPS in Germany. Your data never leaves German soil. There is no shared hosting, no multi-tenant containers, and no resource pooling between customers.
This page covers the infrastructure, network, container, and data protection measures in place across the platform.
Infrastructure: Germany-Only Hosting
All servers are provisioned in the Hetzner Cloud data center in Falkenstein, Germany. The facility is ISO 27001 certified, with 24/7 on-site security, redundant power, and fire suppression systems.
| Detail | Value |
|---|---|
| Cloud provider | Hetzner Cloud |
| Data center location | Falkenstein (Germany) |
| Certifications | ISO 27001 |
| Jurisdiction | EU / German law |
Running everything in Germany simplifies GDPR compliance. Your data is subject to EU data protection law, not US cloud jurisdictions.
Network Security
Each VPS is hardened at the network level before any customer workload starts. The default firewall policy drops all inbound traffic except what is explicitly allowed.
Firewall Protection
- Inbound traffic is restricted to only required ports (SSH and web UI)
- All other inbound traffic is blocked by default
- Outbound email and IRC traffic is restricted to prevent abuse
- Connection rate limiting protects against flood attacks
Brute Force Protection
SSH login attempts are monitored, and IPs that repeatedly fail authentication are temporarily blocked automatically.
Container Isolation
Each instance runs inside a Docker container on its own dedicated VPS (single-tenant model). Since every customer gets their own virtual server, there is no container co-tenancy. Containers only run on that customer's VPS, providing full isolation by design.
Container Security Measures
Each customer gets their own dedicated virtual server with no shared hosting. Containers are resource-limited based on tier and include health monitoring with automatic restart on failure.
The container environment blocks several potential abuse vectors:
- No cross-instance communication. Each customer's VPS is fully isolated
- No privilege escalation. Security flags prevent unauthorized privilege elevation
- Memory limits enforced. Each container's memory is capped based on the tier
Snapshot and Pause Security
When an instance is paused (due to low balance), the system takes a Hetzner snapshot and deletes the server. The snapshot is stored in Hetzner's infrastructure and is only accessible through your account.
When you resume, a new server is created from the snapshot. The old server's IP address and SSH host keys are gone. This is a clean restore every time.
Snapshots are stored in Hetzner's infrastructure and are only accessible through authenticated API calls. You cannot download raw snapshots; they can only be restored to new servers through the Hetzner API.
Data Handling
What We Store
| Data | Where | Encryption |
|---|---|---|
| Account email, password | ClawHosters database (Hetzner VPS) | Password hashed with bcrypt |
| Billing records | ClawHosters database | Stored in PostgreSQL on dedicated VPS |
| Instance configuration | Customer's dedicated VPS | Stored on isolated server |
| Chat history and AI conversations | Customer's dedicated VPS | Not accessible by ClawHosters |
| Payment data (cards, bank) | Stripe (PCI DSS compliant) | Never touches our servers |
| LLM API keys (BYOK) | ClawHosters database | AES-256-GCM encryption via Rails encrypted credentials |
What We Do Not Store
- Credit card numbers or bank details (handled entirely by Stripe)
- Chat content or AI conversation logs (those stay on your instance)
- Hetzner Cloud API keys of customers (we only use our own provisioning keys)
GDPR Compliance
As a German-based service with all data stored in the EU, ClawHosters operates under the General Data Protection Regulation (GDPR).
Your Rights
- Access. Request a copy of all personal data we hold about you
- Rectification. Correct inaccurate personal data
- Erasure. Request deletion of your account and data
- Portability. Export your data in a standard format
- Objection. Object to processing of your data
To exercise any of these rights, contact support through your ClawHosters dashboard or email.
Data Retention
- Active accounts. Data retained as long as the account is active
- Deleted accounts. Personal data deleted within 30 days
- Financial records. Retained for 10 years per German tax law (GoBD)
- Server logs. Rotated and deleted after 90 days
Responsible Disclosure
If you discover a security vulnerability in ClawHosters, please report it to security@clawhosters.com or through the support ticket system in your dashboard. Do not post it publicly. We aim to acknowledge receipt within 48 hours and work to resolve confirmed issues promptly.
Related Docs
- Instance Overview: How instances work and what runs inside them
- Quickstart Guide: Get started with ClawHosters
- Billing Overview: How billing and payments work
Related Documentation
Data Handling and Privacy
What Data We Handle ClawHosters stores different types of data in different locations. This page...
Architecture Overview
How ClawHosters Works ClawHosters is a managed hosting platform for OpenClaw, an open-source AI ...
GDPR Compliance
GDPR and ClawHosters ClawHosters operates under the General Data Protection Regulation (GDPR) as...
