
Security Overview

Security | Last updated February 10, 2026

How We Protect Your Data

Every ClawHosters instance runs on its own dedicated Hetzner Cloud VPS in Germany. Your data never leaves German soil. There is no shared hosting, no multi-tenant containers, and no resource pooling between customers.

This page covers the infrastructure, network, container, and data protection measures in place across the platform.

Infrastructure: Germany-Only Hosting

All servers are provisioned in the Hetzner Cloud data center in Falkenstein, Germany. The facility is ISO 27001 certified, with 24/7 on-site security, redundant power, and fire suppression systems.

| Detail | Value |
|---|---|
| Cloud provider | Hetzner Cloud |
| Data center location | Falkenstein (Germany) |
| Certifications | ISO 27001 |
| Jurisdiction | EU / German law |

Running everything in Germany simplifies GDPR compliance. Your data is subject to EU data protection law, not US cloud jurisdictions.

Network Security

Each VPS is hardened at the network level before any customer workload starts. The default firewall policy drops all inbound traffic except what is explicitly allowed.

Firewall Rules (iptables)

| Direction | Rule |
|---|---|
| Inbound | Allow SSH (port 22), web UI (port 8080), established connections |
| Inbound | Drop everything else |
| Outbound | Block SMTP (ports 25, 465, 587, 2525) to prevent spam |
| Outbound | Block IRC (ports 6667, 6697, 194) to prevent botnet communication |
| Outbound | Allow everything else |

SYN flood protection is active with a rate limit of 30 packets per second (burst 60). Excess packets are logged and dropped.
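
The policy in the table above can be checked mechanically. The following is an added example, not ClawHosters' own tooling: a shell audit that compares an iptables-save dump with the documented rules. The embedded ruleset is constructed for illustration; its SYNFLOOD chain name, log prefix and FORWARD policy are assumptions.

```shell
#!/bin/sh
# Added example: audit an iptables-save dump against the policy documented above.

# Constructed ruleset modelling the table; the SYNFLOOD chain name, log prefix
# and FORWARD policy are assumptions, not ClawHosters' actual configuration.
sample_ruleset() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:SYNFLOOD - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j SYNFLOOD
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A SYNFLOOD -m limit --limit 30/sec --limit-burst 60 -j RETURN
-A SYNFLOOD -j LOG --log-prefix "synflood: "
-A SYNFLOOD -j DROP
-A OUTPUT -p tcp -m multiport --dports 25,465,587,2525 -j DROP
-A OUTPUT -p tcp -m multiport --dports 194,6667,6697 -j DROP
COMMIT
EOF
}

# Reads a dump on stdin, prints one line per deviation, returns 0 if none.
audit_ruleset() {
    rules=$(cat); fail=0
    has() { printf '%s\n' "$rules" | grep -Eq -e "$1"; }
    need() { has "$2" || { echo "MISSING: $1"; fail=1; }; }

    need "INPUT default policy DROP"    '^:INPUT DROP'
    need "established traffic accepted" '^-A INPUT .*ESTABLISHED.* -j ACCEPT'
    need "SYN limit 30/s, burst 60"     '--limit 30/sec --limit-burst 60'
    need "excess SYNs logged"           '^-A [^ ]+ -j LOG'
    # Inbound ACCEPT rules may open only SSH (22) and the web UI (8080).
    open=$(printf '%s\n' "$rules" |
        sed -n 's/^-A INPUT .*--dports\{0,1\} \([0-9,:]*\) .*-j ACCEPT$/\1/p' |
        tr ',' '\n' | sort -n | tr '\n' ' ')
    [ "$open" = "22 8080 " ] || { echo "UNEXPECTED inbound ports: $open"; fail=1; }
    # Every SMTP and IRC port from the table must be blocked outbound.
    for p in 25 465 587 2525 6667 6697 194; do
        need "outbound block for port $p" \
            "^-A OUTPUT .*--dports? ([0-9]+,)*$p(,[0-9]+)* .*-j (DROP|REJECT)"
    done
    return "$fail"
}
```

On a live host the same function can be fed real state with iptables-save | audit_ruleset, which requires root.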

fail2ban

SSH brute force protection is enabled by default:

  • Max retries: 3 failed login attempts
  • Ban duration: 1 hour
  • Monitored service: SSH (sshd)

After three failed SSH attempts from the same IP, that IP is blocked for one hour.

Container Isolation

Each instance runs inside a Docker container with strict resource limits and security hardening. Containers are isolated from each other and cannot communicate with one another.

Docker Security Measures

| Measure | What It Does |
|---|---|
| Dedicated VPS | Each customer gets their own virtual server, not a shared host |
| Memory limits | Containers are capped at 1 GB (Budget), 2 GB (Balanced), or 4 GB (Pro) |
| Log rotation | Container logs capped at 50 MB with 3 rotated files |
| Health checks | Container health monitored every 30 seconds with automatic restart on failure |

What the Container Cannot Do

The Docker configuration blocks several potential abuse vectors:

  • No cross-instance communication -- Each customer's VPS is fully isolated; containers from different customers cannot communicate
  • No privilege escalation -- The no-new-privileges flag prevents setuid/setgid escalation
  • Memory hard-limited -- Each container's memory is capped based on the tier, with automatic restart if exceeded

Snapshot and Pause Security

When an instance is paused (due to low balance), the system takes a Hetzner snapshot and deletes the server. The snapshot is stored in Hetzner's infrastructure and is only accessible through your account.

When you resume, a new server is created from the snapshot. The old server's IP address and SSH host keys are gone. This is a clean restore every time.

Snapshots are stored in Hetzner's infrastructure and are only accessible through authenticated API calls. You cannot download raw snapshots; they can only be restored to new servers through the Hetzner API.

Data Handling

What We Store

| Data | Where | Encryption |
|---|---|---|
| Account email, password | ClawHosters database (Hetzner VPS) | Password hashed with bcrypt |
| Billing records | ClawHosters database | Stored in PostgreSQL on dedicated VPS |
| Instance configuration | Customer's dedicated VPS | Stored on isolated server |
| Chat history and AI conversations | Customer's dedicated VPS | Not accessible by ClawHosters |
| Payment data (cards, bank) | Stripe (PCI DSS compliant) | Never touches our servers |
| LLM API keys (BYOK) | ClawHosters database | Encrypted with Rails credentials |

What We Do Not Store

  • Credit card numbers or bank details (handled entirely by Stripe)
  • Chat content or AI conversation logs (those stay on your instance)
  • Hetzner Cloud API keys of customers (we only use our own provisioning keys)

GDPR Compliance

As a German-based service with all data stored in the EU, ClawHosters operates under the General Data Protection Regulation (GDPR).

Your Rights

  • Access -- Request a copy of all personal data we hold about you
  • Rectification -- Correct inaccurate personal data
  • Erasure -- Request deletion of your account and data
  • Portability -- Export your data in a standard format
  • Objection -- Object to processing of your data

To exercise any of these rights, contact support through your ClawHosters dashboard or by email.

Data Retention

  • Active accounts -- Data retained as long as the account is active
  • Deleted accounts -- Personal data deleted within 30 days
  • Financial records -- Retained for 10 years per German tax law (GoBD)
  • Server logs -- Rotated and deleted after 90 days

Responsible Disclosure

If you discover a security vulnerability in ClawHosters, please report it through the support ticket system in your dashboard. Do not post it publicly. We aim to acknowledge receipt within 48 hours and work to resolve confirmed issues promptly.
