Infrastructure Security

Instance Isolation

Each instance runs in its own dedicated micro virtual machine with complete isolation:
  • Dedicated resources — CPU, memory, and storage are fully isolated per instance
  • Network isolation — Instances cannot communicate with each other or access internal infrastructure
  • Secure virtualization — Each VM runs in a sandboxed environment with hardware-level isolation
  • Resource protection — One instance cannot affect the performance or availability of others

Network Security

  • Encrypted connections — All traffic to and from your instance uses TLS encryption
  • Access control — Only authenticated traffic from your configured messaging channels can reach your instance
  • Outbound filtering — Instances can only make secure HTTPS connections to prevent abuse
  • Private networking — Each instance has its own isolated network stack

Data Security

Encryption

All your data is protected with industry-standard encryption:
  • Data in transit — All connections use TLS encryption (HTTPS). SSL certificates are automatically provisioned and renewed.
  • Data at rest — Instance storage volumes are encrypted to protect your data even if physical hardware is compromised.
  • Credentials — Sensitive data like bot tokens, channel credentials, and API keys are encrypted before storage.

Your Credentials

We protect your sensitive credentials with multiple layers of security:
  • Encryption — All credentials are encrypted before being saved
  • Limited access — Credentials are only accessible to your running instance, never to other users
  • Masked display — API keys and tokens are never shown in full in the dashboard (only the last 4 characters)
  • Secure injection — Credentials are securely provided to your instance without exposure to logs or external systems

Backups

Instance backups are designed to keep your data safe:
  • Encrypted storage — Backup files are encrypted with unique keys for each instance
  • Access control — Only you can restore or download your backups
  • Secure location — Backups are stored in access-controlled object storage within the EU

Account & Access Security

Authentication

Your Suji account is protected with secure authentication:
  • Secure sessions — Login sessions use encrypted, HTTP-only cookies to prevent theft
  • Strong passwords — Passwords are hashed using industry-standard algorithms and must be at least 8 characters
  • Two-factor authentication — Optional TOTP-based 2FA for additional account protection
  • Password reset — Secure password reset with time-limited tokens that expire after 1 hour
  • Session invalidation — Changing your password automatically logs you out of all devices

Access Protection

We protect against unauthorized access attempts:
  • Rate limiting — Brute-force attacks are blocked by limiting failed login attempts
  • Input validation — All data sent to the platform is validated to prevent injection attacks
  • Security headers — Your browser receives security headers to protect against common web attacks
  • Audit logging — All account and instance actions are logged for your review

Instance Access

Only you can access your running instances:
  • Web terminal — Terminal access requires active authentication and has session limits
  • File operations — Uploading and downloading files requires authenticated access
  • Automatic timeout — Inactive sessions are automatically terminated after a period of inactivity

Instance Capabilities & Isolation

Your OpenClaw instance has full access to its own isolated environment.
What your instance can do:
  • Install packages and software within its own VM
  • Write and modify files in its own storage
  • Make outbound HTTPS connections to external services
  • Run any development tools or scripts you need
What your instance cannot do:
  • Access other users’ instances or data
  • Communicate with infrastructure systems
  • Affect other instances’ performance or availability
  • Access data or services outside its isolated environment
This design gives you full flexibility to customize your instance while ensuring complete isolation from other users.

Data Location & Compliance

Where Your Data Lives

  • EU hosting — All instances run on infrastructure located within the European Union (Germany and Finland)
  • No data transfers — Your data never leaves the EU region
  • GDPR compliant — We follow EU data protection regulations for all user data
  • Certified infrastructure — Our hosting provider maintains ISO 27001 certification

Data Retention

  • Active instances — Data is retained while your subscription is active
  • Cancelled subscriptions — Instance data is kept for 30 days after cancellation, allowing you to reactivate
  • Free trial expiry — Trial instances are permanently deleted when the trial ends
  • Billing records — Invoices and payment records are retained for 10 years as required by French law

Monitoring & Logging

Platform Monitoring

We actively monitor for security events:
  • Anomaly detection — Unusual activity triggers automatic alerts
  • Failed login tracking — Repeated failed attempts are blocked automatically
  • Regular scanning — Infrastructure is regularly scanned for vulnerabilities
  • Incident response — Security events are investigated and addressed promptly

Your Audit Logs

You have full visibility into activity on your account:
  • Action tracking — All instance management actions are logged with timestamps
  • Export capability — Download your audit logs as CSV for your own records
  • User identification — Each log entry shows who performed the action
  • Compliance support — Use logs to demonstrate compliance with your own policies

Security Best Practices

Protect Your Account

  • Choose a strong, unique password for your Suji account
  • Enable two-factor authentication in your account settings
  • Never share your login credentials
  • Review your audit logs regularly for unexpected activity

Protect Your Instance

  • Keep your AI provider API keys confidential
  • Use secure credentials for your messaging channels
  • Create regular backups of important instance data
  • Keep your OpenClaw version updated to get security fixes

Data Management

  • Export critical data before cancelling your subscription
  • Review environment variables to ensure no secrets are accidentally exposed
  • Remove unused instances to limit your security footprint
  • Test backup restoration periodically to ensure recoverability

Reporting Security Issues

If you discover a security vulnerability or suspect a security incident:
  1. Do not disclose it publicly — This could put other users at risk
  2. Email [email protected] with details about the issue
  3. Include reproduction steps if you found a vulnerability
  4. Expect a response within 48 hours acknowledging your report
We take all security reports seriously and will:
  • Investigate the issue immediately
  • Keep you informed of our findings and remediation plans
  • Credit responsible disclosure if you wish
  • Apply fixes promptly and notify affected users if necessary
For general support questions, contact [email protected].