
ClawHosting.io
Live
Multi-region hosting with $5/mo Telegram bot plan and $15/mo full Standard plan
Security Score: 17/100 — Basic
ClawHosting.io is a small managed OpenClaw hosting provider run by a solo founder (Reza) through Bluebit Consulting Pty Ltd, an Australian company. The architecture is built around a dedicated VPS per user, which provides meaningful tenant isolation. They use solid third-party services (Auth0, Cloudflare, Stripe, AWS). Pricing is transparent and reasonable. However, the site lacks any dedicated security documentation: it has no security page, no security.txt, and no discussion of agent-specific security controls (prompt injection, sandboxing, guardrails). The Terms and Privacy Policy are well written but focus on legal disclaimers rather than technical security measures. Most risk categories related to AI agent security (hijacking, rogue agents, supply chain, misinformation) are completely unaddressed. The provider's strength is its simplicity and dedicated-server model, but this comes without the security tooling expected for hosting autonomous AI agents.
10 risk categories scored 1-10 × evidence weight. Based on our methodology, grounded in OWASP Agentic Security, NIST CSF 2.0, and CIS Controls.
Privacy policy states 'We do NOT read or access your OpenClaw conversations' and 'We do NOT access files on your OpenClaw instance.' Each user gets a dedicated VPS, providing physical isolation. However, there is no mention of encryption at rest on the VPS, no discussion of log sanitization, and no explicit statement about data not being used for AI training (they defer to third-party AI providers). The dedicated server model is a meaningful architectural claim but details on employee access controls and audit trails are absent.
No information found about prompt injection defenses, sandboxing, memory integrity protection, or human-in-the-loop mechanisms for agent actions. The Terms warn about 'Code Execution Risk: OpenClaw can execute arbitrary code and shell commands' but offer no mitigations beyond user responsibility. No mention of container escape prevention or separation of instructions from external data.
Privacy policy explicitly states 'We do NOT store your AI provider API keys (they stay on your server).' Docs instruct users to paste API keys on their dashboard, and the architecture keeps keys on the dedicated VPS. SSH access uses 'SSH key-based authentication (no passwords).' However, there is no mention of encrypted credential storage on the VPS itself, no credential leak detection in outputs, and no credential rotation mechanisms.
Terms mention that 'OpenClaw has the ability to read, write, and delete files on your server' and warn about 'Misconfigured or incorrectly prompted AI actions' but provide no guardrails. No mention of rate limiting, spending caps on agent actions, kill switches, behavioral monitoring, or least-privilege configurations. The warning to 'review AI actions before approving them' is the only mitigation, and it is a user responsibility statement, not a technical control.
Homepage lists 'Daily Backups' as a feature of the Standard plan. FAQ states 'Upon subscription cancellation, your server and all data is deleted within 30 days.' However, there is no mention of backup verification/restore testing, no data export tool, no uptime SLA, and no status page. The provider is a small Australian company (Bluebit Consulting Pty Ltd, ACN 668430519) run by a single person ('Built by Reza'), raising questions about continuity.
Pricing is clearly stated: $15/month Standard, $5/month Telegram plan. Docs note 'AI usage is billed separately by your provider (Anthropic/OpenAI). Typical use is $5-20+/month.' Terms state 'We reserve the right to change pricing with 30 days notice' and 'Failed payments will result in a 3-day grace period before service suspension.' The promo code 'CLAW100' gives the first month free. No hidden fees found. However, ClawHosting itself offers no hard spending caps on AI provider usage.
Company is registered as 'Bluebit Consulting Pty Ltd' with Australian Company Number 668430519. Contact emails provided for legal, privacy, and support. Privacy policy references GDPR-like rights (access, correction, deletion, portability). However, there is no mention of incident response procedures, breach notification timelines, audit logging, or agent action audit trails. No mention of security monitoring.
No information found about dependency scanning, MCP server vetting, SBOM, build pipeline security, or update verification. Docs mention 'automatic updates' but no details on how updates are verified or secured. Third-party dependencies include Auth0, Stripe, AWS, and Cloudflare, but no discussion of how these are secured or monitored.
Uses Auth0 for authentication with Google and GitHub SSO options, which is a solid choice. Privacy policy mentions 'Encrypted connections (TLS) for all communications' and 'Cloudflare protection for Gateway UI access.' SSH uses key-based authentication. HTTP headers confirm Cloudflare and HTTP/2. However, there is no mention of MFA enforcement, security testing or penetration testing, or a bug bounty program, and no security.txt file exists.
No information found about hallucination mitigation, approval workflows for high-impact actions, output verification mechanisms, or transparency about AI uncertainty. Terms warn about 'AI Limitations: OpenClaw uses large language models which may produce incorrect, misleading, or harmful outputs' but this is a disclaimer, not a mitigation. No undo/rollback capability mentioned.
Key Features
- ✓ Multi-region server selection (EU, UK, US, Asia, Australia)
- ✓ Telegram bot plan ($5/mo) or full Standard plan ($15/mo)
- ✓ Choose your AI provider (Anthropic, OpenAI, Google)
- ✓ SSH access on Standard plan
- ✓ Daily backups
- ✓ Browser automation (Standard plan)
Strengths
- + Cheapest Telegram-only plan ($5/mo)
- + Extensive regional selection (10+ regions including Asia-Pacific)
- + Standard plan ($15/mo) has generous specs (4CPU/8GB/150GB)
- + First month free with promo code
Weaknesses
- − New entrant (Feb 2026)
- − Behind Cloudflare challenge on first visit
Verdict
Major upgrade since launch. Standard plan at $15/mo with 4CPU/8GB/150GB and 10+ regions is excellent value. $5/mo Telegram bot plan remains cheapest entry point.