#16

Clawy

Pre-launch

Pre-launch BYOK hosting by Driple with WhatsApp, Telegram, Discord, and Slack

From $29/mo

$29/mo founding member pricing per instance (locked in); BYOK required. Domain moved to clawy.thedriple.com

  • Security: Basic 3/100
  • Price Range: $29/mo
  • Free Tier: No
  • Integrations: 3 platforms

Security Score: 3/100 — Basic

Clawy is a pre-launch managed OpenClaw hosting service operated by 'driple,' likely a German/EU entity (parent domain hosted on ALL-INKL.COM, analytics on PostHog EU Frankfurt). The service is currently waitlist-only with no live product to evaluate. Security claims are limited to marketing-level language: 'isolated containers,' 'encrypted at rest' (for API keys), and 'TLS.' No named technologies, no architecture documentation, no security policies for the hosting service, and no public code to inspect. The Privacy Policy and Terms only cover the pre-launch website, not the actual hosting infrastructure. The $29/mo BYOK pricing model provides some cost transparency, but no agent-specific guardrails (rate limits, kill switches, approval flows) are documented. Given the pre-launch status and absence of technical documentation, scores are necessarily low across nearly all categories.

10 risk categories scored 1-10 × evidence weight. Based on our methodology, grounded in OWASP Agentic Security, NIST CSF 2.0, and CIS Controls.

Can anyone else see my data? 2/10 (C)

The FAQ states 'Every clawy user gets their own isolated container — your data is never shared with other users' and the features section claims 'Secure Isolation — Your instance runs in its own secure container. No shared risk.' The Privacy Policy covers only the website (not the hosting service, which is pre-launch) and mentions PostHog analytics on EU servers and Cloudflare as subprocessors. However, there is no detail on what container technology is used, no mention of encryption at rest for user data (only API keys), no data retention policy for agent data, no mention of whether data is used for AI training, and no employee access controls are described. These are marketing-level claims without technical specifics.

Can someone take over my agent? 1/10 (C)

The homepage mentions 'No exposed ports' and 'Isolated containers' under the 'Secure by Default' heading, but there is no documentation of prompt injection defenses, sandboxing technology, human-in-the-loop approvals, memory integrity protection, or container escape prevention. The service is pre-launch so no architecture documentation exists. The only claim is generic container isolation with no named technologies.

Are my keys and passwords safe? 2/10 (C)

The FAQ states 'Your AI API key is encrypted at rest, and all connections are secured with TLS.' This addresses encrypted storage and transport security at a high level but provides no specifics about the encryption method, key management, credential rotation, whether credentials are excluded from model context, or credential leak detection in outputs. The BYOK model means users provide their own keys, but how those keys are stored and protected beyond 'encrypted at rest' is undocumented.

Can my agent do things I didn't authorize? 0/10 (U)

No information found about guardrails for agent behavior. There is no mention of rate limiting, kill switches, tool gating, least-privilege permissions, behavioral monitoring, or approval workflows. The homepage's problem section ironically highlights '$300+ in 2 days — Claude Opus API costs spiral without visibility or controls' as a self-hosting pain point, but the solution section does not describe any specific cost controls or agent guardrails that Clawy implements.

Can I lose my data or get locked out? 1/10 (C)

The Terms state 'We aim to provide 24/7 uptime but do not guarantee uninterrupted service. We are not liable for any downtime or service interruptions.' There is no mention of backups, data export, disaster recovery, or what happens to user data if the service shuts down. The FAQ mentions 'Cancel anytime. No lock-in, no questions asked' but does not address data portability. The parent company thedriple.com is a placeholder page, raising concerns about provider stability.

Will I get unexpected bills? 3/10 (C)

Pricing is clearly stated at '$29 per month per OpenClaw instance' with the FAQ adding 'AI usage costs are separate and go directly to your AI provider via your own API key.' The BYOK model means users control their AI spending directly. The Terms note 'You are solely responsible for your AI API keys and any costs incurred through their use. We recommend setting usage limits with your AI provider to avoid unexpected costs.' This is reasonable transparency, but there are no hard spending caps, usage monitoring, or alerts provided by Clawy itself. Pricing change policy is vague: 'Founding member pricing is subject to change before launch.'

Who's responsible when something goes wrong? 2/10 (C)

The Privacy Policy covers GDPR rights and names subprocessors (PostHog EU, Cloudflare). The Terms reference isolated containers and link to the Privacy Policy. However, there is no incident response process, no breach notification timeline, no audit logging described, no agent action audit trail, and no information about data jurisdiction for the hosting service itself (only analytics is confirmed EU-hosted). The Privacy Policy only covers the website, not the actual hosting service which is pre-launch.

What if a tool or dependency gets compromised? 0/10 (U)

No information found about dependency management, MCP server vetting, software bill of materials, build pipeline security, or how third-party tools are vetted. The 'Auto-Updates' feature is listed but with no detail on how updates are verified or delivered. No GitHub repositories are public for inspection.

Is the platform itself secure? 1/10 (C)

The FAQ claims 'all connections are secured with TLS' and the homepage says 'No exposed ports.' The website itself is served via Cloudflare (per Privacy Policy). However, there is no information about authentication mechanisms (MFA support), access control, injection prevention, security testing, or platform hardening. The service is pre-launch so no dashboard or API exists to evaluate. No independent security testing or audits are mentioned.

Can I trust what my agent tells me? 0/10 (U)

No information found about approval workflows, output verification, hallucination mitigation, undo/rollback capability, or transparency about AI uncertainty. The service does not document any guardrails for ensuring output reliability or preventing trust exploitation.

V = Verified, D = Documented, C = Claimed, U = Unknown

  • Isolated containers
  • No exposed ports
  • Security-first architecture
  • Encrypted connections

Key Features

  • BYOK (bring your own API keys)
  • Multi-platform messaging
  • Waitlist with founding price
  • Backed by Driple (existing company)

Integrations

WhatsApp, Telegram, Slack

Strengths

  • Backed by existing company (Driple)
  • WhatsApp + Telegram + Slack from day one
  • Founding member pricing

Weaknesses

  • Pre-launch — no live product yet
  • BYOK adds friction
  • Limited feature details available
  • Generic security claims

Verdict

Interesting pre-launch from an established company. Wait for launch to evaluate. Also known as ClawStack.

Infrastructure: Managed cloud (by Driple)
