#41

Contabo

Live

Budget-friendly OpenClaw VPS from established hosting provider with 450K+ servers worldwide

From €4.50/mo
VPS 10 €4.50 (Personal) · VPS 20 €7 (Power User) · VPS 40 €25 (Team) · VPS 60 €49 (Enterprise). Unlimited traffic.
Security: Good 21/100
Price Range: €4.50/mo to €49/mo
Free Tier: No
Integrations: 4 platforms

Security Score: 21/100 — Good

Contabo is a well-established German VPS provider (22 years, 225k+ customers) offering OpenClaw as a 1-click pre-installed add-on. This is fundamentally unmanaged infrastructure hosting -- Contabo explicitly states 'the customer is solely and exclusively responsible for administering and securing the server at the customer's own risk and expense' (T&C Clause 10). The platform provides solid physical infrastructure (redundant power/cooling/networking, DDoS protection, 99.9% uptime SLA, EU data centers) and GDPR compliance with a named DPO, but zero agent-specific security features. All OpenClaw security (sandboxing, credential management, access control, guardrails) is the user's responsibility. The blog guide provides thoughtful security advice but this is editorial content, not enforced platform controls. No ISO 27001 or SOC 2 certifications were found. Strong on infrastructure reliability and pricing transparency; weak on agent-specific security and supply chain. Best suited for technically sophisticated users who want full control and can handle their own security.

10 risk categories scored 1-10 × evidence weight. Based on our methodology, grounded in OWASP Agentic Security, NIST CSF 2.0, and CIS Controls.

Can anyone else see my data? 4/10
D

Contabo provides VPS-level isolation (each user gets their own virtual server) and states 'your data stays on your server' and 'we don't collect data on what runs on your VPS or Dedicated Server instance.' T&C Clause 10 confirms 'Only the customer has access to the server's individual administration password. The Provider has no access to the password.' However, T&C Clause 12(4) notes 'the Provider has the technical means to at any time inspect the data that the customer has stored on the server, insofar as the customer does not use a secure data-encryption system.' No encryption-at-rest is provided by default; this is the user's responsibility.

Can someone take over my agent? 2/10
C

Blog guide mentions 'Enable sandbox mode for command execution' and 'Defend against prompt injection by treating all external input as untrusted. Block dangerous commands explicitly: recursive deletes, forced git pushes, arbitrary network calls.' However, these are advisory blog recommendations, not platform-enforced controls. Contabo provides no agent-level sandboxing, prompt injection protection, or memory integrity features -- all of this is the user's responsibility on their unmanaged VPS.

Are my keys and passwords safe? 3/10
C

The OpenClaw FAQ states 'Your API keys are encrypted, and you control access completely.' The blog guide advises 'Store API keys in environment variables or a secrets manager, not plain config files.' However, Contabo itself provides no secrets management, credential rotation, or leak detection -- these are standard OpenClaw features and user responsibilities. No platform-level credential protection is offered.

Can my agent do things I didn't authorize? 2/10
C

Blog guide acknowledges risks: 'OpenClaw can execute shell commands, read files, and make API calls using stored credentials' and advises 'Run the agent with minimal necessary permissions, never root.' However, Contabo provides no rate limiting, kill switches, spending caps, or behavioral monitoring for OpenClaw agents. All guardrails are the user's responsibility. The FAQ warns 'be sure to keep an eye on token usage as these costs can add up fast with an autonomous agent.'

Can I lose my data or get locked out? 5/10
D

All VPS plans list 'Auto Backup available' as an add-on option. T&C Clause 11 provides 99.9% annual uptime SLA for 'physical connectivity.' Contabo has 22 years in business, 225,000+ customers, and 450,000+ servers -- strong stability signals. T&C Clause 2(6) states 'The Provider is under obligation to back up data only if and insofar as this is expressly stipulated in the service description.' Data export is inherent to VPS (full root access), and snapshots are included in plans.

Will I get unexpected bills? 6/10
D

Pricing is transparent with flat monthly VPS fees clearly listed (e.g., Cloud VPS 10 at 4.50 EUR/month). T&C Clause 4(9) states the provider 'may adjust the prices at any time in line with market developments' but grants a 'special right of termination' if the customer objects. The FAQ warns about external API costs: 'you will need to have an API key with billing set up for your chosen AI provider, and that you will pay per token.' No hard spending caps are provided for API usage.

Who's responsible when something goes wrong? 5/10
D

Contabo is a registered German GmbH (Contabo GmbH, Welfenstrasse 22, 81541 Munich) subject to GDPR. They have a named Data Protection Officer (Dr. Karsten Kinast, KINAST Rechtsanwaltsgesellschaft). The Europe location page states 'We are not only 100% GDPR compliant.' T&C includes DSA compliance (Part 3) and TCO regulation contact point. However, there is no published incident response process, no breach notification timeline beyond GDPR requirements, and no agent-specific audit logging.

What if a tool or dependency gets compromised? 1/10
U

No information found about dependency scanning, SBOM, MCP server vetting, build pipeline integrity, or supply chain security measures. Contabo's 1-click installation deploys OpenClaw but provides no details about how the image is built, verified, or maintained. T&C states 'Any additional open source software included in the applications is owned by the respective provider - maintenance, upgrading, and troubleshooting are within the end-users responsibility.'

Is the platform itself secure? 4/10
D

Contabo's VPS infrastructure includes 'Always-on DDoS protection,' 'strict access controls,' data centers with 'CCTV and physical access control,' redundant power/cooling/networking, and 'People On The Ground' 365 days/year. However, no MFA is mentioned for the customer panel, no independent security audits or penetration testing are published, and no ISO 27001 or SOC 2 certifications were found anywhere on the site despite extensive searching.

Can I trust what my agent tells me? 1/10
U

No information found about hallucination mitigation, approval workflows, output verification, or trust exploitation prevention. This is entirely outside Contabo's scope as an unmanaged VPS provider. The blog guide does not address misinformation risks from AI agents.

V = Verified · D = Documented · C = Claimed · U = Unknown
DDoS protection included · Dedicated VPS resources · 9 regions / 11 locations · Unlimited traffic

Key Features

  • 9 global regions, 11 locations
  • Unlimited traffic
  • DDoS protection
  • 450,000+ servers worldwide
  • Predictable monthly pricing
  • Dedicated OpenClaw landing page

Integrations

WhatsApp · Telegram · Discord · Slack

Strengths

  • Extremely affordable — €4.50/mo entry point
  • Massive established infrastructure (450K+ servers)
  • Unlimited traffic included
  • DDoS protection included

Weaknesses

  • General VPS provider — OpenClaw setup may require technical knowledge
  • No managed OpenClaw features (dashboard, one-click integrations)
  • EUR pricing may not appeal to US users

Verdict

Best budget VPS option from a well-established hosting provider. €4.50/mo with DDoS protection and unlimited traffic is hard to beat. No managed features — you run OpenClaw yourself.

Infrastructure: Contabo global VPS (450K+ servers)
