
DeployClaw
Live | Best for Control
Self-hosted OpenClaw deployment across 7 cloud providers
Security Score: 7/100 — Basic
DeployClaw is a managed deployment service for OpenClaw that runs on user-provided infrastructure (self-hosted model). The self-hosted architecture is inherently positive for data sovereignty, but the provider's security documentation is thin: there is no dedicated security page, the docs site doesn't resolve, and the status page is also down. Security claims are limited to generic marketing language. There is no MFA. Most agent-specific security concerns are completely unaddressed. Pricing is transparent and well-documented. The company is Macrofix Software Private Limited (India). Overall, security maturity is low.
10 risk categories scored 1-10 × evidence weight. Based on our methodology, grounded in OWASP Agentic Security, NIST CSF 2.0, and CIS Controls.
DeployClaw's self-hosted model means user data stays on the user's own server, which is a strong architectural claim repeated across the homepage, privacy policy, and features page ('Your data stays on your infrastructure. No third-party data storage'). The privacy policy states they do not store, access, or process the content OpenClaw handles. However, there is no documentation of per-user isolation mechanisms, encryption at rest specifics, log sanitization, employee access controls with audit trails, or whether the management platform itself has data-at-rest encryption.
No information found anywhere on the site about prompt injection defenses, sandboxing for code execution, human-in-the-loop approvals for goal changes, memory integrity protection, output sanitization, or container escape prevention. The features page describes shell command execution and browser control as capabilities, but there is zero documentation about how these powerful capabilities are constrained or protected from hijacking.
The privacy policy mentions 'TLS/SSL encryption, role-based access controls, and secure credential storage' and 'encrypted SSH tunnels' for server connections. The pricing FAQ says users must supply their own AI provider API keys. However, there are no specifics about how credentials are stored, whether credentials are excluded from AI model context, credential leak detection, rotation support, or lifecycle management.
No information found about least-privilege defaults, high-risk tool gating, resource consumption limits, rate limiting, emergency kill switches, or behavioral monitoring. The product explicitly markets full shell access, file system access, and browser control with no documented guardrails.
The terms of service place backup responsibility on the user. No mention of tested backups, verified restore, circuit breakers, or blast-radius limits. Data export is vaguely referenced. The self-hosted model means data is on the user's server, which does help, but there is no documentation of provider stability signals or what happens to the management platform if DeployClaw shuts down.
Pricing is clearly documented with four tiers ($29, $49, $149, $399/mo) plus explicit mention of server infrastructure fees as an additional cost. The terms state 30 days advance notice for price changes. Prorated billing for plan changes is documented. Stripe/Paddle payment processing is named. 14-day money-back guarantee. However, there are no hard spending caps or usage monitoring with alerts.
The privacy policy identifies Macrofix Software Private Limited as the operating entity, based in India. The privacy policy mentions data retention and deletion rights. 'Activity logging' is listed as a feature but provides no details. There is no documented incident response process, no breach notification timeline, and no GDPR compliance statement.
DeployClaw deploys OpenClaw, which is open-source — a positive signal. However, there is no documentation of MCP server or tool vetting, dependency scanning, SBOM, build pipeline integrity, or how OpenClaw updates are verified before deployment.
The login page shows email/password authentication with Google OAuth but no MFA/2FA. The privacy policy mentions 'TLS/SSL encryption' and 'role-based access controls' in generic terms. No dedicated security page (404). The docs subdomain and status page do not resolve. No mention of injection prevention, SSRF protection, or independent security audits.
No information found about approval workflows, independent verification, output manipulation monitoring, undo/rollback capability, or transparency about AI uncertainty.
Key Features
- ✓ Sub-5-minute deployment
- ✓ 7 cloud providers (DO, Vultr, Hetzner, AWS, Akamai, Contabo, custom)
- ✓ 100+ AgentSkills via ClawHub marketplace
- ✓ Full root access
- ✓ Model-agnostic (BYOK or local)
- ✓ Deploys open-source OpenClaw (MIT licensed)
- ✓ Shell access, file access, browser control
Strengths
- + Full infrastructure control
- + 2,847 deployments across 43 countries
- + Choose your own cloud provider
- + 100+ AgentSkills marketplace
- + Open-source codebase
Weaknesses
- − Requires more technical skill
- − Security is your responsibility
- − No managed security features
Verdict
Best for DevOps-savvy users who want full control over their infrastructure and cloud provider choice. Now with 100+ AgentSkills and enterprise tiers.