
Hostinger
Live
Major hosting provider with one-click OpenClaw deployment and Nexos AI credits included
Security Score: 40.8/100 — Strong
Hostinger is a well-established hosting company (founded 2004, 4M+ customers, 1000+ employees) that offers OpenClaw as a pre-configured Docker template on their KVM-based VPS platform. Their security posture benefits significantly from being a mature, large-scale hosting provider with ISO 27001:2022 alignment, a HackerOne bug bounty program ($100-$25,000), comprehensive DPA with detailed security standards (encryption at rest, penetration testing, access controls), and Tier-3 data centers with DDoS protection. Notably, they provide a dedicated OpenClaw security hardening guide covering sandbox mode, prompt injection defense, credential protection, network isolation, and tool permission limiting. However, the key limitation is that Hostinger's approach is fundamentally VPS-based (infrastructure-as-a-service), meaning most OpenClaw-specific security measures are user responsibilities rather than platform-enforced controls. There are no documented hard spending caps, automated behavioral monitoring, credential rotation, or approval workflows specific to OpenClaw agents. The ISO 27001 reference is for the parent Hostinger organization, not the OpenClaw product specifically. Overall, Hostinger provides a solid and well-documented infrastructure foundation with above-average guidance for OpenClaw security hardening, but falls short on agent-specific automated protections.
10 risk categories scored 1-10 × evidence weight. Based on our methodology, grounded in OWASP Agentic Security, NIST CSF 2.0, and CIS Controls.
Hostinger provides KVM-based VPS with hardware-level isolation between users, which is stronger than container-based shared hosting. The DPA's Security Standards appendix documents 'Encrypting Personal Data and sensitive data at rest' and 'PII/SPI minimization in application, debugging and security logs.' The privacy policy confirms GDPR compliance and states data is 'treated as strictly confidential' with access by 'qualified and authorized personnel only.' However, the OpenClaw product page says 'Data privacy & sovereignty' without elaborating on specifics like whether agent conversation logs are accessible to Hostinger support. The DPA explicitly states Hostinger 'shall not process, retain, use, sell, or disclose Customer Data except as necessary to provide Covered Services.' The OpenClaw page itself does not explicitly state that data is not used for AI training.
The OpenClaw security hardening guide specifically addresses prompt injection: 'Treat all external input as untrusted. Wrap untrusted content in explicit untrusted boundaries.' It also recommends enabling sandbox mode: 'Always enable sandbox mode and, if using Docker, disable external network access for sandboxed tasks.' The Docker catalog deployment auto-configures gateway authentication and randomized ports to reduce attack surface. The guide covers blocking dangerous commands and enforcing network isolation via Docker networks. However, these are largely user-responsibility hardening steps rather than platform-enforced protections. KVM virtualization provides hardware-enforced isolation between VPS instances.
The installation documentation shows API keys (Anthropic, OpenAI, Gemini, XAI) are configured as environment variables during deployment, which is better than plaintext config files. The hardening guide states: 'Use environment variables for tokens, API keys, and secrets. Ensure sensitive files have strict permissions.' The installation docs warn: 'Keep your OPENCLAW_GATEWAY_TOKEN and any API credentials secure. Never share these publicly.' The DPA security appendix confirms encryption at rest for sensitive data. However, there is no mention of a dedicated secrets manager, credential rotation mechanism, or credential leak detection in agent outputs.
The security hardening guide addresses least privilege: 'Only enable the MCP tools OpenClaw actually needs. Granting broad or elevated tool access increases risk.' It recommends restricting DM policies and blocking dangerous commands. However, there is no documented hard spending cap, automated behavioral monitoring, or platform-enforced kill switch. These guardrails are described as user responsibilities rather than platform-provided features. The guide mentions 'Limit Tool Permissions' and 'Restrict DM Policies' but provides guidance rather than enforced controls.
Hostinger provides 'Free weekly backups' and manual snapshots across all VPS plans. The technology page mentions 'RAID-10' storage and 'daily or weekly backups.' The VPS page states 'Keep your data safe automatically and use manual snapshots to revert if something goes wrong.' The company has been operating since 2004 with 4M+ customers and FT 1000 recognition for six consecutive years, indicating strong stability. The DPA specifies a 30-day data retention after termination. However, there is no explicit mention of data export capability for OpenClaw configurations specifically, and no documented SLA or uptime guarantee beyond the general claim of '99.99% uptime' on the technology page.
Pricing is clearly displayed: KVM plans from $4.99/mo to $19.99/mo (promotional) with renewal rates shown (e.g., 'Renews at $9.99/mo for 2 years'). A 30-day money-back guarantee is offered. Plans include fixed resources (vCPU, RAM, disk, bandwidth) which limits surprise costs from resource spikes. AI credits via 'Nexos' are pre-purchased through hPanel. However, the page notes 'Prices are listed without VAT' and 'All plans are paid upfront,' which could surprise some users. No documented price change notification policy was found, and there are no hard spending caps mentioned for AI credit consumption.
The Information Security Policy explicitly references ISO/IEC 27001:2022 compliance. The DPA includes a Security Incident notification clause: Hostinger will 'without undue delay notify Customer of the Security Incident.' The security hardening guide recommends 'Enable comprehensive session and action logging to track what OpenClaw executes, when it runs, and who triggered it.' The DPA documents audit rights, breach notification, and security incident procedures. Hostinger is a Lithuania/Cyprus-registered company subject to EU regulations. The DPA lists sub-processors including AWS, Google Cloud, and Cloudflare. However, no specific breach notification timeline (e.g., 72 hours) is defined beyond 'without undue delay,' and the ISO 27001 claim is for the parent company, not OpenClaw specifically.
The DPA's Appendix 3 lists sub-processors: AWS, Google Cloud, Cloudflare, MailChannels, Proofpoint, Anthropic Ireland, and spectra tech UAB. The security hardening guide advises users to 'Only enable the MCP tools OpenClaw actually needs.' The responsible disclosure policy shows active security testing via HackerOne. However, there is no documented SBOM, no explicit dependency scanning or patching policy specific to the OpenClaw Docker image, and no documentation of how the pre-built OpenClaw Docker template is maintained or verified for integrity. The build pipeline security is not addressed.
Hostinger demonstrates strong platform security: KVM virtualization with dedicated IPs, 'Wanguard DDoS filtering,' managed firewall, malware scanner, in-house developed WAF, and 'Tier-3 datacenters.' The technology page mentions 'CloudLinux' with 'LVE containers for account isolation.' The DPA details penetration testing, vulnerability scans, strong authentication, role-based access, centralized audit logs, and physical security measures. A HackerOne bug bounty program pays $100-$25,000 for valid vulnerabilities. The platform uses 'strong cryptographic protocols' for communication. However, no MFA requirement is documented for hPanel access from the pages visited, and there is no mention of SSRF protection or inter-agent communication security.
The security hardening guide mentions defending against prompt injection and treating external input as untrusted, which partially addresses output manipulation. However, there is no documented approval workflow, output verification mechanism, undo/rollback for agent actions, or transparency features about AI uncertainty. The hardening guide places responsibility on the user to configure DM policies and sandbox mode. The Kodee AI assistant disclaimer states 'Kodee can make mistakes. Double-check replies' which shows some acknowledgment of AI fallibility, but no systematic misinformation protection is provided for OpenClaw agents.
Key Features
- ✓ One-click OpenClaw deployment
- ✓ Nexos AI credits included
- ✓ KVM VPS with dedicated resources
- ✓ Full root access
- ✓ AI-powered assistant for setup
- ✓ Extensive documentation and tutorials
Strengths
- + One-click deploy — lowest friction of any VPS option
- + Nexos AI credits included (no API key setup)
- + Massive company with extensive docs and support
- + Very affordable entry point ($5.99/mo promo)
Weaknesses
- − Promo pricing increases on renewal ($8.99-12.99/mo)
- − No messaging integrations pre-configured
- − General VPS provider — OpenClaw is one product among many
Verdict
Best mainstream VPS option for OpenClaw. One-click deploy and included AI credits lower the barrier significantly. Promo pricing is aggressive but renewal is still reasonable.