Security

ClawBase hosts AI agent instances for customers who trust us with their data and credentials. Here's how we protect them.

Your data is isolated

Every customer gets their own dedicated infrastructure. Your agent, data, and configuration are completely separated from every other customer. There is no shared environment — your instance is yours alone.

Your API keys stay yours

ClawBase uses a Bring Your Own Key model. Your AI provider API keys are forwarded directly to your agent instance and stored encrypted. We never log, proxy, or retain your keys — they go straight from your instance to your AI provider.

Encryption everywhere

All traffic is encrypted in transit with TLS. All stored data — your instance volume, our platform database, and backups — is encrypted at rest using industry-standard AES-256 encryption.

We never see your conversations

Your messages flow directly between your agent instance and your chosen AI provider. ClawBase has no access to conversation content. We don't read, store, analyze, or train on your data.

Your data is backed up and portable

Automated daily backups protect your instance data with 7-day retention. Our platform database is backed up separately. If something goes wrong, your data can be recovered. Team owners can also export all team data at any time from team settings as a machine-readable JSON file.

No surprise costs

Flat monthly pricing with no usage-based surcharges, overage fees, or hidden charges. Your bill is exactly what your plan says. AI provider costs are controlled by you through your own API key spending limits.

You're in control

You can pause your agent instantly — the instance stops within seconds while your data is preserved. You can restart it at any time with everything intact.

You can delete your instance permanently whenever you want. When you do, all associated data is removed. We don't hold your data hostage — there are no lock-in periods.

You choose your AI provider, model, system prompt, tools, and channel integrations. ClawBase does not inject hidden instructions, modify your agent's behavior, or add telemetry to your conversations.

How we build securely

Agent instances run in hardened containers with restricted privileges — they cannot escalate permissions or access other parts of the infrastructure. Network policies enforce strict boundaries so instances can only reach the external internet (for AI provider API calls) and nothing else.

Our platform database enforces row-level security on every table, verified by automated tests. All API requests require authentication and are scoped to your team. Even if there were a bug in application logic, the database layer independently enforces data ownership.

All API endpoints are rate-limited to prevent brute force, credential stuffing, and resource exhaustion attacks. Sensitive endpoints like authentication have stricter limits. Every response includes standard rate limit headers so clients can self-regulate.

We support two-factor authentication via authenticator apps (TOTP). You can enable 2FA from your account settings to require a second verification step every time you sign in — even if your email is compromised, your account stays protected.

Our logging pipeline automatically redacts sensitive data — API keys, email addresses, authorization tokens, and other personally identifiable information are stripped before logs are stored. Production instance logs are filtered to exclude verbose output that could contain conversation content. Logs are retained for 30 days and then permanently deleted.
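A minimal sketch of redaction applied at the logging layer before records are stored. This is an added example, not ClawBase's or OpenClaw's code. The regex patterns, the `sk-` key format, and the names `redact`, `RedactingFilter` and `demo` are assumptions for illustration.

```python
import logging
import re

# Assumed patterns for illustration; order matters (specific before generic).
REDACTIONS = [
    # Authorization headers: keep the scheme, drop the credential.
    (re.compile(r"\b(authorization\s*[:=]\s*)(bearer|basic)\s+[A-Za-z0-9._~+/=-]+", re.I),
     r"\1\2 [REDACTED_TOKEN]"),
    # Provider-style keys with an "sk-" prefix (constructed format).
    (re.compile(r"\bsk-[A-Za-z0-9_-]{16,}"), "[REDACTED_API_KEY]"),
    # key=value style secrets.
    (re.compile(r"\b(api[_-]?key|token|secret|password)(\s*[:=]\s*)[^\s,;&\"']+", re.I),
     r"\1\2[REDACTED]"),
    # Email addresses.
    (re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"), "[REDACTED_EMAIL]"),
]


def redact(text: str) -> str:
    for pattern, replacement in REDACTIONS:
        text = pattern.sub(replacement, text)
    return text


class RedactingFilter(logging.Filter):
    """Scrub the fully formatted message so secrets passed as %-args are caught."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = None  # args are already merged into msg
        return True


def demo() -> list:
    captured = []

    class ListHandler(logging.Handler):
        def emit(self, record):
            captured.append(self.format(record))

    handler = ListHandler()
    handler.addFilter(RedactingFilter())  # on the handler: runs right before storage
    log = logging.getLogger("redaction_demo")
    log.handlers, log.propagate = [handler], False
    log.setLevel(logging.INFO)
    # Constructed sample events.
    log.info("login ok for %s", "alice@example.com")
    log.info("upstream call Authorization: Bearer eyJhbGciOi.abc123.sig")
    log.info("key sk-test_0123456789abcdefXYZ loaded, api_key=%s", "hunter2hunter2")
    return captured
```

Exception tracebacks and structured `extra` fields do not pass through `getMessage()`, so they bypass this filter and need their own scrubbing.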

Gateway tokens that authenticate access to your agent are automatically rotated every 90 days. You can also rotate a token manually at any time from the agent detail page if you suspect it may have been compromised.

Infrastructure is managed as code with automated certificate renewal. Secrets are never stored in source control.

Always-on protection

Your agents are monitored around the clock. If something goes wrong — whether it's a malfunction, a compromised instance, or unusual activity — our systems detect it and contain it automatically, typically within minutes.

When we step in, we stop the affected agent but never touch your data. Everything is preserved exactly as it was. You'll receive a notification explaining what happened, and our team is ready to help you get back up and running.

If a security incident ever affects your account, we'll notify you within 72 hours with clear information about what happened, what we're doing about it, and what steps (if any) you should take.

Open-source transparency

ClawBase runs OpenClaw, an open-source AI agent platform. You can read every line of code that runs your agent, inspect how prompts are constructed, verify how tools are sandboxed, and confirm how data flows through the system. No black boxes.

Reporting security issues

If you discover a security vulnerability, please report it to support@clawbase.ai. We take all reports seriously and will respond promptly.

For security teams and evaluators

If you're evaluating ClawBase for your organization and need more technical detail about our security architecture, infrastructure controls, and compliance posture, see our technical security overview.
