Technical Security Overview

Last Updated: February 26, 2026

This document is intended for security teams, auditors, and evaluators conducting vendor assessments. It describes ClawBase's security architecture at a level sufficient for evaluation without exposing specific configuration values.

If you need additional detail for a formal assessment (SOC 2 questionnaire, pentest scope, configuration evidence), contact us at support@clawbase.ai.

1. Data Isolation & Privacy

Per-Customer Infrastructure Isolation

Each customer receives a dedicated set of Kubernetes resources — there is no multi-tenant container sharing. Every instance gets its own deployment, service, persistent volume, configuration, secrets, and ingress route. Production workloads are namespace-isolated from development environments.

Network Isolation

Kubernetes NetworkPolicy enforces strict per-pod boundaries:

  • Ingress: Only the agent control port is reachable from the gateway — no direct access to internal services
  • Egress: DNS resolution and external HTTPS/HTTP only (for AI provider API calls)
  • Blocked: All cluster-internal and private network ranges — pods cannot communicate with each other, reach internal services, or access cloud metadata endpoints
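The rules above (and the SSRF protection in Section 9, which relies on the same policy) map onto a single per-instance NetworkPolicy. The manifest below is an added illustration, not ClawBase's own configuration; the policy name, pod and gateway labels, the gateway namespace, and the control port number are assumptions.

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: agent-instance-isolation   # assumed name; apply in the instance namespace
spec:
  podSelector:
    matchLabels:
      app: openclaw-agent          # assumed label on the agent pod
  policyTypes: [Ingress, Egress]
  ingress:
    # Only gateway pods may reach the agent control port; nothing else is admitted.
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: gateway   # assumed gateway namespace
          podSelector:
            matchLabels:
              app: gateway                           # assumed gateway label
      ports:
        - {protocol: TCP, port: 8080}                # assumed control port
  egress:
    # DNS only, and only to the cluster resolver (k8s-app: kube-dns is CoreDNS's upstream label).
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - {protocol: UDP, port: 53}
        - {protocol: TCP, port: 53}
    # HTTPS/HTTP to the public internet only. Private ranges and the link-local
    # range (which hosts cloud metadata at 169.254.169.254) are carved out, so
    # pods cannot reach each other, cluster services, or the metadata endpoint.
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
            except:
              - 10.0.0.0/8
              - 172.16.0.0/12
              - 192.168.0.0/16
              - 169.254.0.0/16
      ports:
        - {protocol: TCP, port: 443}
        - {protocol: TCP, port: 80}
```

Pod-to-pod and pod-to-service traffic is blocked only because the cluster's pod and service CIDRs fall inside the listed private ranges, so verify yours do, and add an explicit `except` entry for the Kubernetes API server if it is exposed on a public address. The rule is IPv4-only; a dual-stack cluster needs a matching `::/0` block with the IPv6 private and link-local ranges excepted.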

Database Row-Level Security

The platform database uses PostgreSQL Row-Level Security (RLS) on all public tables. Dangerous privileges have been revoked from client-facing database roles. An automated test suite verifies RLS is active and correctly configured on every table after each migration.

Encryption

  • At rest: Instance volumes, platform database, backups, and all stored secrets (gateway tokens, credential references) are encrypted at rest using AES-256 with provider-managed keys. Our infrastructure provider's encryption controls are covered under a SOC 2 Type 2 audit
  • In transit: All endpoints served over TLS with automatically renewed certificates. HTTP is redirected to HTTPS at the gateway. All internal control plane traffic is also secured by TLS

No Data Access or Training

Conversations flow directly between the customer's agent instance and their chosen AI provider. ClawBase has no access to conversation content and does not use customer data for any purpose beyond providing the service.

2. Agent Containment

Container Security Context

Each agent instance runs in a hardened container environment:

  • Non-root execution enforced at the pod level
  • Privilege escalation disabled
  • Dedicated filesystem group for volume access
  • Network sandboxing via NetworkPolicy (see Section 1)

Instruction/Data Separation

OpenClaw separates system instructions from external data (user messages, tool outputs) at the prompt level. System prompts are configured by the instance owner and are not modifiable by end-user messages. As an open-source project, this behavior is auditable in the OpenClaw repository.

3. Credential Management

Secret Storage

All sensitive values (gateway tokens, API key references, internal credentials) are stored as encrypted secrets and injected into containers via environment variable references. No credentials are stored in plaintext in configuration, manifests, or images. The underlying secret store is encrypted at rest with provider-managed keys.

Bring Your Own Key (BYOK) Architecture

AI provider API keys are forwarded to the customer's agent instance at configuration time and stored in a per-instance encrypted secret. ClawBase does not retain, log, or proxy API keys — they flow directly from the instance to the AI provider.

Credential Lifecycle

Gateway tokens have a 90-day TTL and are automatically rotated before expiration. Tokens can also be manually rotated at any time if compromise is suspected. Rotation atomically replaces the stored secret and restarts the instance — there is no window where both old and new tokens are valid.

Infrastructure Secrets

Infrastructure secrets are managed through infrastructure-as-code tooling with sensitive value masking in logs and plan output. Production secrets are stored in environment-scoped platform variables or Kubernetes Secrets — never committed to source control.

4. Agent Authorization & Control

Resource Limits

Every instance has enforced CPU, memory, and storage limits at the container level. Containers exceeding memory limits are terminated; CPU is throttled at the limit. Network egress is restricted by NetworkPolicy.
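The following Deployment is an added illustration, not ClawBase's manifest, of how the container security context in Section 2, the secret-reference injection in Section 3, and the resource limits described here fit together in one per-instance workload. The resource names, labels, UID/GID, image reference, environment variable name, and port are all assumptions.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: agent-instance-example      # assumed name
spec:
  replicas: 1
  selector:
    matchLabels:
      app: openclaw-agent           # assumed label; matches the NetworkPolicy selector
  template:
    metadata:
      labels:
        app: openclaw-agent
    spec:
      # Pod-level context: non-root is enforced for every container, and a
      # dedicated group owns files on the mounted volume.
      securityContext:
        runAsNonRoot: true
        runAsUser: 10001            # assumed UID; must match the image's user
        fsGroup: 10001              # assumed GID; volume files are chowned to this group
      containers:
        - name: openclaw
          image: ghcr.io/example/openclaw:PLACEHOLDER   # placeholder, not the real image
          securityContext:
            allowPrivilegeEscalation: false   # no setuid or capability gain inside the container
          env:
            # The secret is referenced, never written into the manifest or image.
            - name: OPENCLAW_GATEWAY_TOKEN    # assumed variable name
              valueFrom:
                secretKeyRef:
                  name: agent-instance-secrets   # assumed Secret name
                  key: gateway-token             # assumed key
          resources:
            requests:
              cpu: "500m"
              memory: "1Gi"
            limits:
              cpu: "1"                # CPU is throttled at this limit
              memory: "2Gi"           # container is OOM-killed above this
              ephemeral-storage: "1Gi"
          ports:
            - containerPort: 8080     # assumed control port
          volumeMounts:
            - name: data
              mountPath: /data
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: agent-instance-data    # assumed per-instance PVC
```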

Instance Lifecycle Controls

  • Pause: Immediately stops the instance while preserving all data
  • Resume: Restarts with data intact
  • Restart: Recreates the runtime environment
  • Delete: Permanently removes all associated resources and data

Kill switch: The pause function acts as an immediate kill switch — the instance is terminated within seconds, stopping all agent activity while preserving data for investigation.

OpenClaw Built-In Controls

OpenClaw provides human-in-the-loop gates for high-risk operations, tool permission management, and configurable agent behavior boundaries. These controls are auditable in the open-source repository.

5. Backup & Data Durability

Automated Backups

Instance data is backed up daily with 7-day rolling retention. Backups include both Kubernetes resources and persistent volume snapshots, stored in encrypted, S3-compatible object storage in a separate region.

Platform Database Backups

The platform database (accounts, subscriptions, configurations) is backed up nightly with 7-day retention by the managed database provider.

Data Lifecycle

After cancellation, instance data is deleted within 30 days. Backups containing customer data expire within the 7-day retention window. See our Privacy Policy — Data Retention for full details.

6. Pricing & Spending Controls

Flat monthly subscription pricing with no usage-based surcharges. AI provider costs are controlled directly by the customer through their own API key spending limits. Price changes require 30-day advance notice. See Pricing and Terms of Service.

7. Audit Logging & Accountability

Centralized Logging

All container logs from every pod are collected by a DaemonSet agent and shipped to a centralized log aggregation system. This includes instance lifecycle events, errors, and infrastructure events.

Metrics & Monitoring

Cluster health, resource utilization, and instance status are monitored with time-series metrics, dashboards, and automated alerting on infrastructure anomalies.

Incident Response

Security incidents are triaged with access to centralized logs, metrics, and the ability to immediately pause or delete affected instances. We commit to notifying affected customers within 72 hours of confirming a data breach, in compliance with GDPR Art. 33. Report security concerns to support@clawbase.ai.

8. Supply Chain Security

Open-Source Agent Runtime

ClawBase runs OpenClaw, an open-source AI agent platform. The container image is publicly available for inspection — Dockerfile, dependencies, and runtime behavior can be independently verified.

Infrastructure as Code

All cluster infrastructure is defined declaratively. Helm chart versions are pinned to prevent drift. The OpenClaw container image tracks the latest tagged release to ensure timely security and bug fixes, with a controlled upgrade strategy planned for staged rollouts.

AI Provider Data Policies

ClawBase supports major AI providers (Anthropic, OpenAI, Google, OpenRouter). When using API keys, most providers do not train on API traffic. Customers retain full control over provider and model selection.

9. Platform Security

Authentication

Passwordless authentication via magic link (OTP). No passwords are stored or transmitted. The API server validates Bearer tokens on every request via dedicated authentication middleware.

TLS

All endpoints are served over TLS with automatically renewed certificates. HTTP traffic is redirected to HTTPS at the gateway level.

Server-Side Access Control

All data access flows through an API server with authenticated, team-scoped routes. Combined with PostgreSQL RLS, this provides defense-in-depth — even if application logic has a bug, the database layer enforces row-level ownership.

SQL Injection Prevention

The platform uses a type-safe ORM with parameterized queries throughout. There is no raw SQL string concatenation in the codebase.

SSRF Protection

NetworkPolicy blocks all access to cluster-internal and private network ranges, including cloud metadata endpoints. Agent containers cannot reach the Kubernetes API server, cloud metadata service, or internal infrastructure.

10. Trust & Transparency

Open-Source Transparency

OpenClaw is open source. Customers can audit the code that runs their agent, inspect prompt construction, verify tool sandboxing, and confirm data flow. No black boxes.

Instance Ownership

Customers have full control over AI provider, model, system prompt, tools, and channel integrations. ClawBase does not inject hidden instructions, modify agent behavior, or add telemetry to conversations.

No Lock-In

Instances can be paused, restarted, or permanently deleted at any time. There are no lock-in periods. On cancellation, data is deleted — not retained.

Methodology

This document is structured around 10 risk categories grounded in three OWASP frameworks: the OWASP Top 10 for Agentic Applications (2026), OWASP Top 10 for Web Applications (2021), and OWASP Top 10 for LLM Applications (2025).

For detailed evidence, configuration samples, or formal security questionnaire responses, contact support@clawbase.ai.