ClawSoulsClawSouls

SECURITY

Your data, your control

ClawSouls Hosting is built on isolation, encryption, and transparency. We can't see your conversations — by design.

🔒

Isolated by Default

Every customer gets a dedicated microVM with hardware-level isolation (Firecracker/KVM). No shared compute, no shared storage, no noisy neighbors.

🔐

Encrypted at Rest

API keys are encrypted with AES-256-GCM before storage. Decrypted only in memory, never logged. Database encrypted at rest with TLS enforced for all connections.

🔑

Bring Your Own Key

Your LLM API keys, your traffic. We never proxy, inspect, or log your AI conversations. Zero token markup — you pay your LLM provider directly.

🛡️

Authentication

OAuth 2.0 via GitHub and Google. Each instance receives a unique 256-bit machine token. All API routes verify session + ownership.

🦞

Open Source

The entire runtime (SoulClaw) is MIT-licensed and publicly auditable. No proprietary binaries. Self-host for free, or let us handle the infra.

📦

Data Portability

Export your complete workspace anytime. Import to restore. Delete to permanently erase — all data destroyed immediately, no retention period.

What we can — and can't — see

DataVisible to us?
Instance metadata (name, plan, region)🔓
API keys (encrypted ciphertext)(encrypted)🔓
LLM model selection🔓
Conversation content🚫
LLM API traffic🚫
Decrypted API keys🚫

Infrastructure

Compute isolation — Each instance runs in a dedicated Firecracker microVM with KVM hardware isolation. One customer's instance cannot affect another.

Dedicated storage — Persistent volumes are per-instance (1–10 GB). Not shared between users.

Transit encryption — All external traffic over TLS 1.2+. Internal traffic encrypted via WireGuard mesh.

Payment security — PCI DSS compliant processor. We never handle credit card numbers. Webhook signatures verified with HMAC-SHA256.

Deletion & Data Retention

When you delete an instance, everything is destroyed immediately:

  • Compute terminated
  • Persistent storage wiped
  • Networking removed
  • Database records hard-deleted
  • Encrypted API keys deleted

No retention period. No backups of deleted data. No recovery after deletion.

Questions?

For detailed security inquiries, enterprise assessments, or to report a vulnerability:

Contact Security Team

Full security whitepaper available upon request for enterprise customers.