Security

Security is built into every layer of ClawCloud. Your assistant runs on an isolated server that only you can access.

Infrastructure security

Isolated server

Every ClawCloud user gets their own dedicated cloud server. There is no shared infrastructure — your server is completely isolated from other users.

Firewall

The server firewall is locked down to only three ports:

All other ports are blocked. Internal services (AI gateway, terminal, desktop) are bound to localhost and are not accessible from the internet.

Auto-TLS

All web traffic is encrypted with TLS certificates automatically provisioned by Let's Encrypt via Caddy. No self-signed certificates, no security warnings.

Cookie-based authentication

Access to your server's web interfaces (terminal, remote desktop) requires authentication via short-lived, signed tokens. Sessions use HttpOnly, Secure, SameSite=Strict cookies that expire after 24 hours.

Data privacy

• No conversation logging — ClawCloud does not log or store your messages
• No data collection — We don't collect analytics from your server
• Your data stays on your server — Files, memories, and conversations never leave your isolated server
• Claude OAuth — Your Claude credentials are never stored by ClawCloud. We use OAuth tokens, the same standard used by Google and GitHub

What ClawCloud can access

ClawCloud's backend connects to your server via SSH to:

• Deploy and configure the AI agent during initial setup
• Apply updates if requested
• Restart services if needed

ClawCloud cannot read your conversations, files, or memories. The SSH connection is used only for infrastructure management.

Deleting your data

When you delete your account or your assistant, the cloud server is permanently destroyed along with all data on it. DNS records are automatically cleaned up.