Security at OpenClaw Direct

Last updated: May 2026

We take the security of Customer Content and Customer credentials seriously. This page documents the current security posture of the OpenClaw Direct service operated by Driven Success LLC. It is intended to be an honest description of what we do today, not an aspirational marketing statement. Where a control is in progress or not yet in place, we say so.

Infrastructure

The OpenClaw Direct service runs on a managed Kubernetes cluster in a single United States region (cloud provider TBD). Each Customer's Machine Instances run in isolated Kubernetes namespaces, with no shared compute between Customers.

  • Dedicated memory per Plan tier: 2 GB (Basic), 4 GB (Advanced), 8 GB (Turbo).
  • Namespace-level network and resource isolation between Customers.
  • Workloads are orchestrated and updated via declarative Kubernetes manifests.

Data encryption

Data is protected in transit and at rest:

  • In transit: TLS 1.2 or higher for all connections to the OpenClaw Direct service.
  • At rest: AES-256 encryption for stored data, including PostgreSQL volume encryption.
  • Application secrets: managed through Rails encrypted credentials and not stored in plaintext in the repository or container images.

Customer API key (BYOK) storage

Customers bring their own API keys for foundation-model providers and messaging channels. These BYOK credentials are treated as sensitive secrets:

  • Encrypted at rest using application-layer encryption.
  • Decrypted only in memory at the moment a model-provider API call is made.
  • Never logged, never written to disk in plaintext, and not exposed in our admin tooling.

Access controls

Engineering access to production systems is restricted and audited:

  • Production server access is via SSH keys with 2FA required on the bastion path.
  • Least-privilege access: engineers receive only the access necessary for their role.
  • Production access events are logged for review.
  • Customer accounts are protected by Devise-backed password authentication, with optional 2FA where available.

Vulnerability disclosure

We welcome responsible security research. To report a suspected vulnerability, email security@openclaw.direct with a clear description and reproduction steps.

  • We will acknowledge your report within 5 business days.
  • Researchers acting in good faith and following standard responsible-disclosure norms - no exploitation beyond what is necessary to demonstrate the issue, no data exfiltration, and scope limited to the OpenClaw Direct service - will not be pursued legally by Driven Success LLC.
  • We do not currently operate a public bug-bounty program.

Incident response

If we confirm a security incident that affects Customer data, we will notify affected Customers without undue delay, with a target of 72 hours from confirmation, in line with our Data Processing Addendum.

  • Live service status is published at status.openclaw.direct.
  • For material incidents, we publish a post-mortem describing impact, root cause, and remediation.

Certifications and compliance status

We aim to be precise about our current compliance posture rather than overstate it:

  • SOC 2: We are evaluating SOC 2 Type I readiness; an audit engagement has not yet commenced. We are not SOC 2 certified.
  • ISO 27001: We are not pursuing ISO 27001 certification at this time.
  • GDPR: Driven Success LLC acts as a Processor when a Customer is the Controller of personal data of individuals in the EU or UK. See our Data Processing Addendum for details.

Security contact

For security reports, vulnerability disclosure, or questions about this page, contact security@openclaw.direct. For privacy and data-protection questions, contact privacy@openclaw.direct.