Subprocessors
Last updated: May 2026
Driven Success LLC, doing business as OpenClaw Direct (openclaw.direct), engages a limited set of third-party service providers to operate the Service. These providers may process Customer Content on our behalf and act as subprocessors within the meaning of Article 28 of the EU General Data Protection Regulation (GDPR) and analogous obligations under the UK GDPR, Swiss FDPIC, and U.S. state privacy laws.
This page is incorporated by reference into our Data Processing Agreement and §14 (Data Protection) of our Terms of Service. Each subprocessor below is bound by contractual obligations consistent with Article 28(3) and, where personal data is transferred from the EEA, the United Kingdom, or Switzerland to the United States, the EU Standard Contractual Clauses (Commission Decision 2021/914), the UK International Data Transfer Addendum, or the Swiss FDPIC equivalent.
Infrastructure and Hosting
The Service runs as managed Kubernetes workloads in a single U.S.-region cluster operated by a U.S.-based managed-Kubernetes infrastructure provider. The provider supplies compute, storage, networking, and infrastructure-level backups used to run Customer Machine Instances and store associated data at rest.
The specific provider's identity is treated as a confidential aspect of our security posture and is disclosed under NDA on request from prospective and current Customers; email security@openclaw.direct to obtain it.
Customer Content stored within Machine Instances and associated databases is encrypted at rest and isolated at the network level between tenants.
Payments
We use Stripe to process subscription payments, one-time purchases, and Credit top-ups via Stripe PaymentIntents and Stripe Subscriptions. Card data is collected directly by Stripe through PCI-DSS compliant interfaces and is not stored on our infrastructure.
- Stripe, Inc. — United States — payment processing for non-EU Customers.
- Stripe Payments Europe, Ltd. — Ireland — payment processing for Customers located in the European Economic Area, the United Kingdom, and Switzerland. For these Customers, Stripe Payments Europe Ltd. acts as an independent controller for payment data as described in Stripe's Privacy Policy.
AI Model Providers
Machine Instances connect to foundation-model providers to generate completions and tool calls. When the Customer operates in Credits mode, OpenClaw Direct holds the provider relationship and routes inference requests on the Customer's behalf. When the Customer operates in BYOK (Bring Your Own Key) mode, the Customer maintains a direct relationship with the provider and is the controller for that API-key relationship; we transmit prompts and receive outputs but do not retain the provider account.
- Anthropic, PBC — United States — model inference via the Claude API.
- OpenAI, L.L.C. and OpenAI Ireland, Ltd. — United States and Ireland — model inference via the OpenAI API.
Both providers are contractually committed not to train their foundation models on API inputs or outputs by default.
Transactional and Marketing Email
We use Amazon Web Services to deliver transactional email (account verification, password resets, billing receipts, security notices) and opt-in marketing email.
- Amazon Web Services, Inc. (Simple Email Service,
email-smtp.us-east-1.amazonaws.com) — United States — outbound email delivery.
Email metadata (recipient address, delivery status, bounce and complaint events) is processed to operate the email channel and maintain sender reputation.
Web Analytics
On marketing and public-facing pages of openclaw.direct we use Google Tag Manager and Google Analytics 4 to measure aggregate site usage. These tags load only after the visitor grants consent through our cookie banner, in line with the EU ePrivacy Directive and applicable U.S. state privacy laws.
- Google LLC — United States — Google Tag Manager and Google Analytics 4, gated by visitor consent.
No analytics tags are loaded inside the authenticated Customer portal or within Machine Instances.
Notifications of Changes
We maintain this page as the authoritative public list of subprocessors. Updates — including the addition of a new subprocessor, the removal of an existing one, or a material change to a subprocessor's role or processing location — will be posted here and announced by email to the address on file for the Customer's account at least 14 days before the change goes live.
We do not yet operate a subscription mailing-list dedicated to subprocessor updates. The static list published on this page, combined with email notice to each Customer's account address, satisfies the minimum notice requirements of GDPR Article 28(2) and is sufficient under our Data Processing Agreement.
Objections and Contact
If a Customer reasonably objects to a proposed new subprocessor on data-protection grounds, the Customer may notify us within the 14-day notice window. We will work in good faith to address the objection; if no resolution is reached, the Customer may terminate the affected subscription as described in §14 of the Terms of Service and our Data Processing Agreement.
Contact for subprocessor objections and data-protection inquiries: privacy@openclaw.direct. Security disclosures: security@openclaw.direct.