Built for people who care where their data lives.
We don't ask for blind trust. Here's exactly how your data is protected, who processes it, and what we do when something goes wrong.
Encryption everywhere
TLS 1.3 for every connection. Data at rest encrypted at the volume level. Secrets encrypted with libsodium (pgsodium) before storage.
Isolated by default
Every customer runs on a dedicated VM — never a shared container, never a shared kernel. Your data cannot touch another customer's data by design.
Backups off-cloud
Nightly encrypted backups land on Cloudflare R2 — a different cloud vendor than your VM. Cross-provider redundancy isn't a buzzword here.
We don't read your data
Your conversations, memory files, and skills stay on your VM. We see metadata (uptime, CPU %, plan) — never content.
You own the keys
LLM API keys go directly to your VM's OpenClaw config. You can store them server-side (encrypted) or inject them via web terminal — your call.
Network hardened
UFW firewall default-deny, fail2ban on SSH, DDoS protection via Cloudflare edge, Let's Encrypt TLS with auto-renewal.
Who we work with.
GDPR Article 28 requires us to disclose every vendor that processes your data. Here's the full list — updated whenever it changes.
Changes to this list are posted 30 days in advance. Email security@nacre.sh to receive change notifications.
When things go wrong.
Every cloud provider fails eventually. Here's what happens when ours does.
Single VM crash or data corruption
Automatic detection via heartbeat. Restore /data from last nightly R2 backup to a fresh VM. Customer sees ~5 min of downtime, max 24 hours of data loss.
Regional outage (1 DC, hours)
Status page banner goes up immediately. VMs remain intact; wait for recovery. Affected customers can request a migration to another region from their dashboard.
Primary provider account issue
Documented runbook: restore encrypted backups from Cloudflare R2 to a pre-configured secondary provider. Email every affected customer with honest updates every 4 hours until resolved.
Multiple providers down simultaneously
If both our VM provider AND Cloudflare fail at once, we publish status via Twitter/Mastodon and email (not from our domain). This scenario has never happened in cloud history — but we're ready with the runbook.
DR drill: every 90 days
We run a live migration drill on a canary customer every quarter — restoring from R2 to an alternate provider, verifying integrity, then moving back. The runbook has to work on a calm Tuesday, not just on an outage day.
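The "verifying integrity" step of that drill, written out as an added example that is not nacre.sh's own tooling: it assumes the backup is a gzip tarball of /data with a sidecar SHA-256 manifest (an assumed format), and uses the page's 24-hour worst-case data loss as the freshness bound, so a nightly job that silently stopped is caught before a restore is attempted.

```python
import hashlib
import io
import os
import tarfile
import tempfile
import time
RPO_HOURS = 24  # the page's stated worst case: at most 24 hours of data loss

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def verify_backup(tar_path, manifest_path):
    """Return a list of problems; an empty list means the backup is restorable."""
    problems = []
    with open(manifest_path) as f:  # sidecar "<sha256>  <filename>" (assumed format)
        expected = f.read().split()[0]
    if sha256_file(tar_path) != expected:  # integrity: tampered or truncated upload
        problems.append("checksum mismatch")
    age_h = (time.time() - os.path.getmtime(tar_path)) / 3600
    if age_h > RPO_HOURS:  # freshness: catches a nightly job that silently stopped
        problems.append(f"backup is {age_h:.1f}h old, exceeds {RPO_HOURS}h RPO")
    try:
        with tarfile.open(tar_path, "r:gz") as tar:
            names = tar.getnames()
        if not any(n.startswith("data/") for n in names):  # completeness: /data tree present
            problems.append("archive has no data/ entries")
    except (tarfile.TarError, OSError) as e:
        problems.append(f"archive unreadable: {e}")
    return problems

def make_sample_backup(workdir, age_seconds=0, manifest_hash=None):
    # Constructed sample: a tiny data/ tree archived with its sidecar manifest.
    tar_path = os.path.join(workdir, "backup.tar.gz")
    with tarfile.open(tar_path, "w:gz") as tar:
        payload = b"sample conversation log\n"
        info = tarfile.TarInfo("data/memory/notes.md")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    os.utime(tar_path, (time.time() - age_seconds,) * 2)  # backdate to simulate staleness
    manifest_path = tar_path + ".sha256"
    with open(manifest_path, "w") as f:
        f.write(f"{manifest_hash or sha256_file(tar_path)}  backup.tar.gz\n")
    return tar_path, manifest_path

def drill():
    # Three drill cases: healthy, stale (30 h old), and a manifest that no longer matches.
    with tempfile.TemporaryDirectory() as d:
        healthy = verify_backup(*make_sample_backup(d))
        stale = verify_backup(*make_sample_backup(d, age_seconds=30 * 3600))
        tampered = verify_backup(*make_sample_backup(d, manifest_hash="0" * 64))
    return healthy, stale, tampered
```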
What we have. What we're building.
We don't claim certifications we don't have. Here's the honest state.
GDPR DPA
Sign a Data Processing Agreement (DPA) directly from your dashboard under Settings → Compliance. EU Standard Contractual Clauses included.
Sub-processor transparency
Full list on this page, plus 30-day advance notice of changes via email subscription.
SOC 2 Type I
Audit scheduled for Q3 2026. Policies and controls implemented; evidence collection in progress.
HIPAA BAA (Enterprise)
Available on Enterprise plans once we reach the customer threshold for annual audit costs. Contact sales to discuss.
Data export on demand
Download your full /data directory as an encrypted tarball anytime from Settings → Export. No questions asked, no waiting period.
Right to be forgotten
The delete-account flow permanently removes all data after a 90-day retention grace period (per our ToS). No dark patterns.
Found a vulnerability?
We run a good-faith responsible disclosure program. Email security@nacre.sh with findings. We respond within 24 hours, patch within 7 days for critical issues, and credit researchers publicly (if they want).