Skip to content
Transparency

Compliance & subprocessors

We do not yet hold our own SOC 2 audit. We are honest about that. What we DO hold is a small, audited supply chain — Cloudflare and Hetzner are both SOC 2 Type II + ISO 27001 + GDPR. Your data inherits those certifications.

Inherited certifications across our supply chain

SOC 2 Type II ISO 27001 GDPR PCI DSS Level 1 ISO 27017 / 27018 Our own SOC 2: not yet

Inherited via Cloudflare, Hetzner, Google, Stripe, WorkOS. Click any subprocessor below to read their auditor reports directly.

What we do NOT have

  • Our own SOC 2 Type II audit — not engaged with auditors yet
  • Our own HIPAA BAA — we do not sign BAAs and are not HIPAA-covered
  • Our own ISO 27001 certificate — not pursued at MVP stage
  • Independently audited penetration test — planned but not done

What we DO have

  • Per-tenant Docker container with dedicated named volumes — never shared filesystem
  • Cloudflare + Hetzner certifications inherited by your data
  • Region pinning: your data physically stays in Singapore, EU, or US per your choice
  • TLS 1.2+ everywhere via Cloudflare Universal SSL (LetsEncrypt + Google Trust Services)
  • LUKS-encrypted disk on the underlying Hetzner volume (encryption at rest)
  • BYOK keys envelope-encrypted at rest, injected at boot, never logged
  • Structured audit logs at the API layer — you can export
  • GDPR-compliant DPA available, published privacy policy

Subprocessors

Every third-party that ever touches your data, what they touch, where they store it, and which audits they carry.

Cloudflare

Edge + DNS + Workers + D1 + KV + R2

Provider trust page
Purpose
Edge proxy, DNS, TLS termination, DDoS protection, Workers, D1, KV, R2
Data touched
Encrypted HTTP traffic, terminal WebSocket frames, control-plane API calls
Region
Global edge (300+ PoPs)
SOC 2 Type II ISO 27001 ISO 27018 PCI DSS GDPR HIPAA (Enterprise plan)
HETZNER

Hetzner Cloud

Compute (Singapore / EU / US) + volumes

Provider trust page
Purpose
Compute infrastructure (cpx tier per plan), persistent volumes, backups
Data touched
Your container filesystem, RAM, BYOK keys at rest, all workspace state
Region
Singapore (SIN), Falkenstein (DE), Helsinki (FI), Ashburn (US)
SOC 2 Type II ISO 27001 ISO 9001 GDPR TÜV Süd-certified data centers
Google

Google (OAuth)

OAuth IDP — sign-in only

Provider trust page
Purpose
Sign-in — we receive your email + name only, never your Google password
Data touched
OAuth token, email address, display name
Region
Global (Google policy)
SOC 2 Type II ISO 27001 ISO 27017 ISO 27018 GDPR
Stripe

Stripe

Payments + billing + tax

Provider trust page
Purpose
Payment processing, billing meters for AI Credits, tax (Stripe Tax)
Data touched
Card token (we never see card numbers), billing address, invoice metadata
Region
Stripe global (PCI DSS scope)
SOC 1 Type II SOC 2 Type II PCI DSS Level 1 ISO 27001 GDPR
WorkOS

WorkOS

SSO / SAML / SCIM (ULTRA tier)

Provider trust page
Purpose
SSO / SAML / SCIM for ULTRA tier (optional)
Data touched
Identity provider metadata, SAML assertions, SCIM directory sync
Region
US-East (WorkOS infrastructure)
SOC 2 Type II ISO 27001 GDPR HIPAA
Anthropic+ OpenAI + Gemini

Anthropic, OpenAI, Google Gemini

LLM inference (vendor-direct, BYOK)

Provider trust page
Purpose
LLM inference — only when you BYOK or use AI Credits pool. Each call goes vendor-direct.
Data touched
Prompt + response text per call. We never proxy or log LLM payloads.
Region
Vendor-managed
SOC 2 Type II (each) ISO 27001 (each) GDPR (each)

We commit to 14-day advance notice before adding or changing a subprocessor. Subscribe to the changelog at github.com/cloudscode.

How your data flows

Plain-English path from your browser to your container.

Ingress (your traffic in)

  1. 1 Browser — you, on your device
  2. 2 Cloudflare edge — nearest PoP, terminates TLS, runs DDoS protection
  3. 3 Cloudflare Workers — routes API calls, enforces auth
  4. 4 Hetzner Cloud (your region) — control-plane D1, then your dedicated container

Storage (where data sits)

  1. 1 Cloudflare D1 — tenant metadata (subdomain, plan, user ID), region-local
  2. 2 Cloudflare KV — ephemeral session data, edge-cached
  3. 3 Cloudflare R2 — backup tarballs, region-pinned
  4. 4 Hetzner volume — your container filesystem, dedicated to your tenant only

Per-tenant isolation

Every tenant gets a dedicated Docker container (named cloudscode-openclaw-<your-subdomain>) on a Hetzner cpx node sized for your plan. Your container has its own named volumes (openclaw-data, openclaw-config) that no other tenant can mount, read, or list. Memory and CPU are isolated by Docker cgroups; disk is isolated by per-tenant volume.

MAX and ULTRA add gVisor — a kernel-syscall sandbox — on top of Docker isolation. ULTRA gives you a single-tenant dedicated node, so even the host kernel is yours alone.

BYOK keys (Anthropic, OpenAI, Google) are envelope-encrypted at rest in our control-plane and only injected as environment variables when your container boots. They never hit shared filesystem, never appear in logs, never leave your container.

Need a DPA, custom data-residency, or compliance questions?

Email hello@cloudscode.com — we will answer with specifics, not boilerplate.

Get started Security FAQ