Security
How we protect business data, identity information, and operational records on the OpenClaw to Business platform.
Last updated: 2026-05-06. Security posture is reviewed continuously. Material updates are reflected here and communicated to subscribers.
1. Encryption
1.1 Encryption in transit
All data transmitted between users, the OpenClaw to Business platform, and our sub-processors is protected by TLS (HTTPS). HTTP requests are redirected to HTTPS. Modern TLS versions are required; legacy protocols are disabled.
1.2 Encryption at rest
Sensitive fields are encrypted before storage using industry-standard symmetric encryption. This includes:
- Third-party API keys (OpenAI, Anthropic, Google, Stripe).
- Telegram bot tokens.
- OAuth refresh tokens for Google integrations.
The platform-managed PostgreSQL and Redis databases run on Railway managed infrastructure with at-rest encryption at the storage layer.
1.3 Future enhancements (planned for Business Expense Management launch)
When operational expense card features launch, encryption will be upgraded to:
- Hardware-backed key management (HashiCorp Vault, AWS KMS, or equivalent) appropriate to PCI DSS Level 1 scope.
- Tokenization of all card primary account numbers (PAN) — the platform never stores PAN, only tokens issued by the card processor.
- Independent encryption keys for identity verification data versus operational data.
2. Authentication
- Authentication via Google OAuth — passwords are never handled or stored by OpenClaw to Business.
- Bearer tokens are issued upon successful authentication, alongside HTTP-only cookies and session management.
- Multi-factor authentication is required for sensitive operations on the operational dashboard (when card features launch).
3. Access controls
- Business data is isolated at the database level — each business can only access its own records.
- Internal admin access is restricted to designated platform operators.
- Audit logging captures sensitive operations including admin actions, integrations, and identity verification events.
- Production access requires multi-factor authentication.
4. Hosting and infrastructure
- Application hosting — Railway (US-East). PostgreSQL and Redis on managed Railway clusters. Railway maintains SOC 2 Type II compliance.
- Static site hosting — Cloudflare Pages, with global CDN distribution. Cloudflare maintains SOC 2 Type II and ISO 27001 compliance.
- Messaging infrastructure — Self-hosted Evolution API on Hetzner VPS for WhatsApp messaging.
- Email infrastructure — Zoho Mail (US datacenters) with DKIM and SPF enforced.
- Transactional email — Resend.
5. Compliance posture
- SOC 2 Type I audit — planned for execution before Business Expense Management launch.
- PCI DSS — SAQ A currently applies (Stripe Subscriptions hosted checkout). When card features launch, scope will be reassessed, and we plan to operate under SAQ A by routing PAN handling exclusively to the contracted card processor.
- BSA / AML written compliance program — drafted under outside counsel review for launch of Business Expense Management.
- GDPR / CCPA — Privacy Policy aligned with applicable state and international privacy frameworks. See Privacy Policy.
6. Vendor due diligence
Each sub-processor is contractually bound by a written data processing agreement (DPA) with confidentiality and data protection commitments. Sub-processors with access to identity, business, or financial data are required to maintain SOC 2 Type II compliance or equivalent. See the Sub-Processors page for the complete list.
7. Vulnerability disclosure
If you believe you have discovered a security vulnerability in OpenClaw to Business, please report it responsibly to: [email protected]
Please include:
- A description of the vulnerability and its potential impact.
- Steps to reproduce.
- Your contact information for follow-up.
We commit to acknowledging valid reports within 5 business days and to working with researchers in good faith. We ask researchers to:
- Avoid privacy violations, destruction of data, and disruption to others.
- Avoid testing against production data of other businesses.
- Allow reasonable time for remediation before public disclosure.
8. Breach notification
In the event of a data breach affecting personal information of users, we will:
- Notify affected users within 30 days of discovery, consistent with Florida law.
- Provide a clear description of the nature of the breach and the data involved.
- Explain remediation steps taken and protective steps users can take.
- Notify regulatory authorities as required by applicable law.
Notifications are sent via email to the address associated with the affected account. See Privacy Policy §15 for full details.
9. Operational security
- Production deployment via GitHub Actions with controlled secrets management.
- Code review on all changes touching authentication, payment, encryption, or compliance flows.
- Dependencies monitored for known vulnerabilities; security patches applied promptly.
- Regular review of access controls, audit logs, and infrastructure configurations.
10. Contact
Security questions or vulnerability reports: [email protected]
Privacy inquiries: [email protected]
General inquiries: [email protected]
LPJ SERVICES LLC
6800 NW 39th Ave
Coconut Creek, FL 33073
United States