Privacy-First Architecture

Your Data Stays Yours

ClawMates was designed with one core principle: your conversations are none of our business. We never store, log, or read your message content. Here is exactly how we protect your privacy.

Conversation storage: None
Encryption: TLS 1.3
Container isolation: Per-user
SOC 2 audit: In progress

How We Protect You

🔒 No Conversation Storage

Your messages are never written to disk. Conversations flow directly from Telegram or WhatsApp through your isolated bot container to the AI API — and nowhere else.

Zero-retention architecture by design, not policy.

🔐 Encrypted Transit (TLS 1.3)

Every connection in the stack — device to ClawMates, ClawMates to AI provider — uses TLS 1.3 encryption. Your messages are protected in motion at every hop.

TLS 1.3 enforced on all endpoints. No plaintext paths.

📦 Isolated Containers

Each ClawMates deployment runs in its own container with separate resources, network policies, and credentials. Your bot is completely isolated from every other user.

Container-level isolation. No shared memory or network namespaces.

🗝️ Credential Vault

Your bot tokens and API keys are stored encrypted at rest using AES-256. They are never logged, never transmitted in plaintext, and accessible only to your bot container.

AES-256 encryption at rest for all credentials.

🌍 EU Region Available

For European users and GDPR-conscious businesses, ClawMates offers EU-region deployment. Your bot container runs in Frankfurt, keeping data within EU jurisdiction.

Frankfurt (EU-WEST) region available on all plans.

🛡️ SOC 2 Roadmap

We are pursuing SOC 2 Type II certification, with the audit expected to complete in late 2026. We implement SOC 2 controls now — access control, audit logging, incident response.

SOC 2 Type II audit in progress. ETA: late 2026.

Where Your Data Goes

When you send a message to your AI assistant, here is exactly what happens — and what does not.

1. Your device (not stored by ClawMates)
You type a message in Telegram or WhatsApp

2. Telegram / WhatsApp servers (not stored by ClawMates)
Message travels over the app's encrypted transport

3. Your ClawMates container (not stored by ClawMates)
Isolated container receives the message and forwards it to the AI API — no logging

4. AI provider API (OpenAI / Anthropic / Google) (stored by provider)
The AI model processes your message and returns a response. Subject to the AI provider's own privacy policy.

5. Response back to you (not stored by ClawMates)
The AI's reply travels back through your container to your messaging app

* If you self-host OpenClaw instead of using ClawMates, step 3 runs on your own server — achieving complete third-party-free data flow. See the ClawMates vs self-hosted comparison.

What ClawMates Does Store

We believe in radical transparency. Here is the complete list of data ClawMates stores:

Data | Why | Retention
Account email | Authentication and billing | Until account deletion
Subscription status | Plan management | Until account deletion
Bot token (encrypted) | To run your bot | Until you delete the bot
System prompt | Your assistant's personality | Until you change/delete it
AI model preference | To call the correct API | Until you change it
Message count (not content) | Usage limits and billing | Rolling 90-day window
Error logs (no message content) | Debugging and reliability | 30 days

Conversation content is not in this list — because it is never stored.

Maximum Privacy: Self-Host OpenClaw

For users who require complete data sovereignty — no third-party infrastructure whatsoever — ClawMates also supports a self-hosted path. OpenClaw is fully open-source (MIT license) with 250,000+ GitHub stars. You can deploy it on your own server, in your own cloud account, or even on a local machine.

In a self-hosted setup, the only external network call is to the AI provider API of your choice (OpenAI, Anthropic, Google, or a local model via Ollama). Your messaging data and conversation history stay entirely on your infrastructure.


Security FAQ

Does ClawMates store my conversations?
No. ClawMates never stores or logs the content of your conversations. Messages travel directly between your messaging app (Telegram or WhatsApp) and the AI model API. ClawMates acts as an infrastructure operator, not a data processor for your chats.

Can ClawMates employees read my messages?
No. Because ClawMates does not store conversation content, there is nothing for employees to access. Your messages are never written to disk or any ClawMates-controlled storage system.

Are my messages encrypted in transit?
Yes. All connections between your device, ClawMates's infrastructure, and the AI provider are encrypted with TLS 1.3. Telegram and WhatsApp also apply their own end-to-end or transport encryption at the messaging layer.

Is ClawMates GDPR compliant?
ClawMates's architecture is designed to minimize data processing. We do not store conversation content, which removes the largest GDPR risk. For EU-based users and businesses, we offer EU-region deployment options and can sign a Data Processing Agreement (DPA) on request.

What data does ClawMates actually store?
ClawMates stores your account information (email, plan), your bot configuration (chosen AI model, system prompt, bot token), and aggregate usage metrics (number of messages, not content). Conversation content is never stored.

Is my bot isolated from other users' bots?
Yes. Each ClawMates deployment runs in its own isolated container with separate resources, network policies, and credentials. Your bot cannot access data from any other user's bot, and vice versa.

What happens to my data if I cancel my ClawMates subscription?
When you cancel, your bot is shut down and your configuration data (API keys, system prompt, bot token) is deleted within 30 days. Since conversation content is never stored, there is no conversation history to delete.

Can I self-host OpenClaw instead for maximum privacy?
Yes. OpenClaw is fully open-source and can be self-hosted on your own server for complete data sovereignty. If you need air-gapped deployments or have zero tolerance for third-party infrastructure, self-hosting is the right choice. ClawMates is ideal for users who want strong privacy without the operational overhead of managing servers.

Is ClawMates SOC 2 certified?
ClawMates is currently pursuing SOC 2 Type II certification, with the audit process expected to complete in late 2026. In the meantime, we implement the security controls that SOC 2 requires: access control, audit logging, vulnerability management, and incident response procedures.

Questions About Security?

We take security seriously and are happy to answer any questions about our architecture, data practices, or compliance. Or try ClawMates free — privacy-first, no credit card required.

Responsible disclosure: [email protected]