OpenClaw Security: Built for Enterprise Requirements

Your security team has questions. We have answers. Here's exactly how Pinchy protects your data, your network, and your compliance posture.

🚧 Pinchy is in active development. Features described here represent our roadmap — not current functionality.

Everything runs on your infrastructure. Period.

🏠

Self-Hosted

Pinchy deploys to your servers. Docker, Kubernetes, bare metal. Your infrastructure, your rules, your jurisdiction.

🧩

Plugin Permission Layer

Agents don't get raw tools. They get scoped plugins. A "Create Jira Ticket" plugin with defined parameters and boundaries — not unrestricted shell access. The plugin decides what the agent can do, not the agent itself.

🔒

Network Isolation

Agents run in isolated containers. They only access what you explicitly allow. No lateral movement, no surprise connections.

🔑

Bring Your Own Keys

Your API keys for OpenAI, Anthropic, or Azure stay in your environment. We never see them. We never store them. We don't even know which provider you use.
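
A sketch of what the plugin permission layer described above means in practice, added here as an illustration and not Pinchy's or OpenClaw's own code. All names (ScopedPlugin, invoke, PluginDenied, the project allowlist) are hypothetical, and the handler returns the request it would send instead of calling Jira.

```python
from dataclasses import dataclass
from typing import Any, Callable

class PluginDenied(Exception):
    """Raised when a call falls outside what the plugin or the grant allows."""

@dataclass(frozen=True)
class ScopedPlugin:
    name: str
    params: dict[str, Callable[[Any], bool]]  # parameter name -> validator
    required: frozenset[str]
    handler: Callable[..., dict]

def invoke(grants: set[str], registry: dict[str, ScopedPlugin],
           plugin_name: str, args: dict[str, Any]) -> dict:
    """Run an agent's tool call only if it fits the plugin's declared scope."""
    if plugin_name not in grants or plugin_name not in registry:
        raise PluginDenied(f"plugin not granted: {plugin_name!r}")
    plugin = registry[plugin_name]
    unknown = set(args) - set(plugin.params)
    if unknown:  # the agent cannot add fields the plugin never declared
        raise PluginDenied(f"unknown parameters: {sorted(unknown)}")
    missing = plugin.required - set(args)
    if missing:
        raise PluginDenied(f"missing parameters: {sorted(missing)}")
    for key, value in args.items():
        if not plugin.params[key](value):
            raise PluginDenied(f"parameter out of bounds: {key}")
    return plugin.handler(**args)

# Constructed sample: a ticket plugin limited to two projects (hypothetical values).
ALLOWED_PROJECTS = {"OPS", "HELP"}
PRIORITIES = {"Low", "Medium", "High"}

def _build_ticket(project: str, summary: str, priority: str = "Medium") -> dict:
    # Stand-in for the real Jira call; returns the request it would send.
    return {"project": project, "summary": summary, "priority": priority}

CREATE_JIRA_TICKET = ScopedPlugin(
    name="create_jira_ticket",
    params={
        "project": lambda v: isinstance(v, str) and v in ALLOWED_PROJECTS,
        "summary": lambda v: isinstance(v, str) and 0 < len(v) <= 200,
        "priority": lambda v: isinstance(v, str) and v in PRIORITIES,
    },
    required=frozenset({"project", "summary"}),
    handler=_build_ticket,
)
REGISTRY = {CREATE_JIRA_TICKET.name: CREATE_JIRA_TICKET}
```

The check runs outside the agent: a call naming an ungranted plugin, an undeclared parameter, or a project off the allowlist is refused before any handler executes.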

Where your data goes. And where it doesn't.

1. User sends a message

Via Slack, Teams, or Web UI → your Pinchy Gateway (on your server).

2. Gateway routes to agent

Locally. Same server or same network. No external hop.

3. Agent calls the AI model

This is the only external connection. To your chosen provider. With your API key. Over HTTPS.

4. Response flows back

Model → Agent → Gateway → User. Logged locally. Nothing stored externally.

Want zero external connections? Use a local model (Llama, Mistral). Then nothing leaves your network. Ever.

Compliance checklist. Tick them off.

GDPR

All data processed in your jurisdiction. Data minimization by design. Deletion on request. DPA not needed — you're the controller and processor.

No Telemetry

Zero data sent to us. No analytics, no crash reports, no "anonymous" usage data. We literally don't know you're running Pinchy.

Audit Logging

Every agent action, user login, configuration change. Structured logs. Forward to your SIEM. Retain as long as you need.

RBAC (planned)

Role-based access control. Admin, manager, user roles. Will define who can create agents, who can use them, who can see logs.

Security questions we hear every week.

Does OpenClaw send data to external servers?

No. Pinchy will run entirely on your infrastructure. The only external connection is to your chosen AI model provider. No telemetry, no analytics, no phone-home.

Can I run it air-gapped?

Yes. Pair Pinchy with a local model via Ollama or llama.cpp and you get zero external connections. No internet required. No data leaves the server. For regulated industries — finance, healthcare, public sector — this isn't a nice-to-have. It's a requirement.

How are API keys stored?

In your environment variables or secrets manager. Pinchy reads them at runtime. They never touch our systems. Use Vault, AWS Secrets Manager, or whatever you already use.

Can agents access internal systems?

Only what you explicitly configure. Each agent has a defined set of tools and permissions. Network policies restrict what they can reach.

Can we review the security architecture?

Book a security review call and we'll walk through the architecture, data flows, and compliance posture with your team.

Want to review the security architecture in detail?

Interested in Pinchy? Book a call — let's talk about your security requirements and how Pinchy can help.

Or email us: hey@clemenshelm.com