Security FAQ

Common questions about how Talk To My Agent protects your calls, keys, and data.

01. Where does Talk To My Agent run?

On your server. The voice gateway runs on your OpenClaw instance - not on ours. Call audio, transcripts, and customer conversations stay on your machine.

02. Do you have access to my server or call data?

No. We don't have access to your server, we don't receive your call data, and we don't store your conversations.

03. Is the gateway exposed to the public internet?

No. The gateway listens on localhost only - it's not reachable from outside your machine. All external traffic flows through an outbound-only encrypted Cloudflare tunnel. You don't need to open inbound ports or configure firewall rules.

04. What protects the system from attacks?

Cloudflare handles DDoS protection at the edge before anything reaches your instance. Internal diagnostic endpoints are blocked from tunnel traffic entirely - they're only accessible from the machine itself.

05. How are incoming webhooks verified?

Every inbound event from the phone network is verified using Ed25519 digital signatures with timestamp replay protection. Timestamps older than five minutes are rejected. If the signing key is missing or invalid, the gateway rejects all webhooks - it fails closed, not open.

06. What if security is misconfigured?

The system fails closed by default. If the webhook signing key is missing, webhooks are rejected. The platform also refuses to generate install tokens without the signing key configured, so an insecure deployment can't ship silently.
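
As an added illustration of the checks described in questions 05 and 06 (this is not code from the Talk To My Agent gateway), the Go program below verifies an Ed25519 webhook signature, enforces the five-minute timestamp window, and rejects everything when no valid key is configured. The signed-message layout (timestamp, "|", body), the names Verifier, signedMessage and check, and the key pair and payload are assumptions constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
	"strconv"
	"time"
)

const maxAge = 5 * time.Minute // replay window stated in the FAQ
// Verifier holds the provider's public key; an unusable key rejects every webhook.
type Verifier struct{ Key ed25519.PublicKey }
// signedMessage uses an assumed layout: "<unix-seconds>|<raw body>".
func signedMessage(ts string, body []byte) []byte {
	return append([]byte(ts+"|"), body...)
}

// Verify returns nil only when the key is usable, the timestamp is within maxAge
// of now (far-future stamps are rejected too, an addition here), and the signature matches.
func (v Verifier) Verify(ts string, sig, body []byte, now time.Time) error {
	if len(v.Key) != ed25519.PublicKeySize {
		return errors.New("signing key missing or invalid")
	}
	sec, err := strconv.ParseInt(ts, 10, 64)
	if err != nil {
		return errors.New("unparseable timestamp")
	}
	if age := now.Sub(time.Unix(sec, 0)); age > maxAge || age < -maxAge {
		return errors.New("timestamp outside the five-minute window")
	}
	if !ed25519.Verify(v.Key, signedMessage(ts, body), sig) {
		return errors.New("bad signature")
	}
	return nil
}

// check reports acceptance for: valid, 1000 s old, tampered body, no key configured.
func check() [4]bool {
	pub, priv, _ := ed25519.GenerateKey(nil) // throwaway key pair
	now, body := time.Unix(1700000000, 0), []byte(`{"event":"example"}`)
	ok := func(v Verifier, ts string, b []byte) bool {
		return v.Verify(ts, ed25519.Sign(priv, signedMessage(ts, body)), b, now) == nil
	}
	good := Verifier{Key: pub}
	return [4]bool{ok(good, "1700000000", body), ok(good, "1699999000", body),
		ok(good, "1700000000", []byte(`{}`)), ok(Verifier{}, "1700000000", body)}
}
func main() { fmt.Println(check()) }
```

The second case carries a signature that is valid for its own timestamp, so only the freshness check stops the replay.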

07. How are secrets delivered during installation?

Through a one-time encrypted install token. The token is encrypted with AES-256-GCM, can only be used once, expires in 15 minutes, and is permanently deleted from our systems after you redeem it. Only audit metadata is retained.

08. Do you store my API keys?

No. The encrypted install payload is deleted after redemption. Your agent secret is stored on our side only as a SHA-256 hash - we never see the raw value after you receive it.

09. Does the gateway run as root?

Never. It runs under your OpenClaw service user with strict systemd sandboxing: no privilege escalation, read-only system directories, isolated temp space, and no core dumps.

10. Can Cloudflare see my API keys?

No. The tunnel process is forked before any secrets are exported. Your Gemini API key, agent secret, and OpenClaw token are invisible to the tunnel process.

11. Does the phone provider API key touch my server?

No. The Telnyx API key stays in Google Cloud Secret Manager on our infrastructure. When your gateway needs to control a call, it sends an authenticated request to our signaling proxy, which validates your identity, applies rate limits, and makes the call on your behalf.

A compromised gateway cannot extract the API key or control another customer's phone number.

12. How are downloads verified?

Every binary and bundle is SHA-256 verified before anything runs on your server. The skill bundle is additionally scanned for path traversal and symlink attacks before extraction.

13. What about call recordings?

Recording is off by default. When enabled, recordings are stored by our telephony provider (Telnyx) and accessible through your dashboard. We're working on direct storage to your own bucket in a future release.

14. Can I inspect what was installed?

Yes. The startup scripts, configuration files, systemd unit, and file permissions are all readable on your server. You can inspect exactly how secrets are loaded, how processes are forked, and what sandboxing is applied. Run ninja-talk doctor for a quick health check, or read the files directly.

The gateway binary itself is compiled and protected as proprietary software - the source code is not exposed on your instance. But the infrastructure around it (how it starts, what permissions it has, what it can access) is fully transparent.

15. Will the installer change my system?

No. The installer will never create users, add SSH keys, open firewall ports, install telemetry, modify system configuration, inject cron jobs, or send usage data. It only writes to the install directory and the OpenClaw workspace.

16. What's the bottom line?

Your calls run on your server, through your tunnel, under your control. We built every layer with the assumption that attackers will try - and designed it so they can't get in. You don't have to take our word for it - everything is verifiable on your machine.

Questions? Reach out at moltbot.ninja/contact