Security Practices

Security is foundational to everything we build at HostAgentes. This page describes the technical and organizational measures we take to protect your data, your agent configurations, and your API keys when you use Paperclip or OpenClaw. We update these practices continuously as threats evolve.

If you discover a security vulnerability, please see Section 8 on Responsible Disclosure before taking any action.

1. Infrastructure Security

1.1 Hosting and Edge Network

The HostAgentes marketing site is deployed on Vercel's global edge network, which provides built-in DDoS protection, automatic HTTPS, and edge caching. Our Paperclip and OpenClaw platforms are hosted on enterprise-grade cloud infrastructure with physical security controls, redundant power, and network isolation.

1.2 Network Segmentation

Production environments are isolated from development and staging environments at the network level. Internal services communicate over private networks and are not exposed to the public internet. External access is restricted to explicitly defined entry points, protected by firewalls and security groups.

1.3 Secure HTTP Headers

All pages served from hostagentes.com include hardened HTTP security headers:

• Strict-Transport-Security (HSTS): Forces HTTPS for all connections
• Content-Security-Policy (CSP): Restricts script and resource loading to trusted origins
• X-Frame-Options: Prevents clickjacking via iframe embedding
• X-Content-Type-Options: Prevents MIME-type sniffing
• Referrer-Policy: Limits referrer data leakage to third parties
• Permissions-Policy: Disables unused browser features (camera, microphone, geolocation)

2. Data Encryption

2.1 Encryption in Transit

All data transmitted between your browser and our services is encrypted using TLS 1.2 or higher. We enforce HTTPS across all endpoints and redirect any HTTP requests to HTTPS automatically. Internal service-to-service communication also occurs over encrypted channels.

2.2 Encryption at Rest

All customer data stored on our platform — including agent configurations, workflow definitions, and logs — is encrypted at rest using AES-256. Database backups are also encrypted. Encryption keys are managed using a dedicated key management service with access logging and rotation policies.

2.3 API Key Storage (OpenClaw)

When you provide your own LLM API keys for use with OpenClaw, those keys are encrypted at rest using envelope encryption. Keys are decrypted only at execution time, within isolated compute environments, and are never logged or exposed in plaintext outside of the secure execution context.

3. Access Controls

3.1 Principle of Least Privilege

Internal team members are granted only the minimum level of access required to perform their job functions. Access to production systems is restricted to a small number of authorized engineers and requires approval and audit logging.

3.2 Multi-Factor Authentication

All internal team access to production systems, cloud consoles, and administrative interfaces requires multi-factor authentication (MFA). We strongly encourage customers to enable MFA on their HostAgentes accounts as well.

3.3 Customer Isolation

Each customer's agent workloads run in isolated execution environments. Customers cannot access each other's configurations, data, or execution logs. Logical separation is enforced at both the application and infrastructure layer.

3.4 Access Reviews

We conduct periodic access reviews to ensure that internal permissions remain appropriate. Access is revoked promptly when team members change roles or leave the organization.

4. Application Security

4.1 Secure Development Practices

Our development process includes:

• Code review requirements before merging to production
• Static analysis and dependency vulnerability scanning in CI/CD pipelines
• Regular review of third-party dependencies for known CVEs
• Secrets scanning to prevent accidental commit of credentials

4.2 Dependency Management

We monitor our software dependencies for known security vulnerabilities using automated scanning tools. Critical vulnerabilities are patched within 24 hours; high-severity vulnerabilities are addressed within 7 days.

4.3 Input Validation and Output Sanitization

All user-supplied input is validated and sanitized before processing. We apply appropriate escaping and encoding to prevent injection attacks, including SQL injection, XSS, and prompt injection in agent pipelines.

5. Operational Security

5.1 Logging and Monitoring

We maintain comprehensive audit logs of administrative actions, authentication events, and API access. Logs are stored in a tamper-resistant, append-only system. Automated alerting systems monitor for anomalous activity, authentication failures, and potential intrusion indicators around the clock.

5.2 Backup and Recovery

Customer data is backed up regularly. Backups are stored in geographically separate locations and tested periodically to verify recoverability. Our recovery time objective (RTO) and recovery point objective (RPO) targets are defined in our internal business continuity plan.

5.3 Patch Management

Operating system and software patches are applied on a defined schedule. Security patches rated critical are applied within 24 hours of release. Systems are kept up to date with vendor-supported software versions.

6. Incident Response

6.1 Incident Detection

We have automated detection systems in place to identify potential security incidents, including anomalous API usage, failed authentication spikes, and unusual data access patterns. Our team is on-call to investigate and respond to alerts.

6.2 Response Process

When a potential security incident is detected:

• Triage: The incident is assessed for severity and scope within 1 hour of detection.
• Containment: Affected systems or accounts are isolated to prevent further impact.
• Investigation: Root cause analysis is conducted to understand what happened and what data was affected.
• Remediation: The vulnerability or attack vector is addressed and systems are restored.
• Post-mortem: A written post-mortem is produced for significant incidents, including learnings and process improvements.

6.3 Customer Notification

If a security incident results in unauthorized access to your data, we will notify you within 72 hours of confirming the breach, in accordance with GDPR Article 33. Notification will include the nature of the breach, data affected, likely consequences, and measures taken or proposed to address it.

7. Compliance

7.1 GDPR

We process personal data of EEA residents in compliance with the General Data Protection Regulation (GDPR). This includes maintaining records of processing activities, upholding data subject rights, implementing appropriate technical and organizational measures, and observing breach notification obligations. See our Privacy Policy for full details.

7.2 SOC 2 (Goal)

We are actively working toward SOC 2 Type II certification. Our security controls are designed around the Trust Services Criteria (TSC) covering security, availability, and confidentiality. We will publish our SOC 2 report when certification is achieved. Enterprise customers may request a copy of our current security posture documentation by contacting support@hostagentes.com.

7.3 Sub-processors

We maintain a list of sub-processors involved in delivering our services. These sub-processors are evaluated for their security practices and bound by data processing agreements. Customers can request our current sub-processor list by contacting our support team.

8. Responsible Disclosure

We take security reports seriously and are grateful to researchers who help us protect our customers. If you believe you have found a security vulnerability in any HostAgentes service, please report it to us responsibly.

8.1 How to Report

Email your findings to support@hostagentes.com with the subject line "Security Disclosure". Please include:

• A description of the vulnerability and its potential impact
• Steps to reproduce the issue
• Any supporting screenshots, logs, or proof-of-concept code
• Your contact information for follow-up

8.2 Our Commitments

When you report in good faith, we commit to:

• Acknowledge your report within 2 business days
• Investigate and provide status updates within 10 business days
• Not pursue legal action against you for good-faith security research
• Credit you in our acknowledgments if you wish, once the issue is resolved

8.3 Scope

In-scope targets include: www.hostagentes.com, app.hostagentes.com, and the Paperclip and OpenClaw APIs. Out-of-scope activities include: denial of service attacks, social engineering, physical attacks, and testing that impacts other customers' data or service availability.

Please do not publicly disclose vulnerability details until we have had a reasonable opportunity to investigate and remediate.

9. Contact

For security-related questions or to report a vulnerability:

HostAgentes Security Team
Email: support@hostagentes.com
Subject line: "Security Disclosure" or "Security Question"
Website: www.hostagentes.com