Generic hosts run your AI agents on shared infrastructure with API keys in environment variables and unrestricted internet access. When your security team says no, they're right. We built the hosting that passes the review.
If your AI agents touch regulated data, proprietary workflows, or client confidences — generic hosting isn't a cost saving. It's a liability.
Agents that touch PHI must live in HIPAA-compliant environments. We provide isolated namespaces, access-controlled audit trails, and security documentation for your compliance officer and BAA discussions.
Attorney-client privilege doesn't stop at your firewall. Every client's agent environment is isolated from every other — at the network level, not just the application level. No shared processes, no shared memory.
SOC 2 and SEC requirements demand documented controls, audit trails, and verifiable access policies. Our audit logs, egress allow-lists, and Vault credential management give your security team something concrete.
CMMC and FedRAMP-adjacent programs require dedicated infrastructure, documented network controls, and verifiable access logging. Shared hosting fails the first technical review. We were built for this.
Underwriting data, claims information, and actuarial models processed by AI need the same protection as your core systems — not a $5/mo VPS shared with strangers.
If your agents touch data your legal or security team cares about, the answer is probably the same. Let’s talk.
Shared hosting works fine for personal projects. The moment your agents touch real client data, production credentials, or regulated systems — the architecture that made it cheap is exactly what makes it dangerous.
Gray Fox was built specifically so your security review has something to say yes to.
Your agents run alongside other customers' agents on the same host. One misconfigured sandbox can reach another tenant's data. No shared-infrastructure host can prevent this by design.
API keys stored as env vars are visible to any process in the container, appear in logs and crash reports, and are readable by anyone with host-level access — including the hosting provider.
Agents can reach any endpoint on the internet with no allowlist, no visibility, and no protection against data exfiltration. Nothing stops a compromised dependency from calling home.
Dedicated namespace, Vault-backed credentials, and deny-by-default network policy — each enforced independently at the kernel level, with documentation you can hand to your compliance team.
The difference isn't a feature. It's the entire architecture.
Each layer is hard enforcement — not best-effort. Any one of them alone would stop most breaches. Together, they're what enterprise actually means.
Cilium eBPF enforces deny-by-default at the kernel. Agents can only reach explicitly approved hostnames, ports, and HTTP methods. A packet that bypasses your agent code is still dropped if it doesn't match an allow rule — before it leaves the node.
Cilium, eBPF, CiliumNetworkPolicy
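A reviewer can check that an egress policy really is an allow-list of hostnames, ports, and HTTP methods by linting it for rules that quietly reopen the internet. The following is an added example, not Gray Fox's code: it assumes a CiliumNetworkPolicy already parsed into a dict, the function name lint_egress is hypothetical, and both sample policies are constructed.

```python
BROAD_ENTITIES = {"world", "all"}
BROAD_CIDRS = {"0.0.0.0/0", "::/0"}


def lint_egress(policy):
    """Return findings; an empty list means every egress rule is narrowly scoped."""
    spec = policy.get("spec", {})
    if "egress" not in spec:
        return ["no egress section: this policy does not restrict egress"]
    findings = []
    for i, rule in enumerate(spec["egress"]):
        where = f"egress[{i}]"
        for ent in rule.get("toEntities", []):
            if ent in BROAD_ENTITIES:
                findings.append(f"{where}: toEntities '{ent}' allows any destination")
        cidrs = list(rule.get("toCIDR", []))
        cidrs += [c.get("cidr") for c in rule.get("toCIDRSet", [])]
        for cidr in cidrs:
            if cidr in BROAD_CIDRS:
                findings.append(f"{where}: CIDR {cidr} allows any address")
        for fqdn in rule.get("toFQDNs", []):
            if fqdn.get("matchPattern") == "*":
                findings.append(f"{where}: toFQDNs matchPattern '*' allows any hostname")
        if not rule.get("toPorts"):
            findings.append(f"{where}: no toPorts, so every port is allowed")
        for tp in rule.get("toPorts", []):
            for http in tp.get("rules", {}).get("http", []):
                if "method" not in http:
                    findings.append(f"{where}: HTTP rule without method allows any method")
    return findings


# Constructed sample policies (hostnames are placeholders).
SCOPED = {"spec": {"egress": [
    {"toFQDNs": [{"matchName": "api.example.com"}],
     "toPorts": [{"ports": [{"port": "443", "protocol": "TCP"}]}]},
]}}
LOOSE = {"spec": {"egress": [
    {"toEntities": ["world"]},
    {"toFQDNs": [{"matchPattern": "*"}],
     "toPorts": [{"ports": [{"port": "80", "protocol": "TCP"}],
                  "rules": {"http": [{"path": "/.*"}]}}]},
]}}

if __name__ == "__main__":
    for name, pol in (("scoped", SCOPED), ("loose", LOOSE)):
        print(name, lint_egress(pol))
```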
Your API keys live in HashiCorp Vault and are injected into outbound requests by Envoy at the network layer. The agent only ever holds a placeholder string. Keys never appear in pod memory, environment variables, logs, or kubectl describe output.
HashiCorp Vault, Envoy, External Secrets
Every client runs in a dedicated Kubernetes namespace with RBAC scoped exclusively to that namespace. Cross-environment traffic is blocked cluster-wide at the kernel. One environment cannot read, reach, or write to another — regardless of misconfiguration.
Kubernetes RBAC, Namespace isolation, Vault path scoping
Agents run non-root with a read-only filesystem, all Linux capabilities dropped, and seccomp RuntimeDefault applied. These are enforced at admission — a pod that violates them is rejected before it ever starts. Security tests run on every commit to prevent regression.
Pod Security Standards, seccomp, Admission Webhooks
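The four pod-level controls listed above can be verified mechanically, either in an admission webhook or as a regression test on each commit. The following is an added example, not Gray Fox's code: the function name pod_violations is hypothetical, it works on a pod manifest parsed into a dict, and both sample pods are constructed.

```python
def pod_violations(pod):
    """Return the reasons a pod fails the non-root, read-only, no-caps, seccomp checks."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    out = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "?")
        sc = c.get("securityContext") or {}
        # Container-level settings override pod-level ones where both exist.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            out.append(f"{name}: runAsNonRoot is not true")
        if sc.get("runAsUser", pod_sc.get("runAsUser")) == 0:
            out.append(f"{name}: runAsUser is 0")
        # readOnlyRootFilesystem and capabilities exist only at container level.
        if sc.get("readOnlyRootFilesystem") is not True:
            out.append(f"{name}: root filesystem is writable")
        caps = sc.get("capabilities") or {}
        if "ALL" not in (caps.get("drop") or []):
            out.append(f"{name}: capabilities.drop does not include ALL")
        if caps.get("add"):
            out.append(f"{name}: adds capabilities {caps['add']}")
        profile = sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}
        if profile.get("type") != "RuntimeDefault":
            out.append(f"{name}: seccomp profile is not RuntimeDefault")
    return out


# Constructed sample pods.
HARDENED = {"spec": {
    "securityContext": {"runAsNonRoot": True,
                        "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "agent", "securityContext": {
        "readOnlyRootFilesystem": True,
        "allowPrivilegeEscalation": False,
        "capabilities": {"drop": ["ALL"]}}}],
}}
DEFAULT = {"spec": {"containers": [{"name": "agent", "image": "example/agent"}]}}

if __name__ == "__main__":
    print("hardened:", pod_violations(HARDENED))
    print("default:", pod_violations(DEFAULT))
```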
We handle the infrastructure and the compliance documentation. You focus on what your agents actually do.
We start with a conversation — your industry, your compliance requirements, your data types. We'll tell you exactly what we can and can't cover before any commitment.
We provision your isolated namespace, vault your credentials, and configure egress policies for every integration your agents need — scoped exactly to what they require and nothing more.
Always-on agents with automatic recovery, full audit logging, and a dedicated Grafana dashboard. We handle uptime, patching, and secret rotation. You get the security documentation.
If your question isn't here, ask us directly. We'd rather answer before the procurement process starts than during it.
Yes. We provide a security architecture document that describes each isolation layer, our credential management approach, network egress controls, and audit logging implementation. This is designed to be handed directly to your compliance officer, auditor, or security review committee. We can tailor the language to your specific framework on request.
We don't currently hold SOC 2 Type II certification ourselves — if that's a hard requirement, tell us and we'll work through what that means for your engagement.
Self-hosting on AWS/Azure gives you the raw infrastructure — you're still responsible for configuring namespace isolation, setting up Vault, implementing Cilium egress policy, hardening pod security, and maintaining all of it as OpenClaw updates ship. That's a 3–6 month project for a dedicated DevOps and security team, not a weekend deployment.
We've already built and hardened that stack. You get the security outcome without the engineering investment. If you have the team to do it yourself, you probably don't need us — and we'll tell you that.
Each client runs in a dedicated Kubernetes namespace with RBAC scoped exclusively to that namespace. Cross-namespace traffic is blocked cluster-wide using Cilium network policy enforced at the kernel — not at the application layer. This means even if two agents in different namespaces both have bugs or misconfigurations, neither can reach the other's data, memory, or network connections.
Vault path scoping ensures your credentials are only accessible under paths namespaced to your environment. An agent in another namespace can't request your secrets even if it knows the path.
Most clients are running in under a week from first call to live agents. The first call is scoping — we understand your integrations, compliance requirements, and agent workflows. Provisioning your namespace, vaulting your credentials, and configuring egress policies typically takes 1–3 business days.
If you have complex custom egress requirements or specific compliance documentation needs, add a few days. We'll give you a realistic timeline on the scoping call.
Your OpenClaw configuration, agent definitions, and workflow data belong to you. We can export everything in a format you can deploy elsewhere. We don't use proprietary agent formats or lock-in mechanisms — OpenClaw is the same platform regardless of host.
We'd rather keep clients because the service is worth it, not because leaving is painful.
No. We manage the entire infrastructure layer — Kubernetes operations, patching, secret rotation, uptime monitoring, and incident response. You interact with OpenClaw through its native interface and the gfclaw CLI. The infrastructure is invisible to your team unless you want to see it — in which case you get a read-only Grafana dashboard scoped to your environment.
If something goes wrong at the infrastructure level, that's our problem to fix, not yours to debug.
13 pre-built policy presets. Each one whitelists the exact hostnames, ports, and HTTP paths required — nothing more, nothing less.
Need an integration not listed? Custom policy presets are available on request.
No single point of failure. If a node goes down, your sandbox is rescheduled and running again within seconds — automatically, without paging anyone.
Every agent creation, deletion, and policy change is logged with operator identity and timestamp. Query in Grafana or export for compliance reviews.
Manage agents programmatically with a JWT-authenticated REST API or the gfclaw CLI. Full OpenAPI spec included. Integrates with your existing pipelines.
Grafana dashboards, Prometheus metrics, and distributed tracing scoped to your environment. Your telemetry doesn't share a panel with other clients.
Add or remove integration presets on running agents without pod restarts or credential rotation. Changes propagate in seconds via the operator's reconcile loop.
Update a credential in Vault. The Envoy sidecar picks it up in under 60 seconds. No restart. No downtime. No exposure window during rotation.
Tell us about your use case, your industry, and any compliance requirements you're working with. We'll come back with a direct answer — whether that's a yes, a proposal, or a referral if we're not the right match.