
OpenClaw & GDPR: Self-Hosting in Europe on Hetzner

Run OpenClaw on a GDPR-compliant European server. Step-by-step Hetzner deployment guide for Luxembourg businesses that need EU data sovereignty.

Luxembourg businesses face some of the EU’s strictest GDPR enforcement. Before deploying OpenClaw in a professional context, understanding the data flow and building a compliant architecture isn’t optional — it’s a legal requirement. This guide provides the complete, tested setup for a GDPR-compliant OpenClaw deployment on Hetzner Cloud.

Understanding OpenClaw’s Data Architecture

OpenClaw processes data in two separate places. Understanding this split is the foundation of GDPR compliance planning.

Component 1: The OpenClaw Daemon (Your Server)

This is the Node.js process running on your machine or VPS. It handles:

  • Receiving messages from your messaging app
  • Managing skills and tools
  • Storing conversation history and configuration
  • Executing local operations (file access, browser control, shell commands)

GDPR status: Under your control, but not free of third parties. On a VPS the hosting provider is your data processor (which is why the Hetzner DPA matters), and the messaging platform you connect in Step 8 (WhatsApp or Telegram) handles every message before the daemon sees it. Conversation history and configuration sit on the server's disk, so access control, retention and backups for that data are your responsibility.

Component 2: LLM API Calls (Third-Party Cloud)

Every time OpenClaw needs the AI to “think,” it sends your message (and context) to an LLM API:

  • Anthropic (Claude): US servers
  • OpenAI (GPT-4): US servers
  • DeepSeek: China-based servers
  • Ollama: Your own server — no external API call

GDPR status of cloud LLMs: This is the compliance risk. Sending personal data to a server outside the EU/EEA is a third-country transfer, which needs a valid transfer mechanism under GDPR Chapter V (an adequacy decision, such as the EU-US Data Privacy Framework for providers certified under it, or SCCs) on top of the Article 6 legal basis and a processor agreement with the provider. For most practical purposes, the cleanest solution is Ollama: your data never leaves your infrastructure, so no transfer takes place.

Why Hetzner Cloud

Hetzner is the preferred European cloud provider for OpenClaw deployments for three reasons:

  1. EU data centers: Germany (Nuremberg, Falkenstein) and Finland (Helsinki). Hetzner also sells locations in the US (Ashburn, Hillsboro) and Singapore, so the EU guarantee only holds if you select an EU location when you create the server
  2. Price: CX21 (2 vCPU, 4GB RAM) is ~€6/month; comparable AWS capacity is ~€30/month (Hetzner revises plan names and prices from time to time, so check the current equivalent)
  3. GDPR posture: ISO 27001 certified, EU-based company, processor agreement (DPA under Article 28) available, which you should sign before going live

For reference, OpenClaw itself recommends Hetzner in their deployment documentation. The community calls it “the GDPR pick.”

Server Setup: Step-by-Step

Step 1: Create Your Hetzner Server

  1. Create a Hetzner Cloud account

  2. Create a new project

  3. Add a new server with these settings:

    • Location: Nuremberg or Helsinki (EU)
    • OS: Ubuntu 22.04 LTS
    • Type: CX21 (2 vCPU, 4GB) for cloud LLMs; CX31 (4 vCPU, 8GB) if running Ollama
    • SSH Key: Add your public key (generate with ssh-keygen -t ed25519 if needed)
  4. Note your server’s public IP address

Step 2: Initial Server Security

SSH into your server and run these hardening steps. Keep this root session open until you have confirmed, from a second terminal, that key-based login as the new user works; a mistake in the sshd configuration otherwise locks you out of the server.

# SSH into server
ssh root@YOUR_SERVER_IP

# Update everything
apt update && apt upgrade -y

# Create a non-root user
adduser openclaw-admin
usermod -aG sudo openclaw-admin

# Copy the authorized key to the new user with the permissions sshd insists on
install -d -m 700 -o openclaw-admin -g openclaw-admin /home/openclaw-admin/.ssh
install -m 600 -o openclaw-admin -g openclaw-admin ~/.ssh/authorized_keys /home/openclaw-admin/.ssh/authorized_keys

# Disable root SSH login and password auth.
# Ubuntu's sshd_config includes /etc/ssh/sshd_config.d/*.conf at the top, and
# sshd uses the first value it sees for each keyword, so a drop-in that sorts
# before cloud-init's 50-cloud-init.conf (present on Ubuntu cloud images, and it
# may set PasswordAuthentication yes) overrides both it and the main file.
cat > /etc/ssh/sshd_config.d/00-hardening.conf <<'EOF'
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
EOF
sshd -t && systemctl restart ssh

# From a SECOND terminal on your workstation, confirm before closing this one:
#   ssh openclaw-admin@YOUR_SERVER_IP   # must work with your key
#   ssh root@YOUR_SERVER_IP             # must now be refused

# Switch to non-root user for remaining setup
su - openclaw-admin

Step 3: Configure Firewall (UFW)

# Install and configure UFW
sudo apt install ufw -y

# Default: deny all incoming, allow all outgoing
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Allow SSH only
sudo ufw allow 22/tcp

# Enable firewall
sudo ufw enable
sudo ufw status

Critical: Do NOT open any OpenClaw-specific port to the public internet. OpenClaw should only be accessible via the secure tunnel you’ll set up in Step 7.

Step 4: Install fail2ban

sudo apt install fail2ban -y
sudo systemctl enable fail2ban
sudo systemctl start fail2ban

# Verify
sudo fail2ban-client status

The Ubuntu package enables the sshd jail out of the box (/etc/fail2ban/jail.d/defaults-debian.conf), so from here on fail2ban bans IPs that fail SSH login repeatedly; sudo fail2ban-client status sshd shows the jail and its banned addresses. With password authentication already disabled in Step 2, a brute-force attack cannot succeed anyway; fail2ban mainly keeps log noise down and slows scanners.

Step 5: Install Node.js 22

# Install nvm
curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.7/install.sh | bash
source ~/.bashrc

# Install Node 22
nvm install 22
nvm use 22
nvm alias default 22

# Verify
node --version
npm --version

Step 6: Install Ollama (GDPR-Compliant LLM)

Using Ollama keeps all AI processing on your Hetzner server, so prompts and responses never leave the EU. The installer is a script piped straight into a shell; download it first (curl -fsSL https://ollama.ai/install.sh -o ollama-install.sh), read it, then run it.

curl -fsSL https://ollama.ai/install.sh | sh

# Pull a model sized for the server's RAM. CPU-only inference needs the whole
# quantized model in memory, plus headroom for the OS and the OpenClaw daemon.
# CX21 (4GB RAM): only small models fit
ollama pull gemma:2b        # 2B, ~1.5GB: fast, limited capability
ollama pull mistral         # 7B, ~4GB: does not fit in 4GB next to everything else; expect heavy swapping

# CX31 (8GB RAM): the practical minimum for 7-8B models
ollama pull llama3          # 8B, ~4.7GB: good balance
ollama pull deepseek-r1:7b  # 7B, stronger reasoning

# CX41+ (16GB RAM): room for 13-14B models. 70B models (llama3:70b is ~40GB)
# need a machine with well over 40GB of RAM and are very slow on CPU, so they
# are out of reach for this server class.

# Test Ollama (the model has no clock, so ask it something it can answer)
ollama run mistral "Summarise the GDPR in two sentences."

# The installer registers Ollama as a systemd service; make sure it is enabled
sudo systemctl enable --now ollama

# Ollama listens on 127.0.0.1:11434 by default. Leave it that way: never set
# OLLAMA_HOST=0.0.0.0, or the model API becomes reachable from the network.

Step 7: Set Up Secure Access with Tailscale

Instead of opening OpenClaw to the internet, use Tailscale (a WireGuard-based VPN) to access it from your devices over an encrypted tunnel.

# Install Tailscale
curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up

# Note your Tailscale IP (looks like 100.x.x.x)
tailscale ip -4

# UFW denies all incoming by default (Step 3), which also blocks traffic that
# arrives over the tunnel. Allow incoming traffic on the tailscale0 interface
# only; the public interface stays closed.
sudo ufw allow in on tailscale0
sudo ufw status verbose

Install Tailscale on your phone and laptop. Once connected, you'll access OpenClaw via the Tailscale IP, never the public internet IP. Only devices signed into your tailnet can reach the server this way, and Tailscale ACLs in the admin console let you restrict which of those devices may talk to it.

Step 8: Install and Configure OpenClaw

# Installs the package and its full dependency tree from the npm registry.
# Pin an explicit version you have reviewed instead of @latest once you go live,
# and record it: the agent has shell access, so every update is a trust decision.
npm install -g openclaw@latest

openclaw onboard --install-daemon

During onboarding:

  • LLM Provider: Select Ollama
  • Ollama URL: http://localhost:11434 (default)
  • Model: Select the model you pulled (e.g. llama3)
  • Messaging: Connect your WhatsApp or Telegram

Step 9: Configure OpenClaw Security Settings

Edit ~/.openclaw/config.json:

{
  "llm": {
    "provider": "ollama",
    "baseUrl": "http://localhost:11434",
    "model": "llama3",
    "maxTokens": 4096
  },
  "security": {
    "requireConfirmation": true,
    "allowedPaths": ["/home/openclaw-admin/workspace"],
    "blockedCommands": ["rm -rf", "format", "dd", "mkfs", "shutdown", "reboot"],
    "maxConcurrentTasks": 3,
    "rateLimit": {
      "messagesPerHour": 100
    }
  },
  "privacy": {
    "logRetentionDays": 30,
    "anonymizeInLogs": true
  }
}

Treat allowedPaths and requireConfirmation as the real controls. blockedCommands is a string denylist, and a model, or a prompt-injected message that the model obeys, can route around it with trivial variants (rm -r -f, /bin/rm, a one-line script, a busybox alias), so it is defense in depth, not a boundary. The account the daemon runs under is the hard limit: if that is openclaw-admin, which this guide gives sudo, whatever the model runs executes with that user's rights. Consider a dedicated unprivileged account for the daemon, and keep the workspace directory the only place it can write.

Step 10: Set Up Automatic Updates

# Install unattended-upgrades for security patches
sudo apt install unattended-upgrades -y
sudo dpkg-reconfigure -plow unattended-upgrades

# Weekly OpenClaw update (3am Monday). Two things the bare one-liner gets wrong:
# cron runs with a minimal PATH, so the nvm-installed npm is not found unless
# nvm.sh is sourced first, and restarting a system service needs root, which
# takes a sudoers rule such as
#   openclaw-admin ALL=(root) NOPASSWD: /usr/bin/systemctl restart openclaw
(crontab -l 2>/dev/null; echo '0 3 * * 1 . "$HOME/.nvm/nvm.sh" && npm update -g openclaw && sudo /usr/bin/systemctl restart openclaw') | crontab -

Unattended updates of a package that has shell access on your server are a supply-chain trade-off: whatever the registry serves as the next version runs on your machine without anyone reading a changelog. If that does not fit your risk appetite, leave the cron entry out and keep the OpenClaw update as the deliberate monthly step listed below.
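A middle ground between fully unattended and fully manual updates is to gate the cron job on the kind of version bump. The script below is an added example, not OpenClaw's own tooling and not from the original guide: it decides from two version strings whether an update is a patch release (applied unattended, pinned to the exact version) or a minor/major bump (logged and left for the monthly review), and writes a timestamped log line either way. It assumes plain X.Y.Z version strings, that npm ls -g --depth=0 openclaw prints a line containing openclaw@<version>, that the systemd unit is named openclaw, and that a sudoers rule allows openclaw-admin to restart only that unit; those are assumptions, not facts from the guide. The decision function runs offline; only the --apply branch touches npm and systemd.

```shell
#!/bin/sh
# Added example: gated OpenClaw update for the weekly cron job. Not part of
# OpenClaw. Patch releases are applied unattended; minor/major bumps are logged
# and left for the monthly review. Assumes plain X.Y.Z version strings.

# update_policy INSTALLED LATEST -> prints one of:
#   none    already current, or the registry version is older (never downgrade)
#   patch   same major.minor, newer patch: safe to apply from cron
#   review  minor or major bump: read the release notes first
update_policy() {
    inst=${1%%-*}; lat=${2%%-*}                 # drop any -prerelease suffix
    imaj=${inst%%.*}; r=${inst#*.}; imin=${r%%.*}; ipat=${r#*.}
    lmaj=${lat%%.*};  r=${lat#*.};  lmin=${r%%.*}; lpat=${r#*.}
    if [ "$lmaj" -gt "$imaj" ] || { [ "$lmaj" -eq "$imaj" ] && [ "$lmin" -gt "$imin" ]; }; then
        echo review
    elif [ "$lmaj" -eq "$imaj" ] && [ "$lmin" -eq "$imin" ] && [ "$lpat" -gt "$ipat" ]; then
        echo patch
    else
        echo none
    fi
}

# Installed version, parsed from `npm ls -g --depth=0 openclaw` (assumed to print
# a line like "openclaw@1.4.2"); latest version from the registry via `npm view`.
installed_version() {
    npm ls -g --depth=0 openclaw 2>/dev/null | sed -n 's/.*openclaw@\([0-9][0-9.]*\).*/\1/p' | head -n 1
}
latest_version() { npm view openclaw version; }

# Log every decision with a UTC timestamp so the monthly review can see what
# changed on the server and when (accountability for a system that processes
# personal data).
apply_update() {
    installed=$(installed_version); latest=$(latest_version)
    decision=$(update_policy "$installed" "$latest")
    printf '%s installed=%s latest=%s decision=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$installed" "$latest" "$decision"
    case $decision in
        patch)
            # Pin the exact version instead of `npm update`, so the log line above
            # records precisely what now runs. The restart needs this sudoers rule
            # (assumed): openclaw-admin ALL=(root) NOPASSWD: /usr/bin/systemctl restart openclaw
            npm install -g "openclaw@$latest" && sudo /usr/bin/systemctl restart openclaw ;;
        review)
            echo "minor/major bump held back: review the release notes, then update by hand" ;;
    esac
}

# Crontab entry (cron needs nvm sourced first, see Step 10):
#   0 3 * * 1 . "$HOME/.nvm/nvm.sh" && "$HOME/bin/openclaw-update.sh" --apply >> "$HOME/openclaw-update.log" 2>&1
if [ "${1:-}" = "--apply" ]; then apply_update; fi
```

The log file is worth keeping with the other server records: it tells you, per week, which exact package version was running and whether a held-back release is waiting for review.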

GDPR Data Mapping for OpenClaw

Before going live, complete this data mapping exercise:

Data type     | Where processed     | Legal basis                           | Retention       | Risk
Your messages | Hetzner server (EU) | Legitimate interest                   | 30 days         | Low
Email content | Hetzner server (EU) | Contract performance                  | Processing only | Low
Client names  | Hetzner server (EU) | Legitimate interest                   | 30 days         | Low
LLM prompts   | Ollama on Hetzner   | Same as the source data (no transfer) | Not stored      | None (no transfer)

The 30-day retention should match logRetentionDays in config.json (Step 9), and a legitimate-interest basis needs a documented balancing test.

If you switch to a cloud LLM (OpenAI/Claude), the LLM prompts row changes to "US server" and the risk column to "High: requires a processor agreement with the provider, a Chapter V transfer mechanism and a legal-basis review."

Monitoring Your Deployment

# Check OpenClaw service status
systemctl status openclaw

# View live logs
journalctl -u openclaw -f

# Check Ollama
systemctl status ollama
curl http://localhost:11434/api/tags

# Check disk usage (Ollama models are large)
df -h

# Review firewall status
sudo ufw status verbose
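The commands above are manual checks. What a practitioner wants after hardening is one script that fails loudly when the exposure rules from Steps 2, 3, 6 and 7 are violated. The following is an added example, not part of the original guide and not OpenClaw's tooling. It parses the output of ss -tlnH (listening TCP sockets) and sshd -T (the effective sshd configuration, drop-ins included) and runs offline on the constructed sample output embedded in it; run it with --live on the server to audit the real host. The OpenClaw listener in the sample (port 3000 on the Tailscale address) is a placeholder, since the guide does not state which port OpenClaw uses.

```shell
#!/bin/sh
# Added example: exposure audit for a host hardened as in this guide.
# Not OpenClaw's own tooling. The check functions read `ss -tlnH` / `sshd -T`
# output on stdin so they can run on constructed samples; `--live` audits the host.

# Print the local address:port of every listening TCP socket reachable from the
# public internet, i.e. not loopback and not in the Tailscale CGNAT range
# 100.64.0.0/10. Input: lines from `ss -tlnH` (column 4 = local address:port).
public_listeners() {
    awk '{
        addr = $4
        sub(/:[0-9]+$/, "", addr)                 # strip the port, IPv4 or [IPv6]
        if (addr ~ /^127\./ || addr == "[::1]" || addr == "::1") next
        if (addr ~ /^100\./) {                    # 100.64.0.0/10 is Tailscale
            split(addr, o, ".")
            if (o[2] + 0 >= 64 && o[2] + 0 <= 127) next
        }
        print $4
    }'
}

# Succeed only if the public surface is exactly the SSH port (22, per Step 3).
# Anything else is printed after "EXPOSED:" and the function fails.
check_public_surface() {
    public_listeners | awk '{
            n = split($0, a, ":"); port = a[n]
            if (port != "22") bad = bad " " $0
        }
        END { if (bad != "") { print "EXPOSED:" bad; exit 1 } }'
}

# Succeed only if Ollama (11434) is listening and bound to loopback only.
check_ollama_local() {
    awk '$4 ~ /:11434$/ {
            seen++
            if ($4 !~ /^127\.0\.0\.1:/ && $4 != "[::1]:11434") bad++
        }
        END { exit ((seen > 0 && bad == 0) ? 0 : 1) }'
}

# Succeed only if the three Step 2 settings are in effect. Input: `sshd -T`,
# which prints the merged configuration in lowercase, so drop-ins count.
check_sshd() {
    awk '
        $1 == "permitrootlogin"        && $2 == "no"  { ok++ }
        $1 == "passwordauthentication" && $2 == "no"  { ok++ }
        $1 == "pubkeyauthentication"   && $2 == "yes" { ok++ }
        END { exit ((ok == 3) ? 0 : 1) }'
}

# Constructed sample output (not captured from a real host).
SAMPLE_SS_GOOD='LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=812,fd=4))
LISTEN 0 4096 127.0.0.1:11434 0.0.0.0:* users:(("ollama",pid=1201,fd=3))
LISTEN 0 511 100.101.102.103:3000 0.0.0.0:* users:(("node",pid=1340,fd=20))'
# Same host after someone set OLLAMA_HOST=0.0.0.0 and bound OpenClaw to all interfaces.
SAMPLE_SS_BAD='LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 4096 0.0.0.0:11434 0.0.0.0:* users:(("ollama",pid=1201,fd=3))
LISTEN 0 511 [::]:3000 [::]:* users:(("node",pid=1340,fd=20))'
SAMPLE_SSHD_GOOD='port 22
permitrootlogin no
passwordauthentication no
pubkeyauthentication yes'
SAMPLE_SSHD_BAD='port 22
permitrootlogin prohibit-password
passwordauthentication yes
pubkeyauthentication yes'

# Run every check against the good samples; non-zero if any check fails.
audit_samples() {
    rc=0
    printf '%s\n' "$SAMPLE_SS_GOOD"   | check_public_surface || rc=1
    printf '%s\n' "$SAMPLE_SS_GOOD"   | check_ollama_local   || rc=1
    printf '%s\n' "$SAMPLE_SSHD_GOOD" | check_sshd           || rc=1
    return $rc
}

# Audit the real host (needs sudo for `sshd -T`).
audit_live() {
    if ss -tlnH | check_public_surface; then echo "OK   public surface is SSH only"; fi
    if ss -tlnH | check_ollama_local;   then echo "OK   ollama bound to loopback"; else echo "FAIL ollama reachable from the network"; fi
    if sudo sshd -T | check_sshd;       then echo "OK   sshd: no root login, no passwords"; else echo "FAIL sshd settings not in effect"; fi
}

if [ "${1:-}" = "--live" ]; then audit_live; fi
```

Run it from the monthly checklist, and again after any change to the Ollama environment, the firewall or the sshd drop-ins; a non-empty EXPOSED line means something other than sshd is answering on the public address.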

Monthly Security Checklist

  • Run npm update -g openclaw and verify version
  • Run sudo apt update && sudo apt upgrade -y
  • Review OpenClaw logs for anomalies: journalctl -u openclaw --since "30 days ago"
  • Check fail2ban blocked IPs: sudo fail2ban-client status sshd
  • Review installed skills — remove any you’re no longer using
  • Verify backup integrity if you’ve set up backups

The Bottom Line for Luxembourg Businesses

A properly configured OpenClaw on Hetzner with Ollama is:

  • GDPR-ready: processing and inference stay on an EU server; what remains is paperwork (the Hetzner DPA, the data mapping above, a retention policy) and the fact that messages still transit the messaging platform you connect, which is a processor in its own right
  • Secure — firewall, fail2ban, SSH keys, no public exposure
  • Affordable — €16/month total infrastructure
  • Maintained — automatic security updates

This is not a weekend setup — it takes 2-4 hours to configure correctly. But once it’s running, you have enterprise-grade security at SME cost.

dcode provides this complete setup as a managed service for Luxembourg businesses. We handle the Hetzner provisioning, security hardening, OpenClaw configuration, and ongoing maintenance. Get a free consultation.

Frequently Asked Questions

Is OpenClaw GDPR-compliant?
The self-hosted daemon itself can be operated in a GDPR-compliant way. The data transfer risk comes from LLM API calls to US providers (OpenAI, Anthropic). Using Ollama (local models) removes that transfer: prompts and responses never leave your Hetzner server. The messaging platform you connect (WhatsApp or Telegram) still carries the messages, so account for it in your data mapping.
Why Hetzner specifically?
Hetzner operates data centers in Germany (Nuremberg, Falkenstein) and Finland (Helsinki), all within EU jurisdiction; it also offers US and Singapore locations, so choose an EU location explicitly. They are ISO 27001 certified, provide a GDPR processor agreement, and are significantly cheaper than AWS or Azure for equivalent compute.
What if I need to use Claude or GPT-4 instead of Ollama?
You can use cloud LLMs, but you must implement data minimization (don't send more than necessary), have DPAs (Data Processing Agreements) with Anthropic/OpenAI, rely on a valid Chapter V transfer mechanism (adequacy decision or SCCs), and inform your users. Consult a GDPR specialist for your specific situation.
How much does a GDPR-compliant OpenClaw setup cost?
Hetzner CX21 server: ~€6/month. CX31 (for Ollama): ~€16/month. OpenClaw itself is free. Total infrastructure cost: €6-16/month plus implementation time.
Tags: openclaw GDPR Hetzner self-hosted europe data sovereignty luxembourg privacy
