Security model

NerdHosting is not a general-purpose cloud platform. It is a restricted execution environment designed specifically for bots and automation.

Threat model

We assume user code may be buggy, malicious, or intentionally hostile. The platform is designed to limit what code can do by default.

Each bot runs in its own isolated sandbox
No filesystem access
No OS or system calls
No binary or compiled code execution
No cross-bot visibility

Secrets & tokens

Bot tokens and environment variables are stored encrypted and injected into the runtime only when the bot executes.

No secrets are logged
No internal dashboards expose user secrets
Secrets are scoped to a single bot sandbox

As with any hosting provider, privileged infrastructure access could theoretically be used to access data. The platform is designed to make such access unnecessary, deliberate, and auditable.

Network access

Bots may make outbound network requests to supported APIs (e.g. Discord, Telegram). Inbound connections and lateral traffic between bots are not permitted.

What we do not claim

We do not inspect bot logic for intent
We cannot prevent a bot from leaking its own token if explicitly programmed to do so
We do not protect users from permissions they grant to third-party platforms

Responsible operation

The platform is actively maintained. Issues are patched quickly when identified, and abuse or policy violations result in suspension.

If you have questions about the security model, contact support.