Workshop · Intermediate

Private Agents — Zero-Retention + Dedicated Endpoints

Your Data Never Leaves. Your Endpoints Never Share. Your Agents Stay Private.

Deploy OpenClaw on Nebius Serverless and connect it to dedicated Token Factory endpoints with zero data retention. Your prompts and documents are never stored at rest. Optional dedicated endpoints give you isolation and stable latency for sensitive workloads — legal, finance, healthcare, HR.

Who This Is For

Teams handling sensitive data, compliance-focused orgs, regulated industries

Key Value

Zero-retention inference with dedicated endpoints for data isolation

You'll Say

"Our legal team approved this in one meeting — zero retention plus dedicated endpoints was exactly what they needed"

What You'll Build

  1. A private OpenClaw agent on Nebius Serverless processing confidential documents
  2. Dedicated Token Factory endpoints with zero data retention enabled
  3. An end-to-end workflow where no data is stored at rest at any point

What We'll Cover

  • Zero-retention inference: what it means, how it works, what guarantees you get
  • Dedicated vs. shared endpoints: isolation, latency stability, and compliance tradeoffs
  • Deploying OpenClaw on Serverless with private networking
  • Processing sensitive documents: contracts, medical records, financial reports
  • Audit logging and compliance documentation for your security team
  • Cost model for dedicated endpoints vs. shared infrastructure

Schedule

12:00 PM – 12:30 PM

Zero-Retention Architecture Deep Dive

How zero retention works at the infrastructure level and what guarantees you get

  • What 'zero retention' means: prompts and responses are never stored at rest
  • Dedicated endpoints: your own isolated inference infrastructure
  • Compliance landscape: HIPAA, SOC 2, GDPR — what this architecture enables

12:30 PM – 1:15 PM

Hands-On: Deploy a Private Agent Stack

Deploy OpenClaw on Serverless with dedicated Token Factory endpoints

  • Deploy OpenClaw on Nebius Serverless with private networking
  • Create a dedicated Token Factory endpoint with zero retention enabled
  • Configure OpenClaw to route all inference through your dedicated endpoint
  • Verify data isolation with request tracing

1:15 PM – 2:00 PM

Process Sensitive Documents

Build a workflow that processes private documents end-to-end

  • Feed contracts, medical records, or financial reports to your agent
  • Build extraction and summarization pipelines
  • Verify zero retention: confirm no data persists after processing
  • Add audit logging for compliance documentation

2:00 PM – 2:30 PM

Compliance Review & Production Planning

Architecture review, cost analysis, and getting your security team on board

  • Walk through the architecture diagram with a security lens
  • Cost model: dedicated endpoints vs. shared, scaling considerations
  • Common questions from security and compliance teams (and how to answer them)
  • Q&A and next steps for production rollout

Prerequisites

  • Laptop with a browser and terminal access
  • A Nebius AI Cloud account (we'll help you set one up if needed)
  • Familiarity with basic CLI tools and REST APIs

You'll Leave With

  • A private agent processing documents with zero data retention
  • Dedicated Token Factory endpoints configured for your project
  • A compliance-ready architecture diagram for your security team
  • CLI scripts to deploy and manage private agents
  • Cost estimates for dedicated vs. shared endpoint configurations

Step-by-Step Guide

Follow these steps during the workshop. Each step includes commands you can copy, tips from our mentors, and a checkpoint to verify before moving on.

Step 1 (~5 min)

Install the Nebius CLI

Install and configure the Nebius AI Cloud CLI for managing serverless endpoints and dedicated infrastructure.

Instructions

  1. Download and install the Nebius CLI
  2. Authenticate with your Nebius account
  3. Verify your project and tenant configuration

Commands

# Install Nebius CLI
curl -sSL https://storage.eu-north1.nebius.cloud/cli/install.sh | bash
# Login
nebius auth login
# Verify config
cat ~/.nebius/config.yaml

Checkpoint

Running 'nebius iam whoami' returns your user info without errors.

Step 2 (~5 min)

Set Up Private Networking

Configure a VPC network and subnet for your private agent deployment. This keeps your traffic off the public internet.

Instructions

  1. List existing networks or create a new one for your private agent
  2. Get the subnet ID for endpoint deployment
  3. Note the network ID for later use

Commands

# List networks
nebius vpc network list
# Get subnet ID
export SUBNET_ID=$(nebius vpc subnet get-by-name \
  --name default-subnet --format jsonpath='{.metadata.id}')
echo "$SUBNET_ID"

Checkpoint

You have SUBNET_ID exported and ready for deployment.

Step 3 (~10 min)

Deploy OpenClaw on Serverless

Deploy the OpenClaw agent on a Nebius Serverless endpoint. CPU-only — the agent orchestrator doesn't need a GPU.

Instructions

  1. Generate secure credentials for your endpoint
  2. Create the serverless endpoint with the OpenClaw container
  3. Wait for the endpoint to become active (~30 seconds)
  4. Retrieve the endpoint IP

Commands

# Generate credentials
export AUTH_TOKEN=$(openssl rand -hex 32)
# Deploy OpenClaw (replace the <...> placeholders with your own IDs)
nebius msp serverless v1alpha1 endpoint create \
  --name openclaw-private \
  --container-image openclaw:latest \
  --container-template-resources-platform cpu-d3 \
  --container-template-resources-preset 4vcpu-16gb \
  --port 8080 \
  --username admin \
  --password "$AUTH_TOKEN" \
  --network-id "<your-network-id>" \
  --parent-id "<your-project-id>"
# Get endpoint info
export ENDPOINT_ID=$(nebius msp serverless v1alpha1 endpoint get-by-name \
  --name openclaw-private --format jsonpath='{.metadata.id}')

Tips

For production, consider disabling --public and using private networking only

Checkpoint

Your OpenClaw endpoint is active and responding to health checks.

Step 4 (~10 min)

Create a Dedicated Token Factory Endpoint

Set up a dedicated Token Factory endpoint with zero data retention. This gives you isolated inference — your prompts never touch shared infrastructure.

Instructions

  1. Navigate to Token Factory in the Nebius console
  2. Create a dedicated endpoint (not shared) with zero retention enabled
  3. Generate an API key scoped to your dedicated endpoint
  4. Configure OpenClaw to use this endpoint for all inference

Commands

# Set your dedicated TF endpoint (replace the <...> placeholders)
export TF_API_KEY="<your-dedicated-tf-api-key>"
export TF_ENDPOINT="https://<your-dedicated-endpoint>.nebius.com"
# Test zero-retention endpoint
curl "$TF_ENDPOINT/v1/chat/completions" \
  -H "Authorization: Bearer $TF_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "model": "meta-llama/Meta-Llama-3.1-70B-Instruct",
    "messages": [{"role": "user", "content": "Test message - verify zero retention"}],
    "max_tokens": 50
  }'

Tips

Dedicated endpoints have stable latency because you're not sharing capacity with other users
Zero retention means your prompts and responses are never written to disk — they exist only in memory during processing

Checkpoint

Your dedicated endpoint returns completions and you've confirmed zero-retention is enabled in the console.

Step 5 (~15 min)

Build a Private Document Pipeline

Create an agent workflow that processes sensitive documents — contracts, medical records, or financial reports — with full privacy guarantees.

Instructions

  1. Choose a document type: legal contracts, medical records, or financial reports
  2. Configure the agent to extract key information from documents
  3. Process sample documents through the pipeline
  4. Verify that no data persists after processing

Tips

Use the sample documents we provide, or bring your own (redacted) examples
The extraction pipeline is the same regardless of document type — the prompts change, not the architecture

Checkpoint

Your agent processes 3 sample documents and returns accurate extractions. No data remains on the endpoint after processing.

Step 6 (~10 min)

Add Audit Logging

Set up audit logging so your security team can verify what happened without seeing the actual data.

Instructions

  1. Enable structured logging on your OpenClaw endpoint
  2. Configure log entries to include request IDs, timestamps, and operations — but not document contents
  3. View logs through the Nebius CLI
  4. Export a sample audit log for your compliance team

Commands

# View endpoint logs
nebius msp serverless v1alpha1 endpoint logs "$ENDPOINT_ID"
# Check endpoint status and uptime
nebius msp serverless v1alpha1 endpoint get "$ENDPOINT_ID"

Tips

Good audit logs answer 'who did what when' without revealing 'what was in the document'

Checkpoint

You can pull audit logs that show processing activity without exposing document contents.
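
One way to build and check the audit entries described in this step, as an added example that is not part of the workshop materials or OpenClaw's own code. The field names, the function names audit_record and check_export, and the JSON-lines export format are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import uuid
from datetime import datetime, timezone

# Assumed audit schema (hypothetical, not OpenClaw's): no field carries content.
ALLOWED_FIELDS = {"request_id", "timestamp", "actor", "operation",
                  "status", "doc_digest", "doc_bytes"}

def audit_record(actor, operation, document, status, digest_key):
    """Build a 'who did what when' record that never embeds the document."""
    # A keyed digest lets auditors correlate requests on the same document,
    # while short or predictable contents cannot be guessed from a bare hash.
    digest = hmac.new(digest_key, document, hashlib.sha256).hexdigest()
    return {"request_id": str(uuid.uuid4()),
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "actor": actor, "operation": operation, "status": status,
            "doc_digest": digest, "doc_bytes": len(document)}

def check_export(lines, known_snippets=()):
    """Return (line_no, problem) pairs for an exported JSON-lines audit log."""
    problems = []
    for n, line in enumerate(lines, 1):
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            entry = None
        if not isinstance(entry, dict):
            problems.append((n, "not a JSON object"))
            continue
        extra = sorted(set(entry) - ALLOWED_FIELDS)
        if extra:
            problems.append((n, "unexpected fields: " + ", ".join(extra)))
        # Canary check: text known to be in the test documents must not appear.
        if any(s in str(v) for v in entry.values() for s in known_snippets):
            problems.append((n, "document text present in log entry"))
    return problems

# Constructed sample data: one clean entry, one leaking entry, one stray line.
KEY = b"constructed-demo-key"
DOC = b"CONFIDENTIAL: indemnification capped at USD 2,000,000"
good = json.dumps(audit_record("analyst-1", "extract_clauses", DOC, "ok", KEY))
bad = json.dumps({"request_id": "r-2", "operation": "summarize",
                  "prompt": DOC.decode()})
SAMPLE_EXPORT = [good, bad, "plain text line"]

if __name__ == "__main__":
    for line_no, problem in check_export(SAMPLE_EXPORT, ["indemnification capped"]):
        print(f"line {line_no}: {problem}")
```

Run check_export over the sample log you export for the compliance team, passing phrases from your test documents as known_snippets, and keep the digest key out of the log store.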

Step 7 (~10 min)

Architecture Review & Compliance Prep

Document your architecture for your security team and plan the production rollout.

Instructions

  1. Review the architecture: Serverless (CPU) → Dedicated TF Endpoint (zero retention) → no persistent storage
  2. Document the data flow for your compliance team
  3. Calculate costs for dedicated endpoints at your expected volume
  4. Save your deployment scripts for repeatable production deployments

Tips

The key selling point for compliance: data is never stored at rest, inference happens on dedicated hardware, and you have full audit logs
Most compliance teams approve this architecture quickly because the guarantees are infrastructure-level, not policy-level

Checkpoint

You have a compliance-ready architecture doc, cost estimates, and a deploy script for production.

Ready to Build?

RSVP required. Spots are limited since we provide hands-on support for every attendee.