Skip to content

Privacy & Connections

TraceWall Desktop is designed for local-first operation. This page documents what data leaves your machine, when, and why.

Core Principle

Telemetry never leaves your workstation unless you explicitly configure an outbound integration.

  • Local sensor data (host state, interfaces, ARP, routing, processes) stays in the local SQLite database.
  • ARGUS inference runs 100% locally via loopback — no prompts, context, or model outputs are transmitted.
  • Event buffer, Exposure Intelligence results, and Network Topology are computed and stored locally.

Outbound Connections

FeatureTriggerDestinationData SentUser Control
Public IP detectionExposure Intelligence: “Internet-facing” profile runhttps://api.ipify.org (or configured alternative)HTTPS GET — returns only the public IP addressDisable “Internet-facing” profile or set custom endpoint in Settings → Exposure Intelligence
Integration pollingConfigured per integration (FortiGate, Palo Alto, Wazuh, Zabbix, SNMP, Syslog)Target device / collector APIRead-only API calls (config, logs, metrics) — no credentials leave DesktopDisable or remove integration
ARGUS model downloadFirst launch if model not bundled (future releases will bundle)https://huggingface.co / CDNModel weights (GGUF, ~4–8 GB)Pre-bundle model in installer (planned); or place model manually in %LOCALAPPDATA%\TraceWall\models
Update checkAutomatic (configurable)https://download.trace-wall.comVersion manifest (JSON) — no system infoDisable in Settings → Updates

What Is Never Sent

  • Raw packet captures, process lists, file system scans
  • Local event buffer contents (SIEM tab)
  • Exposure Intelligence findings (CVE matches, open ports, TLS certs)
  • Network Topology graph data
  • ARGUS prompts, tool calls, or generated briefs
  • Local SQLite database
  • Credentials for integrations (stored encrypted locally via DPAPI / libsecret)

ARGUS Local AI — Privacy Details

  • Model: Quantized LLM (GGUF format), runs via llama.cpp server on 127.0.0.1:<random-port>
  • Tools: Read-only — get_interface_status, query_events, search_assets, get_exposure_findings, get_topology
  • Context window: Limited to relevant local data slices (max ~4k tokens per request)
  • Logging: Tool calls and responses logged locally at DEBUG level only; not uploaded
  • Telemetry: Zero. No usage analytics, no prompt logging to external systems.

Local Data Storage

DataLocation (Windows)Location (Linux)Retention
Application config%APPDATA%\TraceWall\config.json~/.config/tracewall/config.jsonUntil uninstall
Local database (telemetry, events, assets)%LOCALAPPDATA%\TraceWall\tracewall.db~/.local/share/tracewall/tracewall.dbConfigurable (default 30 days)
Logs%LOCALAPPDATA%\TraceWall\logs\~/.local/share/tracewall/logs/Rotating (default 7 days, 50 MB)
ARGUS model cache%LOCALAPPDATA%\TraceWall\models\~/.local/share/tracewall/models/Until manually removed
Integration credentials (encrypted)DPAPI (per-user)libsecret (keyring)Until integration removed

Controlling Outbound Traffic

Firewall Rules (Example)

Terminal window
# Allow only specific endpoints if needed
New-NetFirewallRule -DisplayName "TraceWall Public IP Detection" -Direction Outbound -RemoteAddress api.ipify.org -Protocol TCP -RemotePort 443 -Action Allow
# Block all other TraceWall outbound (defense-in-depth)
New-NetFirewallRule -DisplayName "TraceWall Block Other" -Direction Outbound -Program "%LOCALAPPDATA%\TraceWall\TraceWall.exe" -Action Block

Proxy Configuration

Desktop respects system proxy (WinHTTP on Windows, http_proxy/https_proxy env vars on Linux). Integration traffic to managed infrastructure does not route through proxy (uses direct sockets).

Air-Gapped Environments

  • Install via offline .exe / .deb
  • Disable “Internet-facing” Exposure profile
  • Place ARGUS model manually in models/ directory
  • All features except public IP detection work fully offline