Security
Security
Zero data exfiltration — by architecture, not by promise.
Zero Data Exfiltration
PII values never leave your infrastructure. Only counters and metadata transit to the cloud hub.
TLS 1.3
All communication between the agent and cloud hub is encrypted with TLS 1.3. No plaintext transmission.
Read-Only Agent
The agent only issues SELECT queries and read-only API calls. No writes, no deletes, no schema changes.
SHA256 Integrity
Every binary release is signed with SHA256. Verify before running — mismatches abort installation.
GDPR by Design
No data persistence in the cloud after report generation. No analytics, no telemetry, no third-party tracking in the agent.
Native Rust Agent
No interpreter, no server, no dependencies on the client machine. Autonomous packaged binary (PyInstaller + Rust native module).
What Stays vs What Transits
| Stays on your infrastructure | → Transits to the cloud |
|---|---|
| File contents | File count per type |
| Database rows | Table/column names + PII flags |
| Emails, names, IBANs | PII category counters |
| Documents, spreadsheets | Metadata (size, date, permissions) |
| Passwords, tokens | Encryption status (yes/no) |
Binary Integrity Verification
Each release includes a SHA256SUMS.txt file. Verify before running:
Linux
EXPECTED=$(curl -sSL https://aiia-tech.com/download/SHA256SUMS.txt | grep "apollo-agent$" | awk '{print $1}')
ACTUAL=$(sha256sum ./apollo-agent | awk '{print $1}')
[ "$EXPECTED" = "$ACTUAL" ] && echo "OK" || echo "MISMATCH — do not execute"
macOS
EXPECTED=$(curl -sSL https://aiia-tech.com/download/SHA256SUMS.txt | grep "apollo-agent-macos$" | awk '{print $1}')
ACTUAL=$(shasum -a 256 ./apollo-agent-macos | awk '{print $1}')
[ "$EXPECTED" = "$ACTUAL" ] && echo "OK" || echo "MISMATCH — do not execute"
Windows (PowerShell)
$expected = (Invoke-WebRequest https://aiia-tech.com/download/SHA256SUMS.txt).Content `
| Select-String "apollo-agent.exe" | ForEach-Object { $_ -split '\s+' | Select-Object -First 1 }
$actual = (Get-FileHash .\apollo-agent.exe -Algorithm SHA256).Hash.ToLower()
if ($expected -eq $actual) { "OK" } else { "MISMATCH - do not execute" }
How to Verify Yourself
You are encouraged to audit the agent and its network traffic:
# Verify outgoing network connections during a scan # (no connections to undocumented third parties expected) netstat -an | grep ESTABLISHED # Verify no PII data is written to disk during the scan # (only the final report is written to the directory you specify) lsof -p <pid_apollo> | grep REG
No outgoing connections to third parties (analytics, telemetry, advertising) are initiated by the agent.
Responsible Disclosure
Found a security issue? Please report it privately before any public disclosure.
Email: contact@aiia-tech.com
Subject:
We commit to acknowledging within 48h and resolving confirmed issues within 30 days. Public disclosure: 90-day embargo.
Email: contact@aiia-tech.com
Subject:
[SECURITY] APOLLO Data Auditor — <short description>We commit to acknowledging within 48h and resolving confirmed issues within 30 days. Public disclosure: 90-day embargo.
Supported Versions
| Version | Security Support |
|---|---|
1.7.R (current) | ✓ Supported |
| < 1.7 | ✗ Not supported — upgrade required |