Security & Privacy

Your diagnostic data contains sensitive server configurations, IP addresses, and system internals. Here is exactly how we handle it — with full transparency.

  • Zero External Calls: No data leaves the server
  • Auto-Delete: Reports expire after 7 days
  • No IP Tracking: IPs are SHA-256 hashed
  • Encrypted at Rest: AES-128 Fernet encryption

Data Lifecycle

When you upload a diagnostic archive, here is exactly what happens:

| Stage | What Happens | Duration |
|---|---|---|
| Upload | Archive saved to temporary storage on the server | Seconds |
| Analysis | Archive is extracted, parsed across 13 diagnostic categories, and a structured report is generated | 10–60 seconds |
| Archive Deletion | The uploaded archive is permanently deleted immediately after analysis completes (even if analysis fails) | Immediate |
| Report Storage | The parsed report (JSON) is stored for you to access the dashboard and export PDFs | 7 days (configurable) |
| Auto-Cleanup | Reports are automatically deleted after the TTL expires. No manual action required. | Automatic |

Zero External Network Calls

The application makes absolutely zero outbound HTTP requests. This is verifiable:

  • No HTTP client libraries — The codebase does not import requests, urllib, httpx, or any HTTP client
  • No analytics SDKs — No Google Analytics, Mixpanel, Segment, or any third-party tracking
  • No telemetry — No usage data, crash reports, or diagnostics sent anywhere
  • Self-hosted assets — Bootstrap CSS, JavaScript, and icon fonts are served locally from the server — no CDN requests
  • Firewall-enforced — Production server firewall (UFW) is configured with default deny outgoing, blocking all outbound connections except DNS, apt updates, and NTP
Verify it yourself: Run ss -tunp | grep -v '127.0.0.1' on the hosting server during an upload — you will see only inbound nginx connections, zero outbound from the application.
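
A static counterpart to the first bullet above, as an added example that is not the project's own code: it parses Python source with ast and reports imports of the HTTP client modules this page names. The extra module names in BANNED beyond requests, urllib and httpx, the function names, and the sample source are assumptions of this example.

```python
import ast
from pathlib import Path

# First three names come from the page; the rest are this example's assumption
# about other modules that can open outbound connections.
BANNED = {"requests", "urllib", "httpx", "http.client", "urllib3", "aiohttp", "socket"}

# Constructed sample source (not taken from the project).
SAMPLE = '''import os, json
from flask import Flask
import urllib.request
from http import client
import importlib
mod = importlib.import_module("httpx")
'''

def is_banned(module):
    return any(module == b or module.startswith(b + ".") for b in BANNED)

def find_network_imports(source, filename="<string>"):
    """Return sorted (line, module) pairs for each banned import in source."""
    hits = set()
    for node in ast.walk(ast.parse(source, filename)):
        if isinstance(node, ast.Import):
            names = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom) and node.level == 0 and node.module:
            # "from http import client" has to be seen as http.client
            names = ([node.module] if is_banned(node.module)
                     else [f"{node.module}.{a.name}" for a in node.names])
        elif (isinstance(node, ast.Call) and node.args
              and isinstance(getattr(node.args[0], "value", None), str)
              and getattr(node.func, "id", getattr(node.func, "attr", ""))
              in ("__import__", "import_module")):
            names = [node.args[0].value]  # dynamic import with a literal name
        else:
            continue
        hits.update((node.lineno, n) for n in names if is_banned(n))
    return sorted(hits)

def scan_tree(root):
    """Audit every .py file under root; return {path: hits} for offending files."""
    report = {}
    for path in sorted(Path(root).rglob("*.py")):
        hits = find_network_imports(path.read_text(encoding="utf-8"), str(path))
        if hits:
            report[str(path)] = hits
    return report
```

An empty result from scan_tree on the application directory supports the import claim only; it does not see imports made by dependencies or module names built at runtime, so the ss check and the firewall policy remain the runtime evidence.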

Privacy Protections

  • IP Anonymization — Visitor IP addresses are hashed with SHA-256 before storage. We cannot reverse the hash to recover your IP address. Only a 16-character hash prefix is stored for unique visitor counting.
  • No Cookies for Tracking — We use a minimal Flask session cookie for report history only. No advertising, tracking, or third-party cookies.
  • No User Accounts — No registration, no login, no personal data collection beyond optional email for exports.
  • Email Collection — Emails are requested only for PDF/Excel exports. They are stored with anonymized IPs and are never shared with third parties.
  • Report Access — Reports are accessible via unique UUID links. UUIDs are cryptographically random and effectively unguessable (2^122 combinations).

Encryption

  • In Transit — All traffic is encrypted via TLS 1.2/1.3 (Let’s Encrypt certificate, nginx SSL termination)
  • At Rest — When configured, all stored data (reports, analytics, leads) is encrypted using Fernet symmetric encryption (AES-128-CBC + HMAC-SHA256). The encryption key is stored as an environment variable, never in code.
  • Archive Handling — Uploaded archives are processed in-memory where possible and deleted from disk immediately after analysis

Architecture Security

Application Layer
  • Python 3.12 with Flask (minimal attack surface)
  • No database — file-based storage only
  • Rate limiting (configurable daily upload limits per IP)
  • File extension whitelisting and size limits (500MB max)
  • Input sanitization on filenames and paths
Infrastructure Layer
  • Hetzner VPS (EU data center, GDPR compliant)
  • UFW firewall: deny-all outbound (except DNS/apt/NTP)
  • nginx reverse proxy with SSL termination
  • Gunicorn WSGI with worker recycling (500 req max)
  • Non-root process execution (Docker: appuser)

Enterprise Deployment

For organizations that require on-premises deployment, the Linux Diagnostic Analyzer can be self-hosted:

  • Docker Image — Deploy behind your own firewall with docker-compose up
  • Air-Gapped Support — All assets are self-hosted, no internet access required after deployment
  • Custom TTL — Set REPORT_TTL_DAYS to control data retention (default: 7 days)
  • Encryption Key — Provide your own ENCRYPTION_KEY for at-rest encryption
  • Rate Limits — Configure DAILY_UPLOAD_LIMIT per your usage requirements
For enterprise licensing and support, contact linuxdiag.support@gmail.com

Your Data, Your Control

We built this tool to solve a real problem for SREs. We handle your data the way we would want ours handled — with minimal collection, maximum protection, and full transparency.
