What data does Unimus collect from local instances?

General discussion of anything Unimus
Post Reply
User avatar
Tomas
Posts: 1206
Joined: Sat Jun 25, 2016 12:33 pm

Thu Jan 07, 2021 4:22 pm

Recently, we have received multiple requests / questions to clarify what data we (NetCore j.s.a.) collect from local (your) Unimus instances. Due to the recent events in the industry, and since Unimus requires a connection to our Licensing Server, we wanted to provide an official statement on what data is being sent to our Licensing Server.

We have always been transparent about this (there are multiple older forum threads on this topic), but in keeping with our full transparency policy, I wanted to post a single central thread that clarifies this.

Q1: Do you collect credentials, or any other sensitive data from local Unimus instances?
A: No, we have never collected, and we do not plan to collect any sensitive data (such as credentials, usernames/passwords or anything similar) from local Unimus instances.

Q2: Do you collect Backups or Config Push presets or any other data retrieved from devices in Unimus instances?
A: No, we have never collected, and we do not plan to collect Backups or Config Push presets / settings from local instances. We also do not collect, and we do not plan to collect any data retrieved from devices in Unimus.

Q3: Do you collect any statistical data or metadata from Unimus instances?
A: No, we do not currently collect any statistical data or metadata from Unimus instances. We do plan to implement statistics collection, but this will be opt-in and disabled by default.

Q4: Do you collect any data from local Unimus instances?
A: Yes, we collect licensing data from all Unimus instances.

Q5: What licensing data is being collected?
A: Device addresses and internal UUIDs. Zone names, numbers, default flags, proxy types and internal UUIDs. All internal UUIDs are randomly generated and do not hold any user data.

Q6: Are any data about my devices (such as vendor, model, type, or anything else) being collected?
A: No, we do not collect any data from your devices other than the device address and it's internal UUID. As mentioned in the answer to Q2, we do not collect any data that Unimus retrieves from your devices.

Q7: Are zone access keys or descriptions being collected?
A: No, as mentioned in the answer to Q1, we do not collect any sensitive data from Unimus instances. We also do not collect zone descriptions, we only collect the data as specified in the answer to Q5.

Q8: Why do you collect this (licensing) data?
A: We send basic information to our licensing server from Unimus for license validation purposes. We do this to track the use of the license keys, validate your license and to provide device and zone synchronization between multiple Unimus instances using the same license key for HA.

Q9: Do you share the licensing data with any 3rd parties?
A: No, we do not share nor sell this data to any 3rd parties. The licensing data it utilized solely by us and only for licensing purposes.

Hopefully this thread answers what we do and do not collect (what data is being sent to our Licensing Server). If you have any questions or would like more information about anything related to this topic, please feel free to ask!
dahook
Posts: 10
Joined: Fri Sep 23, 2022 1:09 pm

Sun Feb 19, 2023 2:40 pm

Thank you for providing this information. I do however need a clarification on Q5/Q7.

"Device addresses and internal UUIDs. Zone names, numbers, default flags, proxy types and internal UUIDs".

Does this mean that if I use a customer name as a zone name your licensing server will see that name? Will it also see the correlation between device address and which zone it belongs to?

We are thinking about a heavy use of zones where we use Docker containers for each customer. This is for several reasons, for example handling security/routing, overlapping addresses and maintainability inside Unimus GUI. Unimus does not (yet?) provide a good way to easily search/filter on tags and/or notes in the device view.

As long as IP addresses are RFC1918 I don't see an issue, but whenever the IP address is public, and can be found in public whois databases, we expose unnecessary information.

Further, we don't always have DNS names for devices, which complicates overlapping address spaces. The workaround I see there is to create DNS zones for customer devices and use those names instead of IP addresses in Unimus. That would also provide a way to filter based on customers inside unimus, but it would also mean that if we use a descriptive name for the DNS zone we would expose information that we need to keep confidential.

We have the unlimited license. Could air-gapping our installations be an option for us? Is it possible to use zones with the air-gapped license? I get the feeling when I read the docs that is is only for standalone servers but maybe that is a misunderstanding on my part. Our requirement is to have a central Unimus installation for most customers, and several standalone, customer unique installations for customers with a higher security requirement. My questions here is primarily related to the central multi-customer instance, which today is using the online licensing.
User avatar
Tomas
Posts: 1206
Joined: Sat Jun 25, 2016 12:33 pm

Mon Feb 20, 2023 4:18 pm

dahook wrote:
Sun Feb 19, 2023 2:40 pm
Device addresses and internal UUIDs. Zone names, numbers, default flags, proxy types and internal UUIDs
Does this mean that if I use a customer name as a zone name your licensing server will see that name? Will it also see the correlation between device address and which zone it belongs to?
Yes, Zone names are sent to our Licensing Server. If this is an issue in your environment, you can put the data into the Zone Description, which is not sent to the Licensing Server. Also a yes on the Licensing Server knowing which device belongs to which Zone - this is necessary for the Licensing Server to be able to issue a license seat to a device when adding it.
dahook wrote:
Sun Feb 19, 2023 2:40 pm
We have the unlimited license. Could air-gapping our installations be an option for us? Is it possible to use zones with the air-gapped license? I get the feeling when I read the docs that is is only for standalone servers but maybe that is a misunderstanding on my part.
Yes, with an Unlimited License you can indeed use an air-gapped (Offline Mode) deploy. This will fully work with Zones and Remote Cores. Cores never need communication to anything else than your Unimus Server in the first place. This entire licensing documentation only applies to the Unimus Server, as the server is what communicates with our Licensing Server.
dahook
Posts: 10
Joined: Fri Sep 23, 2022 1:09 pm

Mon Feb 20, 2023 5:33 pm

Thank You, that fully answers my questions. Using description fields for the zones is indeed an option, but as we also have the option to use Offline Mode we might go with that. I really appreciate your ability to answer questions both fast and right on point :-)
Post Reply