Privacy Policy — TLSStress.Art¶

Read in your language: English · Português · Español

Scope status (post-Scope-Freeze 2026-05-10) — See ARCHITECTURE.md for the canonical 37 MÓDULOs + 7 Test Kinds + DOM/CPOS/PIE-PA safety architecture. ADRs 0014, 0019-0025 cover post-Freeze additions.

Effective date: 2026-05-06 Version: see dashboard/src/lib/license-versions.ts constant PRIVACY_POLICY_VERSION. The version is bumped whenever this document is materially changed; users are required to re-acknowledge the new version before continuing to use the Dashboard.

This document describes what personal data the TLSStress.Art Dashboard collects, why, where it is stored, and the operator's choices. It is the plain-language complement to the LICENSE (Appendix A: Use Restrictions) and the USAGE_POLICY.md.

Summary in one sentence: the only personal data collected is what the operator explicitly enters into the License Acceptance Modal at first login (role + Cisco CCO email) plus disclosed request metadata (IP, User-Agent, locale, timestamp). Everything is stored locally in the Dashboard's PostgreSQL database. Nothing is transmitted to third parties unless the operator explicitly opts in to optional telemetry.

What is collected¶

When you accept the licence on first login (or after a licence-version bump), the Dashboard records a single row in the audit_license_acceptance table:

Field	Source	Why
`session_user`	The Dashboard session cookie (`agentcluster_session`), HMAC-signed, contains the username supplied at login	Lets the system know whether THIS user has accepted the current licence version
`role`	Radio button you selected: `cisco_employee` or `cisco_partner`	Required by Appendix A of the LICENSE — the audience policy
`declared_email`	The CCO email you typed in the modal (lowercased)	Audience policy enforcement; used to contact you about authorisation requests
`declared_email_raw`	Same email with original casing preserved	For accuracy when displaying back to you
`license_version`	A constant in `dashboard/src/lib/license-versions.ts`	Lets the system require re-acceptance when the LICENSE text changes
`usage_policy_version`	Same	Same
`privacy_policy_version`	Same	Same
`telemetry_consent`	Optional checkbox — defaults to false	Records whether you explicitly opted into the future opt-in telemetry endpoint (NOT yet active)
`client_ip`	The HTTP `X-Forwarded-For` header (or `X-Real-IP` fallback) of the request that submitted the form	Audit trail of who accepted from where
`user_agent`	The HTTP `User-Agent` header	Audit trail of the browser used
`accept_language`	The HTTP `Accept-Language` header	Records which locale the modal was displayed in (so we know which translation of the policy you actually saw)
`accepted_at`	Server timestamp at the moment of submission	Audit trail of when

These exact fields are listed verbatim in the modal before you submit. There is no covert collection. The list shown to the user IS the schema.

What is NOT collected¶

We do not collect your browser fingerprint beyond the standard HTTP User-Agent string. There is no canvas fingerprinting, no font enumeration, no WebGL probing.
We do not collect any infrastructure identifiers (UCS serial numbers, NGFW serial numbers, Nexus 9000 serial numbers, MAC addresses, hostnames, or kernel versions) without explicit consent for a future feature that may request it.
We do not collect any metric or event from the Prometheus/Grafana telemetry stack as part of the licence acceptance flow. Those metrics are operational telemetry, governed separately, and never include personally identifying information beyond the username of an authenticated operator who triggered an action.
We do not transmit any data to third-party services for the licence acceptance flow. Specifically, the Dashboard does NOT call analytics services, advertising trackers, error-monitoring SaaS, or external email services.
We do not contact the IP address you connected from outside the scope of serving the Dashboard you are using.

Where data is stored¶

All licence-acceptance audit records are stored exclusively in the local PostgreSQL database that the Dashboard provisions in your cluster (web-agents namespace, postgres-0 StatefulSet, table audit_license_acceptance). The PostgreSQL data lives on a PersistentVolume mounted on the same UCS host the database runs on.

The only network destination for licence-acceptance data is the Dashboard's own API endpoint (POST /api/license/acceptance) on the same Kubernetes cluster.

Retention¶

Licence-acceptance records are retained for the lifetime of the Dashboard's database, with no automatic expiry. The records are evidence that operators have agreed to the LICENSE and Appendix A; you should retain them as long as you are using the software for compliance / audit reasons.

To delete a specific record (e.g., a former operator who is no longer authorised), the project owner can run:

DELETE FROM audit_license_acceptance WHERE declared_email = 'name@cisco.com';

To delete ALL records (e.g., before donating the cluster to another team):

TRUNCATE audit_license_acceptance;

After truncation, every operator will be prompted to re-accept on next login — that is the desired behaviour for a clean handover.

Optional telemetry¶

The Dashboard may, in a future version, ship an opt-in telemetry endpoint that allows the licensor (the project author) to receive ANONYMIZED usage statistics — specifically:

The current deployment mode (single / dual / tri / multi)
The number of Synthetic + Cloned personas active
The number of browser-engine + synthetic-load agents active
A salted hash of the cluster's install ID (so we can count distinct installations without identifying which install)

The licence-acceptance modal includes a clearly-labelled, default-off checkbox where you can consent to this transmission. If you do not check the box, no telemetry is sent.

If you check the box and later change your mind:

UPDATE audit_license_acceptance
   SET telemetry_consent = false
 WHERE session_user = 'your-username'
   AND license_version = (SELECT MAX(license_version) FROM audit_license_acceptance);

The telemetry endpoint reads this flag at every transmission attempt; updating to false halts further telemetry within the next polling interval (typically 5 minutes).

The telemetry endpoint is not yet active as of the current version. When it ships, this section will be updated to describe the exact payload, the destination URL, the polling interval, and the cryptographic guarantees.

Your rights¶

Because the Dashboard runs on your cluster (not on a vendor-hosted SaaS), you have full access to and control over all data described in this policy.

Access: query the audit table directly via psql or via the admin-only /admin/audit/license-acceptances page in the Dashboard.
Rectification: update any field directly via SQL.
Erasure: delete rows via SQL.
Portability: dump the table with pg_dump --table audit_license_acceptance for export.
Withdraw consent: see "Optional telemetry" above; the licence acceptance itself cannot be withdrawn while you continue to use the software (because using the software requires accepting the licence), but you can stop using the software at any time.

Lawful basis (where regulations apply)¶

Where applicable (GDPR in the EU, LGPD in Brazil, CCPA in California, similar laws elsewhere):

The lawful basis for collecting role + CCO email is performance of a contract — specifically, the Appendix A audience policy of the LICENSE which restricts use to a defined audience.
The lawful basis for collecting request metadata (IP, User-Agent, locale, timestamp) is legitimate interest in maintaining an audit trail of acceptances, with the disclosed purpose stated above.
The lawful basis for collecting telemetry (when active) is consent, requested via the explicit checkbox.

Contact¶

For privacy-related questions, deletion requests, or to report a violation:

André Luiz Gallon — agallon@Cisco.com

The licensor will respond within a reasonable time (typically within 5 business days for routine requests, immediately for security incidents).

Changes to this policy¶

When this policy changes materially, PRIVACY_POLICY_VERSION in dashboard/src/lib/license-versions.ts is bumped. The Dashboard's licence-acceptance modal will then prompt every operator to re-accept the new version before continuing — you will see exactly what changed in the modal text.

This is intentional: privacy choices should be re-confirmed when the underlying terms change. Silent privacy-policy updates that bind users without their explicit re-consent are not honoured by this project.