Effective date: March 27, 2026

Privacy Policy

Desmodus is engineered for high‑assurance analysis. We recognize that the software artifacts you analyze—proprietary code, sensitive firmware, or malicious binaries—are highly sensitive. This Privacy Policy explains how Desmodus handles data when deployed in customer environments and the design choices that prioritize data sovereignty and isolation.

1. Scope and philosophy

Desmodus is designed for on‑premise, bare‑metal, and air‑gapped environments. Unlike cloud AI services, our architecture is built so that analysis data and queries remain under customer control and do not leave the customer's infrastructure unless explicitly configured otherwise.

2. Data we process

All processing described below occurs locally within your deployment by default.

  • Software artifacts: Compiled binaries, JVM bytecode (JAR), Android packages (APK), and other compiled libraries provided by users for analysis.
  • Derived structural data: Call graphs, dependency maps, string tables, control‑flow and program graphs extracted during static analysis.
  • Knowledge graphs: Persistent representations of discovered relationships, subsystems, and semantic metadata.
  • AI interpretations: Model‑generated labels, summaries, and functional descriptions produced by local AI components.
  • Operational metadata: Timestamps, analysis job metadata, and user annotations needed for reproducibility and auditing.

3. Data residency & isolation

  • Local execution by default: Static analysis, graph construction, and AI interpretation run on customer infrastructure (local hardware or private cloud).
  • Air‑gap compatibility: The platform supports operation in physically isolated networks and air‑gapped environments.
  • No default telemetry: Desmodus is shipped with no phone‑home telemetry or third‑party tracking enabled by default.

4. AI models and third‑party services

  • No external inference by default: Desmodus does not send code fragments or analysis artifacts to external AI providers for inference or training unless the deployment is explicitly configured to do so.
  • Local model usage: Where AI interpretation is required, it is performed using local model instances or customer‑managed model endpoints.
  • Structured, auditable outputs: AI components produce constrained, structured outputs that are logged and auditable within the local environment.

5. Purpose of processing

Data is processed to:

  • perform static analysis and program graph construction;
  • discover and label functional subsystems;
  • generate human‑readable summaries and structured outputs to aid analyst workflows;
  • persist insights for incremental analysis and collaboration.

6. Retention and user control

  • User control: As a self‑hosted platform, customers control retention policies, backups, and deletion procedures for all stored artifacts and knowledge graphs.
  • Persistence: Analysis results are stored in a persistent knowledge graph to enable incremental work and reproducibility.

7. Security measures

Desmodus is built with security and compliance in mind. Recommended controls include:

  • deploying on isolated VLANs or bare‑metal hosts for strong network isolation;
  • using host OS or HSM‑backed, NIST‑validated cryptographic modules for storage and key management (FIPS 140‑2 where required);
  • enforcing role‑based access control (RBAC) and strong authentication for user accounts.

8. Regulatory & export considerations

Desmodus provides technical controls to help customers satisfy regulatory requirements:

  • ITAR: Data derived from defense‑related artifacts can be retained entirely within the customer's facility to avoid unauthorized export.
  • FIPS: The platform supports integration with validated cryptographic modules for protecting data at rest.

9. Changes to this policy

As Desmodus evolves beyond v0.1 (for example, to support runtime instrumentation or optional remote services), this policy will be updated. Customers will be informed of material changes to data flows and of the options for remaining in an isolated configuration.

10. Contact

For questions about this Privacy Policy, compliance, or deployment configuration, please refer to the project documentation or contact your organizational representative responsible for Desmodus deployments.