Hybrid tier — regulated industries

Keep your raw telemetry on-prem.

The cloud control plane never sees a byte of your fleet's network data. Only Ed25519-signed digests flow up for billing and fleet health. Built for financial services, healthcare, defence, and the public sector.

On-prem telemetry · Cloud digests only · Your keys, your storage

Data residency

Data residency at a glance

EU/UK customers stay in EU/UK. US and APAC available on request.

Compliance-aligned

  • UK GDPR Art. 44
  • DORA
  • BSI C5
  • NIS2
  • ISO 27001
  • SOC 2 Type II

Why hybrid?

Built for regulated constraints.

Regulated organisations in financial services, healthcare, defence, and the public sector face strict constraints on where network monitoring data may be processed or stored. The Hybrid tier is purpose-built for those constraints.

UK GDPR Art. 44

International data transfer restrictions. Raw device telemetry never leaves your network perimeter — no adequacy decision or SCCs required for the data plane.

DORA (EU 2022/2554)

Operational resilience for the financial sector. The collector is air-gap-capable; a cloud outage does not stop local event capture or log integrity.

BSI C5

Germany's federal information-security catalogue. Customer-managed KMS keys (AWS KMS, Azure Key Vault, or on-prem HSM) satisfy BSI C5 criteria OPS-10 and OPS-11.

NIS2 (EU 2022/2555)

EU cyber-security directive for healthcare and energy operators. Hybrid deployment keeps critical telemetry under Article 21(2)(j) supply-chain controls.

How hybrid works

Four components. One boundary.

Only the last arrow crosses your network perimeter — and it carries only a cryptographically signed aggregate digest, never raw telemetry.

  ┌───────────────────────────────┐
  │  Client app (device)          │
  │  NetInsightPro agent          │
  │  Windows / Linux / Android    │
  └──────────────┬────────────────┘
                 │  raw events (local socket, never leaves device)
                 ▼
  ┌───────────────────────────────┐   ← YOUR NETWORK PERIMETER
  │  Collector container          │
  │  docker-compose / k8s pod     │
  │  Receives + normalises events │
  │  Signs daily digest (Ed25519) │
  └──────┬──────────────┬─────────┘
         │              │
         │ raw events   │ signed digest only
         ▼              ▼
  ┌──────────────┐  ┌───────────────────────────────┐
  │ Customer S3  │  │  NetInsightPro cloud            │
  │ / MinIO      │  │  /collector/digest endpoint     │
  │ (your KMS)   │  │  Billing + fleet health only   │
  └──────────────┘  └───────────────────────────────┘

  ← All data at rest encrypted with YOUR keys →
  ← Cloud sees ONLY signed digests, NOT raw events →

Client app

NetInsightPro agent on each device. Sends raw events over a local encrypted socket to the collector — never to the internet directly.

Collector container

Runs on your infrastructure (single host or k8s). Normalises events, writes to your object store, and produces a daily signed digest.

Customer S3 / MinIO

Raw event storage under your AWS account or on-prem MinIO. Encrypted with your KMS keys — we never hold or request them.

Cloud digest ingest

/collector/digest accepts Ed25519-signed JSON digests only. Used for billing metering and fleet health. Zero raw events in transit.

Capabilities

Split by trust boundary.

Every capability is purposefully placed on the correct side of your network perimeter.

On-prem side: stays inside your perimeter

Local event storage

Raw telemetry written to your S3, Azure Blob, or on-prem MinIO. Encrypted at rest with your KMS keys. Retention period under your control.

Air-gap-capable collector

Collector operates without internet for event capture and local storage. Only the daily digest upload requires outbound connectivity — and can be proxied.

BYOK encryption

Customer-managed keys via AWS KMS, Azure Key Vault, GCP Cloud KMS, or HashiCorp Vault. Key rotation follows your own KMS schedule.

SIEM integration (on-prem)

Forward normalised OCSF events to your on-prem SIEM via syslog-TLS. Splunk, Sentinel, Elastic, Chronicle, and QRadar tested. Data stays inside your perimeter.

Cloud side: digest-only, no raw events

Signed digest ingest

Ed25519-signed daily digests only. Aggregate counters with no PII, no hostnames, no process names. A digest that fails signature verification is rejected.

Fleet health monitoring

Cloud console shows collector last-seen timestamps, digest receipt status, and anomaly-marker trends — all derived from digests, never raw events.

Licence & billing metering

Seat count and usage metering operate from digest data only. Raw device telemetry is never transmitted to or stored in our cloud infrastructure.

Admin console (cloud-side)

Policy distribution, licence provisioning, and fleet health dashboards accessible from the cloud console without requiring VPN into your perimeter.

Same surface, your perimeter

Pro client + admin console — running inside your network.

Every device runs the same Pro client. On Hybrid, the admin console sits in your VPC; raw events never leave your perimeter — cloud sees only Ed25519-signed daily digests.

[Sample console mock-up, not a live control. Pro device view: workstation-001 on macOS 14.5 with per-app bytes_out over the last 24h and an anomaly flag (Cursor, 7.2x bytes-out baseline at 14:23). Enterprise tenant view: TechProf Ltd, 142 / 250 seats, with per-host last-seen time and status.]

Live demo

See the collector in action.

The interactive demo below shows the admin-side and customer-side forwarder / collector flow — the same architecture your deployment runs.

Live demo

How the data actually moves.

Raw events are normalised by your Forwarder/Collector and written to storage you own. Only an Ed25519-signed daily digest ever reaches our cloud — and only in the Hybrid shape.

  • Client devices: laptops · desktops
  • Forwarder/Collector: your VM or k8s
  • Your KMS storage: AWS · Azure · GCP, encrypted at rest
  • SaaS admin (read-only): signed digest only, hash-verified

Your KMS key (AWS KMS / Azure Key Vault / GCP KMS / HashiCorp Vault) — NetInsightPro never sees it.

Forwarder event stream (encrypted)
  • 15:42:03  laptop-7a4c  TCP  184.72.x.x:443  cloud:openai
  • 15:42:04  desk-9b21  UDP  10.0.x.x:53  dns:local
  • 15:42:05  laptop-4f88  TCP  52.216.x.x:443  cloud:s3
  • 15:42:06  kiosk-1d02  TCP  142.250.x.x:443  cloud:google
  • 15:42:07  desk-3e55  TCP  13.107.x.x:443  cloud:m365

Today's daily integrity digest
sha256:7a4c8f...e91b

Ed25519-signed. Verifiable by your auditor against the published collector public key — no cloud round-trip required.

Use cases

Regulated industries, served.

Defence & intelligence

Air-gap-capable collector supports classified networks and disconnected environments. No cloud dependency for telemetry capture. Ed25519 signatures provide tamper evidence for chain-of-custody requirements.

Financial services

DORA and FCA Operational Resilience alignment. Local capture survives cloud outages. Immutable audit log with 7-year retention in your own object store. SIEM forwarding to your existing on-prem SOC.

Healthcare & life sciences

Patient-adjacent devices generate telemetry that cannot leave controlled environments. Hybrid keeps all raw events under your clinical data governance. UK GDPR + NHS Data Security Standard alignment.

Government & public sector

Data sovereignty requirements met natively — no adequacy decisions or SCCs required for the data plane. BSI C5 and NIS2 supply-chain controls supported. On-prem HSM key management via HashiCorp Vault.

Security & data residency

What is in a digest?

Each daily digest is a compact JSON document signed with the collector's Ed25519 key. It contains only aggregate counters — no PII, no hostnames, no process names.

Digest schema: fields, types, and PII status

Field            Type      Description                                            Contains PII?
---------------  --------  -----------------------------------------------------  -------------
event_count      integer   Total events captured in the 24-hour window            No
bytes_up         integer   Total bytes uploaded across all devices                No
bytes_down       integer   Total bytes downloaded across all devices              No
top_providers    string[]  Top 5 cloud provider labels (e.g. AWS, GCP) — no IPs   No
anomaly_markers  integer   Count of EWMA anomaly triggers in the window           No
tenant_id        uuid      Your tenant identifier (opaque to us for correlation)  No
date             ISO 8601  UTC date of the digest period                          No
signature        Ed25519   Collector private key signature over the above fields  No

No host identifiers, IP addresses, process names, usernames, or application payloads appear in any digest. The digest schema is versioned; breaking changes require a collector upgrade with advance notice.
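
An auditor-side check for the digest described above, and for the offline verification against the published collector public key mentioned under the live demo, as an added example (not NetInsightPro's code). The base64 signature encoding, the signed-byte layout (compact JSON of the other fields in table order) and the `Sign`/`Verify` names are assumptions, since the page gives only the field list and the Ed25519 algorithm; the key and sample digest are constructed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Digest mirrors the schema table. ASSUMED (not on the page): base64 signature
// text; signed bytes = compact JSON of the other fields in table order.
type Digest struct {
	EventCount     uint64   `json:"event_count"`
	BytesUp        uint64   `json:"bytes_up"`
	BytesDown      uint64   `json:"bytes_down"`
	TopProviders   []string `json:"top_providers"`
	AnomalyMarkers uint64   `json:"anomaly_markers"`
	TenantID       string   `json:"tenant_id"`
	Date           string   `json:"date"`
	Signature      string   `json:"signature,omitempty"`
}
// Sign produces the wire JSON for a constructed sample digest.
func Sign(d Digest, priv ed25519.PrivateKey) []byte {
	d.Signature = ""
	msg, _ := json.Marshal(d)
	d.Signature = base64.StdEncoding.EncodeToString(ed25519.Sign(priv, msg))
	out, _ := json.Marshal(d)
	return out
}
// Verify rejects fields outside the schema and >5 providers, then checks the signature.
func Verify(raw []byte, pub ed25519.PublicKey) error {
	var d Digest
	dec := json.NewDecoder(bytes.NewReader(raw))
	dec.DisallowUnknownFields() // an extra key is where a hostname or user could hide
	if err := dec.Decode(&d); err != nil || len(d.TopProviders) > 5 {
		return fmt.Errorf("schema violation: %v", err)
	}
	sig, _ := base64.StdEncoding.DecodeString(d.Signature)
	d.Signature = ""
	msg, _ := json.Marshal(d)
	if len(sig) != ed25519.SignatureSize || !ed25519.Verify(pub, msg, sig) {
		return fmt.Errorf("signature mismatch: digest altered or wrong key")
	}
	return nil
}
func main() {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{7}, 32)) // constructed key
	fmt.Println("error:", Verify(Sign(Digest{EventCount: 1200, Date: "2026-01-01"}, priv), priv.Public().(ed25519.PublicKey)))
}
```

Rejecting unknown fields turns the "no PII" schema claim into something the receiver enforces rather than trusts: a digest carrying any key outside the table fails before the signature is even checked.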

Deployment shapes

Three shapes. One collector binary.

All three encrypt data at rest with customer-managed keys. Keys never leave your account.

Your VM — docker-compose

Fastest to deploy

One VM or bare-metal server in your environment runs the collector and a local object store. Suitable for smaller regulated fleets or proof-of-concept.

docker-compose.yml provided. Secrets injected via environment variables. TLS termination via your reverse proxy. Collector image signed for supply-chain verification.

Your Kubernetes — Helm chart

Production recommended

Collector deployed as a Deployment + Service inside your cluster. Persistent storage via a StorageClass backed by your CSI provider.

Helm chart hosted in our signed OCI registry. Values file covers replica count, resource limits, KMS provider (your choice — AWS, Azure, GCP, or HashiCorp Vault), and digest endpoint URL. Works with Istio or Cilium service mesh.

Your AWS account — Terraform module

Customer-cloud native

Bootstraps an object-store bucket with SSE + your KMS CMK, IAM role for the collector, and a container task definition — all inside your AWS account.

You retain key administrator role. Bucket policy denies all access without matching KMS grant. Module output exports bucket and task role ARNs for your own CI/CD pipeline. NetInsightPro never receives credentials.

Compliance evidence

Ready for your procurement team.

The following artefacts are available to qualified procurement leads under NDA. Typical turnaround is two business days.

  • Master Services Agreement (MSA) with Hybrid data-plane addendum
  • Data Processing Agreement (DPA) — GDPR Art. 28 compliant, EU and UK variants
  • SIG-Lite / CAIQ vendor questionnaire (pre-filled)
  • ISO 27001 control cross-walk (Annex A)
  • SOC 2 Type II report (available Q3 2026; bridge letter on request)
  • Penetration test executive summary (annual, external firm)
  • Ed25519 public key bundle for digest signature verification

FAQ

Hybrid questions answered

More questions? Email enterprise sales or request DPA / MSA templates.

Ready to get a hybrid quote?

Hybrid tier is sales-quoted based on fleet size, deployment shape, and support SLA. Our sales engineers can arrange a technical deep-dive call with your security and ops teams.

Or email direct: sales@netinsightpro.com

NetInsightPro

See which apps are sending your data — and stop the ones you don't trust. Local-only, per-app, on the devices you already own.

TechProf Ltd
Suite 27 Chessington Business Centre
Cox Lane, Chessington
Surrey KT9 1SD, United Kingdom

© 2026 TechProf Ltd. NetInsightPro is a registered trademark of TechProf Ltd.