Proxara
Device Protection

Due diligence & deployment, ready to download

The same documentation we hand to reviewers. Everything the security and IT teams need to deploy Proxara on the device and assess it with confidence.

Two documentsHTML & PDFNo sign-in

Two documents, one device

One for the team that rolls it out, one for the team that signs off on it.

01 · For IT · macOS & Windows

Deployment Guide

MDM and manual installation for macOS and Windows. Silent deployment, certificate trust, and proxy configuration.

  • Prerequisites & what the installer does
  • The Name-Constrained root certificate
  • MDM (Jamf · Intune · Kandji · Mosyle) & manual paths
  • Network architecture & day-one timeline
  • Verification & clean uninstall
Download HTMLPDF
02 · For Security & Compliance

Due Diligence Pack

Security assessment for the device-wide TLS proxy. Certificate handling, data isolation, and compliance documentation.

  • What it can and cannot do, by design
  • Data handling: flagged, unflagged, on-device
  • Encryption, isolation & access controls
  • Subprocessors & backend infrastructure
  • Compliance support mapped to the rules
Download HTMLPDF
What's inside

A reviewer's pack, not a brochure

The Due Diligence Pack reads like an assessment, because it is one. Scope and coverage, the certificate's exact limits, where data goes when something is flagged and where it does not when nothing is, laid out plainly enough to forward to a regulator.
X.509 Name ConstraintsAES-256 · TLS 1.3Single-tenantAWS-only subprocessor

What the review will find

Three things every security team asks about, answered in the pack and summarised here.

01

Coverage

Interception at the OS network layer, opened only when the destination is positively identified as AI. The root certificate carries X.509 Name Constraints that keep banking, sign-in, healthcare, and government domains out of reach.

X.509 Name Constraintsclaude.ai · chatgpt.comAI destinations only
02

Data handling

Flagged events route to your archive, then purge. Unflagged traffic passes through and is never stored. AWS is the only subprocessor.

Single-tenantAWS KMSSmarsh · Global Relay
03

Security

Encrypted at rest and in transit, with certificate pinning, QUIC blocking, and a tamper-evident audit log across the fleet.

AES-256 at restTLS 1.3 in transitCert pinning
From the deployment guide

Live in a day, not a quarter

Proxara provisions the backend. You upload one signed installer to your MDM. The service deploys silently, with no prompts and no reboots, and starts protecting at boot.

< 24h
Backend provisioned by Proxara
30 min
Installer uploaded to your MDM
Minutes
Service deployed across the fleet
Same day
Fully operational
Jamf · Intune · Kandji · MosyleManual install supportedClean uninstall, any time

Written for the wealth firm’s reviewer

The pack maps Proxara to the rules a wealth-management compliance team is actually measured against, with the firm's compliance archive as the system of record, not Proxara.

FINRA Rule 3110 · SupervisionSEC Regulation S-PSEC Rule 17a-4 · RecordkeepingEmployee monitoring disclosure
Read the full security overview