Security & Privacy

Learn how Thox.ai protects your data and how to configure security settings.

Privacy by Design

Thox.ai is designed from the ground up for privacy. All AI processing happens locally on your device. Your code, prompts, and data never leave your network. We don't collect telemetry or usage data.

Data privacy overview

Your data stays local

Thox.ai processes all AI requests locally on your device. Your prompts, code, and data never leave your network. This is fundamental to our privacy-first design.

No telemetry by default

We don't collect usage data, analytics, or telemetry by default. You can optionally enable anonymous crash reports to help us improve the product.

Model data

AI models are downloaded once and stored locally. Model updates are also processed locally. No inference data is sent to external servers.

Network access

The device only makes outbound connections for: firmware updates (can be disabled), model downloads (user-initiated), and time synchronization (optional).

Network security settings

API authentication

Enable API key authentication to secure access to your device: thox auth enable. This prevents unauthorized applications on your network from using the device.

IP allowlisting

Restrict which IP addresses can connect to your device by configuring allowed IPs in /etc/thox/security.yaml or via the admin interface.

Rate limiting

Configure rate limits to prevent abuse: requests_per_minute and tokens_per_minute can be set in the security configuration.

Binding to specific interfaces

By default, the device listens on all interfaces. You can restrict this to specific interfaces (e.g., only Ethernet) in the network configuration.

Firewall configuration

Default ports

Thox.ai uses port 8080 for HTTP/WebSocket API, port 8443 for HTTPS (if enabled), and port 5353 for mDNS discovery.

Inbound rules

For local network access only, allow inbound connections on port 8080 from your local subnet (e.g., 192.168.0.0/16).

Outbound rules

The device needs outbound access to: updates.thox.ai (443) for firmware, models.thox.ai (443) for model downloads, and NTP servers (123) for time sync.

Blocking external access

We strongly recommend blocking the device from the public internet. Use your router's firewall to prevent port forwarding to the device.

Firmware updates

Automatic updates

By default, the device checks for updates weekly and notifies you. You can enable automatic installation or keep manual approval.

Manual updates

Check for updates: thox system update --check. Install updates: thox system update --install. View current version: thox --version.

Offline updates

For air-gapped environments, download update packages from our website and install via USB: thox system update --file /path/to/update.bin

Rollback

If an update causes issues, rollback to the previous version: thox system rollback. The device keeps one previous version for recovery.

Disabling updates

To completely disable update checks: thox config set updates.enabled false. Note: This means you'll need to manually check for security patches.

Related Topics

Advanced Security Settings

TLS, API keys, and more

Privacy Policy

Our full privacy commitment