Data Privacy and Connectivity

At VoIP Detective we take data privacy seriously and aim to be as transparent as possible about how the appliance handles your data. This article explains where your call data lives, why VoIP Detective makes a limited set of outbound connections, and the options available if your organization restricts internet access.

Looking for ports or domains?: The complete list of inbound ports and outbound endpoints – for CUCM, CUBE, Webex Calling, and Microsoft Teams – lives in the System Requirements article. This article focuses on privacy and how to lock connectivity down.

Privacy by Design

Whichever calling platform you connect, two principles always hold:

Your data stays with you. VoIP Detective never transmits the data it collects to VoIP Detective’s servers or any third party. Everything it gathers is stored only in your local appliance database.
Least-privilege access. The appliance only ever needs the access required to read call records – never administrative control of your phone system or cloud tenant.

How Each Platform Is Accessed

The way call data reaches VoIP Detective differs by platform. Cisco sources push files to the appliance; cloud sources are pulled by the appliance using an authorization you grant and can revoke.

Platform	Model	Access Required
CUCM	Push	CUCM pushes CDR/CMR files to VoIP Detective’s built-in SFTP server. No administrative permissions are required. Importing user/device names is optional and uses a read-only AXL account you add to CUCM.
CUBE	Push	CUBE is configured to send its CDRs to VoIP Detective over FTP or SFTP. No elevated access to the appliance is required.
Webex Calling	Pull	You authorize an OAuth connection to your Webex organization. VoIP Detective uses that token to pull call records with reporting/analytics access only. You can revoke the authorization in Webex at any time.
Microsoft Teams	Pull	You grant the appliance read access to call records through a Microsoft Graph app registration (OAuth). VoIP Detective uses those permissions to pull records. You can revoke access in Microsoft Entra ID at any time.

Related: To remove or mask digits from stored numbers and meet GDPR or similar requirements, see the “Data Privacy – Masking Digits” article.

Why VoIP Detective Connects Out

The appliance initiates a small, predictable set of outbound connections. It never receives unsolicited inbound connections from VoIP Detective’s servers. Outbound traffic falls into three categories:

Product services (free edition). Periodic checks to verify internet access, notify you of available updates, deliver upgrades, and validate the license about once a week.
Cloud call data (optional). If you enable Webex Calling or Microsoft Teams reporting, the appliance reaches the relevant cloud APIs to pull call records into your local database.
Operating-system updates (optional). If you update the underlying Linux OS from the command line, the package manager reaches standard Linux repositories.

The exact hostnames and ports for each of these are documented in System Requirements, so your network team can allow or inspect them precisely.

Restricting or Securing Internet Access

If your organization does not allow unsecured outbound internet access, you have several options:

Offline license (PRO). VoIP Detective PRO users can request an offline license, which removes the requirement for internet access to validate licensing.
Proxy server. Both free and PRO support routing traffic through a proxy server, so you can monitor any traffic the appliance initiates.
Firewall with packet inspection. Place VoIP Detective behind a firewall and inspect outbound packets to the documented destinations.

Important: VoIP Detective is not designed to be internet-facing. Do not expose it directly to the internet or place it in your DMZ.

If you have any concerns about data privacy, please open a support ticket.