Security concepts & technical specs for all services.
Last updated: January 2026
Document Version: 1.1
Date: January 2026
Confidentiality: Internal
This document describes the architecture and security measures of our Remote Management System. The system enables secure remote maintenance and monitoring of workstations without dependence on third-party providers like AnyDesk or TeamViewer.
Simply explained: We have built our own system for IT support that runs on our own servers in Germany. No external company has access to your data. When we help you with a problem, it happens via a secure, encrypted connection - just like online banking.
Core Benefits:
```text
                          Internet
                              │
                ┌─────────────┴─────────────┐
                │    TLS 1.3 Encryption     │
                │     (Port 443/HTTPS)      │
                └─────────────┬─────────────┘
                              │
          ┌───────────────────┼───────────────────┐
          │                   │                   │
          ▼                   ▼                   ▼
 ┌─────────────────┐ ┌─────────────────┐ ┌─────────────────┐
 │  rmm.c4g7.com   │ │  api.c4g7.com   │ │  mesh.c4g7.com  │
 │  Web Dashboard  │ │   API Server    │ │   MeshCentral   │
 └────────┬────────┘ └────────┬────────┘ └────────┬────────┘
          │                   │                   │
          └───────────────────┴───────────────────┘
                              │
              ┌───────────────┴───────────────┐
              │        HAProxy Cluster        │
              │ (High Availability, 2 Nodes)  │
              └───────────────┬───────────────┘
                              │
                 ┌────────────┴────────────┐
                 │      Tactical RMM       │
                 │    (Internal Server)    │
                 └────────────┬────────────┘
                              │
       ┌──────────────────────┼──────────────────────┐
       │                      │                      │
       ▼                      ▼                      ▼
┌─────────────┐        ┌─────────────┐        ┌─────────────┐
│ Office PC 1 │        │ Office PC 2 │        │ Office PC n │
│  MeshAgent  │        │  MeshAgent  │        │  MeshAgent  │
│ TRMM Agent  │        │ TRMM Agent  │        │ TRMM Agent  │
└─────────────┘        └─────────────┘        └─────────────┘
```
| Component | Function | Location |
|---|---|---|
| HAProxy | Load Balancer, SSL Termination | Germany |
| Tactical RMM | Central Management, Monitoring | Germany |
| MeshCentral | Remote Desktop, Remote Maintenance | Germany |
| MeshAgent | Client Agent on Workstations | Local |
| TRMM Agent | Monitoring Agent | Local |
Simply explained: Imagine you're sending a letter. Without encryption, it would be like a postcard - anyone could read it. With our encryption, it's like a sealed safe that can only be opened by the recipient. No one in between - no internet provider, no hacker, nobody - can see what's being transmitted.
All connections between clients and server are encrypted:
| Protocol | What does it mean? | Usage |
|---|---|---|
| TLS 1.3 | Latest encryption (like online banking) | All connections |
| TLS 1.2 | Older but still secure version | Legacy devices |
| WSS | Encrypted real-time connection | Remote maintenance |
Simply explained - TLS 1.3: This is the same security standard used by banks, PayPal, and Amazon. When you see the lock symbol in your browser, you're using this technology. Our connections are just as secure as your online banking session.
Cipher Suites (only modern, secure algorithms):
What are Cipher Suites? These are the mathematical procedures that encrypt your data. We only use the strongest and most modern procedures - the same ones used by governments and military.
Simply explained: "End-to-end" means: The data is encrypted on your computer and only decrypted on our server. Along the entire path in between - through your router, through the internet, through every server in between - NOBODY can read the data. It's like sending a message in a language that only you and we understand.
Simply explained - Certificates: A certificate is like a digital ID. It proves that you're really talking to our server and not to a fraudster. Let's Encrypt is a trusted organization that issues these IDs.
```text
┌─────────────────────────────────────────────────────────────┐
│                       Security Layers                       │
├─────────────────────────────────────────────────────────────┤
│  Layer 1: Firewall / HAProxy (only port 443 public)         │
│  Layer 2: TLS Encryption (End-to-End)                       │
│  Layer 3: Authentication (API Keys, Certificates)           │
│  Layer 4: Authorization (Role-based Access Rights)          │
└─────────────────────────────────────────────────────────────┘
```
Simply explained: We store NONE of your personal data. No documents, no emails, no passwords - nothing. The system only checks if your computer is "healthy": Is it running fast enough? Is there enough storage free? Are all security updates installed? That's all. Like a doctor measuring your pulse, but not reading your diary.
The system only collects basic technical metrics:
| Category | Data | Why? |
|---|---|---|
| System | CPU, RAM, Hard drive | To see if your PC is slowing down |
| Network | Connection status | To check if your PC is reachable |
| Software | Installed programs | To find outdated software |
| Updates | Windows Update status | To detect security vulnerabilities |
Important: This data is only queried when needed (pull principle). We don't constantly look at your computer, only when a check is necessary.
Absolute guarantee - this data is NEVER collected:
| What we DON'T see | Why not? |
|---|---|
| Your documents and files | Technically not possible, not built into the system |
| Email contents | No access to email programs |
| Browser history | Not read out |
| Passwords | Technically not accessible |
| Private messages | No access to chat programs |
| Photos and videos | Not transmitted |
| Keyboard inputs | No keylogger, no recording |
Simply explained: Our system is like a mechanic who only looks under the hood. He checks oil, tires, and brakes - but he doesn't open your glove box and doesn't read your private letters.
| Data Type | Retention Period | What does it mean? |
|---|---|---|
| System Metrics | 30 days | Automatically deleted afterwards |
| Audit Logs | 90 days | Log of who accessed what and when |
| Session Data | Only during session | Gone immediately after end |
Simply explained: All technical data is automatically deleted after a short time. Nothing is stored permanently. After 30 days, it's as if the measurement never happened.
Simply explained: Nobody can access your computer without your permission. EVERY TIME an IT staff member wants to see your screen, a window appears on your computer. You decide: Yes or No. Without your "Yes", nothing happens. Also, you ALWAYS see when someone is connected - there are no hidden accesses.
```text
┌──────────────────────────────────────────────────────────────┐
│                    Remote Access Process                     │
├──────────────────────────────────────────────────────────────┤
│                                                              │
│  1. IT staff initiates remote access                         │
│        │                                                     │
│        ▼                                                     │
│  2. System sends request to client                           │
│        │                                                     │
│        ▼                                                     │
│  3. User receives popup notification:                        │
│     ┌────────────────────────────────────┐                   │
│     │  IT Support wants to access your   │                   │
│     │  computer.                         │                   │
│     │                                    │                   │
│     │      [ Allow ]      [ Deny ]       │                   │
│     └────────────────────────────────────┘                   │
│        │                                                     │
│        ▼                                                     │
│  4. Only with consent: Connection is established             │
│        │                                                     │
│        ▼                                                     │
│  5. Visible icon in taskbar during session                   │
│                                                              │
└──────────────────────────────────────────────────────────────┘
```
| Your Right | What does it mean? |
|---|---|
| Consent Required | No access possible without your OK |
| Visibility | Icon shows active connection |
| Cancel | You can disconnect at any time |
| Logging | All accesses are documented |
No secret accesses possible: It is technically impossible to access your computer without the popup. The system is built so that transparency is enforced - not as an option, but as a fundamental principle.
Simply explained: With AnyDesk or TeamViewer, all connections run through servers in America or other countries. This means: A foreign company could theoretically read along. With us, everything runs through our own server in Germany. Nobody except us has access. Your data never leaves Germany.
| Criterion | AnyDesk/TeamViewer | Our System |
|---|---|---|
| Where is the data? | USA/Abroad | Germany |
| Who has access? | Foreign company | Only us |
| GDPR? | Problematic | Fully compliant |
| Dependency | Yes - if provider fails, nothing works | No - own control |
| Costs | Monthly fees | One-time setup |
| Source Code | Secret (nobody knows what happens) | Open Source (verifiable) |
What does "Open Source" mean? The program code of our software is publicly viewable. Thousands of developers worldwide have reviewed it. Hidden backdoors or spy functions would have been discovered immediately. With TeamViewer, nobody knows what the software really does - we have to trust the manufacturer.
For the technically interested: This section contains details for IT professionals. The most important information for you: Our system is secured multiple times (2 servers), uses current security standards, and supports both old and new internet protocols.
| Parameter | Value | What does it mean? |
|---|---|---|
| Load Balancer | HAProxy 2.8 (2 Servers) | If one server fails, the other takes over |
| Failover Time | < 3 seconds | Outages are fixed immediately |
| Encryption | TLS 1.2 / TLS 1.3 | Most modern security standards |
| IPv4 + IPv6 | Yes | Works with all internet connections |
| Max Connections | 50,000 | More than enough capacity |
| Software | Version | License |
|---|---|---|
| Tactical RMM | Current | AGPL v3 (Open Source) |
| MeshCentral | Current | Apache 2.0 (Open Source) |
| HAProxy | 2.8+ | GPL v2 (Open Source) |
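An added example, not part of the original document or of the deployment's own tooling: a small audit of an HAProxy configuration against two statements made here, that only port 443 is public and that TLS 1.2 is the oldest accepted version. The sample configuration, its certificate path and the rule that `ssl-min-ver` must be set explicitly are assumptions; only simple `address:port` bind forms are handled.

```python
ORDER = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
MIN_REQUIRED = "TLSv1.2"   # oldest version named in the parameter table
PUBLIC_PORT = "443"        # "only port 443 public"
LOOPBACK = ("127.", "::1", "localhost")
# Constructed sample, not the deployment's real haproxy.cfg.
SAMPLE_CFG = """\
global
    ssl-default-bind-options ssl-min-ver TLSv1.2
frontend public_https
    bind :443 ssl crt /etc/haproxy/certs/
    bind :::443 v6only ssl crt /etc/haproxy/certs/
frontend legacy
    bind :8443 ssl crt /etc/haproxy/certs/ ssl-min-ver TLSv1.0
frontend plain
    bind *:80
frontend stats
    bind 127.0.0.1:8404
"""

def min_ver(tokens):
    """Return the value following 'ssl-min-ver' in a token list, or None."""
    if "ssl-min-ver" in tokens[:-1]:
        return tokens[tokens.index("ssl-min-ver") + 1]
    return None

def audit(cfg):
    """Return (line_no, message) findings for bind lines that break the policy."""
    findings, default = [], None
    for no, raw in enumerate(cfg.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()   # drop comments, tokenize
        if not tokens:
            continue
        if tokens[0] == "ssl-default-bind-options":
            default = min_ver(tokens) or default
        elif tokens[0] == "bind" and len(tokens) > 1:
            addr, _, port = tokens[1].rpartition(":")
            if addr.startswith(LOOPBACK):
                continue   # loopback listeners are not reachable from outside
            if port != PUBLIC_PORT:
                findings.append((no, f"public listener on port {port}"))
            if "ssl" not in tokens[2:]:
                findings.append((no, "listener without TLS"))
                continue
            eff = min_ver(tokens) or default   # per-bind setting overrides the default
            if eff not in ORDER or ORDER.index(eff) < ORDER.index(MIN_REQUIRED):
                findings.append((no, f"minimum TLS version is {eff or 'not set explicitly'}"))
    return findings

for no, msg in audit(SAMPLE_CFG):
    print(f"line {no}: {msg}")
```
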
Simply explained - GDPR: The General Data Protection Regulation is an EU law that protects your personal data. Our system is fully GDPR compliant - that means we adhere to the strictest data protection laws in Europe.
What we guarantee:
Simply explained: Every access is logged. If someone asks "Who accessed my computer and when?", we can answer that exactly. These logs are tamper-proof.
What is logged:
No. Technically impossible. With every access attempt, a window appears on your screen. Without your consent, no connection is established. During a session, you'll also always see a symbol in the taskbar.
No. The system has no access to your documents, emails, or personal data. Only technical information about the state of your computer is collected (CPU, memory, updates).
Only authorized IT staff. All accesses are logged. It's always traceable who accessed which system and when.
Yes, banking standard. We use TLS 1.3 - the same encryption your bank uses for online banking. Nobody can eavesdrop on or manipulate the connection.
No permanent storage. Technical metrics are kept for a maximum of 30 days and then automatically deleted. Personal data is not collected at all.
| Promise | Guarantee |
|---|---|
| No access without your consent | Technically enforced via popup |
| No storage of personal data | Documents, emails etc. are not collected |
| Encryption | TLS 1.3 (banking standard) |
| Data location | Germany only |
| Transparency | All accesses are logged |
| Open Source | Software is verifiable |
For questions about system security or data protection, contact:
IT Department
Email: it@c4g7.com
This document is updated when significant changes are made to the system.