Don't trust us. Trust the packets.
Below are three independent ways to verify, in under five minutes, that Data Collage transmits no data to anywhere other than the Fusion pod you configured. Pick the one that matches your comfort level — they all reach the same conclusion.
The result you should see, no matter which method you use.
In every method below, the captured traffic from data-collage.exe
should hit exactly these hosts and nothing else:
-
*.oraclecloud.com— your configured Fusion pod (SOAP calls to BI Publisher, and the SSO login window if you picked SSO auth). - Your configured AI provider's API host — only if AI Assist is enabled and you've used it during the capture. Disabled by default.
- A version-check URL — once the auto-updater ships. None during v1.
If you see traffic to any other host (especially anything resembling
datacollage.app, newarcinc.com, or a
third-party analytics provider), that is a bug.
Tell us
and we'll publish a fix and a post-mortem.
Windows Resource Monitor
This is the fastest sanity check. Resource Monitor ships with Windows and shows, per-process, every TCP connection currently in flight. You don't need to download anything.
Steps
-
Press Win+R, type
resmon, hit Enter. Resource Monitor opens. - Switch to the Network tab.
-
Expand the TCP Connections table. Sort by
Image and find every row where Image =
data-collage.exe. - Open Data Collage. Test a connection, run a query, browse history — do whatever you'd normally do for a few minutes.
-
Watch the Remote Address column for
data-collage.exerows. Every entry should be your Fusion pod hostname or its CDN ranges, plus your AI provider's host if you used AI Assist.
website/public/security/resmon-network-tab.png Recommended: 1600×900 screenshot of Resource Monitor's Network tab, filtered to data-collage.exe rows showing only oraclecloud.com remote addresses.
Resource Monitor showing every TCP connection
data-collage.exe has open. Remote Address should be
your Fusion pod only.
What to look for
-
✅ Every
data-collage.exerow's Remote Address resolves to your Fusion pod or its CDN. - ✅ No connections to addresses outside your Fusion pod (and the AI host, if you used AI Assist).
- ⚠️ If you see traffic to anything else, click the Listening Ports or Network Activity panels to identify it, then email us.
Video walkthrough
<video> tag pointing at
/security/method-1-resmon.mp4 (90–120 seconds, no
audio needed, screen-only capture).
Fiddler Classic
Fiddler is a man-in-the-middle proxy for your own machine. With HTTPS decryption on, you don't just see that Data Collage made an HTTPS request — you see the full request and response body. This is the strongest single answer to "what is the app actually sending?"
One-time setup (~3 minutes)
- Download Fiddler Classic from telerik.com/fiddler/fiddler-classic and install it (free).
- In Fiddler: Tools → Options → HTTPS. Tick Capture HTTPS CONNECTs and Decrypt HTTPS traffic. Accept the prompt to install Fiddler's root CA into the Windows certificate store.
- Apply, restart Fiddler.
Running the capture
- Make sure Fiddler is Capturing (lower-left status shows "Capturing"). If not, hit F12.
-
In Fiddler's filter bar, type
process:data-collageto scope the view to traffic from the app only. - Open Data Collage and do a typical session: test a connection, run a few queries, save one to the library, switch tabs.
- Inspect each row. Click any request to see Host, full URL, headers, request body (the gzipped+base64 SQL payload to BIP), and decrypted response body.
website/public/security/fiddler-capture.png Recommended: full-window Fiddler screenshot showing the process filter set to data-collage and the request list populated only with rows where Host = your Fusion pod. Optionally a second screenshot showing one request's decrypted body (the SOAP envelope), with sensitive query text masked.
Fiddler filtered to data-collage.exe — the Host
column should show your Fusion pod on every row.
What to look for
- ✅ Host column is your Fusion pod on every row (and your AI provider, if you used AI Assist).
- ✅ Request bodies for BIP calls are SOAP envelopes containing the your SQL, encoded as gzip+base64.
- ✅ Response bodies are CSV results from BIP (or SOAP faults if your SQL had errors).
- ⚠️ No requests with Host equal to anything outside that allow-list. No requests with bodies containing usage telemetry, device IDs, or analytics payloads.
Video walkthrough
<video> tag pointing at
/security/method-2-fiddler.mp4 (3–5 minutes,
screen capture with optional voice-over walking through filter
setup, capture, and reading the SOAP body).
Wireshark
Wireshark captures raw network packets at the NIC. Unlike Fiddler, it doesn't intercept TLS, so you won't see request bodies — but you get something arguably stronger: a complete record of every TCP/IP connection the machine made during the capture window, on every interface. Nothing escapes Wireshark.
Setup
- Download Wireshark from wireshark.org/download.html and install it. Accept the prompt to install Npcap.
- Close other applications that make a lot of background network calls (browsers, Slack, Teams) to keep the capture readable. Optional but recommended for a clean trace.
Running the capture
- Launch Wireshark, pick your primary network interface (usually Wi-Fi or Ethernet), and hit the blue shark fin to start capturing.
-
In Wireshark's filter bar, paste:
This narrows the view to TLS Server Name Indication (which hosts your machine is opening TLS connections to) and DNS lookups.tls.handshake.extensions_server_name or dns - Open Data Collage and do a typical session: test a connection, run a few queries.
- Stop the capture (red square). Look at every Server Name (in TLS Client Hello packets) and every DNS Query Name.
Pro tip: scope to the app's process
Wireshark itself can't filter by process, but you can pair it with Process Monitor (Sysinternals) running side-by-side with the filter Process Name = data-collage.exe AND Operation = TCP Connect. Cross-reference the TCP connect log against Wireshark's TLS SNI list — matches confirm what the app initiated.
website/public/security/wireshark-sni-filter.png Recommended: Wireshark window showing the tls.handshake.extensions_server_name filter applied, with the SNI column visible. Highlight that every Server Name value is the Fusion pod or oraclecloud.com. Wireshark filtered to TLS handshakes — the Server Name column should be your Fusion pod for every Data Collage initiated TLS connection.
What to look for
-
✅ Every TLS Client Hello with
data-collage.exeas the originator (cross-referenced with Process Monitor) has a Server Name matching your Fusion pod or its CDN. - ✅ DNS queries from the app are only for the same hosts (plus your AI provider if you used it).
-
⚠️ Any TLS SNI or DNS query to an unrelated host originating from
data-collage.exeis a bug — tell us.
Video walkthrough
<video> tag pointing at
/security/method-3-wireshark.mp4 (5–7 minutes
including the Process Monitor cross-reference step).
Lock the egress at the firewall.
If your environment requires belt-and-suspenders, you can take any
verification a step further: lock data-collage.exe down at
the Windows Firewall to allow outbound traffic only to your
Fusion pod's IP range. Anything trying to talk anywhere else simply
won't reach the wire.
New-NetFirewallRule (PowerShell, Administrator) example:
# Allow outbound to your Fusion pod CIDR; block everything else from the app
New-NetFirewallRule -DisplayName "DataCollage allow Fusion" \
-Program "$env:LOCALAPPDATA\Programs\Data Collage\data-collage.exe" \
-Direction Outbound -Action Allow \
-RemoteAddress "203.0.113.0/24" # your Fusion CIDR here
New-NetFirewallRule -DisplayName "DataCollage block all other" \
-Program "$env:LOCALAPPDATA\Programs\Data Collage\data-collage.exe" \
-Direction Outbound -Action BlockWith these rules in place, the app literally cannot reach anything outside your Fusion pod — not Newarc, not a third party, not anyone. If the app still works after applying this, that's proof.
Found something you didn't expect?
Tell us. We treat unexpected network traffic as a security incident and will publish a fix and a write-up.