Introducing the TruePrivacy Endpoint Agent: PII Discovery for Employee Laptops
Employee laptops are the biggest blind spot in most data maps — exported CSVs, downloaded reports, and stray spreadsheets that cloud scanners never see. The new TruePrivacy Endpoint Agent scans macOS, Windows, and Linux devices locally and reports findings only: masked samples and hashes, never raw data.

The Blind Spot in Every Data Map
Ask a privacy team where personal data lives and they will point at the usual suspects: the CRM, the data warehouse, the support desk, the marketing stack. Modern DSPM tooling has become good at scanning these systems. But there is one surface almost every data map quietly ignores — the laptops and desktops your employees use every day.
Think about how data actually moves inside a company. An analyst exports a customer list to CSV to build a quick report. A support lead downloads a ticket dump to investigate a complaint. A recruiter saves a folder of CVs to their desktop. A finance manager keeps a payroll spreadsheet 'just in case'. None of this data appears in your RoPA. None of it is covered by your cloud scanner. And when a laptop is lost, stolen, or compromised, all of it becomes a reportable incident.
The TruePrivacy Endpoint Agent closes this gap. It is a lightweight, native agent for macOS, Windows, and Linux that discovers PII sitting in local files — and reports it to your DSPM dashboard without the raw data ever leaving the device.
Findings-Only Egress: Privacy-Preserving by Architecture
The obvious objection to endpoint scanning is that the scanner itself becomes a risk. If an agent uploads file contents to a vendor's cloud for analysis, you have not reduced your exposure — you have created a brand-new data flow to govern, assess, and add to your vendor risk register.
We designed the Endpoint Agent around a strict principle we call findings-only egress. All detection runs locally on the device, using the same detection engine that powers the rest of the TruePrivacy platform. After a scan, the agent reports only metadata: the file path, the type of PII detected, a masked sample (like j***@company.com or •••• 4242), and a keyed hash that lets the platform correlate the same value across devices without ever knowing what it is.
Raw file contents and raw PII values never leave the machine. There is nothing to breach in transit, nothing to subpoena from us, and nothing new for your DPIA to worry about. The transport layer matches the architecture: every device enrolls with a one-time key issued from your dashboard and receives its own mutual TLS certificate, so the collector accepts findings only from verified, enrolled endpoints.
Built to Be Ignored
An endpoint agent that slows down laptops gets uninstalled — by IT if you are lucky, by employees if you are not. So the Endpoint Agent is engineered to stay out of the way.
Scans are incremental: the first pass builds a snapshot, and every scan after that touches only new and modified files. Disk read throughput is capped by a configurable performance profile, so even a full-disk scan stays polite on a machine that is in active use. Sensible exclusions are built in — caches, node_modules, OS-internal folders, and credential stores like .aws are skipped automatically. Scheduled scans run from a lightweight background service with a menu bar or system tray icon, and employees can pause or cancel a running scan at any time.
Employees also get transparency, not surveillance. The agent includes a local findings browser where anyone can see exactly what was detected on their own machine — the same findings-only view the privacy team sees — and export it to CSV. In our experience, this transparency is what turns endpoint scanning from a fraught IT negotiation into a tool employees actually use to clean up their own data hygiene.
What It Detects
The agent detects more than 100 types of personal data out of the box — names, email addresses, phone numbers, national identifiers, payment card numbers, bank details, health identifiers, and more — across the file types where exported data actually lands: plain text, CSV, JSON, logs, Office documents (DOCX, XLSX, PPTX), and PDFs.
For organizations with deeper needs, an optional extraction sidecar adds legacy Office formats, OpenDocument files, and OCR for images and scanned documents, and an optional NER (named entity recognition) sidecar catches unstructured PII — like names in free text — that pattern matching alone would miss. Both sidecars follow the same rule as everything else: extraction and detection stay inside your environment.
From One Laptop to the Whole Fleet
Rolling out starts with a single enrollment key generated in the TruePrivacy dashboard (DSPM Scanner → Enroll Device). Install the agent, paste the key, and the device exchanges it for its mTLS certificate automatically. From there, the dashboard shows every enrolled endpoint, who uses it, when it last scanned, and its current PII exposure — aggregated alongside your SaaS, database, and cloud storage findings so you finally see your complete data footprint in one place.
For managed fleets, MSI and PKG installers support MDM deployment, and the agent keeps itself current by checking a signed release manifest and verifying every update's checksum before installing it — no packaging cycle required for routine updates.
The endpoint blind spot is real in every organization we have looked at, and it is usually larger than anyone expects. If you want to see what is sitting on your fleet, the Endpoint Agent is available now for TruePrivacy DSPM customers — book a demo and we will scan a test machine with you in under ten minutes.
Automate your privacy compliance
See how TruePrivacy can handle DSRs, consent, and breach response — all in one platform.
Free 14-day trial · No credit card required · Setup in minutes