QuietStewardship

Security & Trust

Our security posture, the controls that back the privacy promise, and how to report a vulnerability. We'd rather show you how to verify than ask you to trust.

Last updated June 13, 2026

Architecture that minimizes risk

  • No server-side host data. The biggest security guarantee is the absence of a target: we never receive your diagnostics, so there is no central store to breach or compel.
  • Loopback-only agent. The local agent listens on 127.0.0.1 only and makes no outbound connections.
  • Browser → localhost, direct. The dashboard reads the agent in your browser; the website is not in the data path.

Controls you can inspect

  • Content-Security-Policy. The site ships a strict CSP whose connect-src permits only your loopback address (where host diagnostics are read) and our anonymous analytics endpoint (PostHog) — no advertising or cross-site tracking origins. Your host diagnostics are never placed into an analytics event; see Website Analytics. The browser blocks any other destination.
  • TLS everywhere. The site is HTTPS-only with HSTS. The agent serves HTTPS on localhost with a self-signed certificate generated on your machine (trusted once by you).
  • CORS allowlist + optional token. The agent answers only allowlisted web origins and can require a pairing token on its data endpoints.

How to verify

See Verify it yourself: the airplane-mode test for anyone, plus CSP / DevTools / firewall / netstat checks for the technically inclined. The agent is intentionally small, and we intend to publish its source for full auditability.
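The CSP check mentioned above can be scripted against a Content-Security-Policy header value copied from DevTools. This is an added example, not QuietStewardship's own code; the header strings, port 8443 and the analytics hostname are constructed placeholders, since this page does not list the real values.

```javascript
// Added example: audit the connect-src directive of a CSP header value.
// Header strings and the analytics host below are constructed placeholders.
const LOOPBACK_HOSTS = new Set(["127.0.0.1", "localhost", "[::1]"]);

// Split a CSP header value into a Map of directive name -> source list.
function parseCsp(headerValue) {
  const directives = new Map();
  for (const part of headerValue.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Per the CSP spec, a repeated directive is ignored; the first one wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Extract the host from a host-source such as https://127.0.0.1:8443.
// Returns null for scheme-only sources like "https:".
function hostOf(source) {
  const m = /^(?:[a-z][a-z0-9+.-]*:\/\/)?(\[[^\]]+\]|[^/:]+)(?::(?:\d+|\*))?(?:\/.*)?$/i.exec(source);
  return m ? m[1].toLowerCase() : null;
}

// Return the connect-src sources that are neither loopback nor the
// expected analytics host. An empty array means the policy is as narrow
// as described.
function auditConnectSrc(headerValue, analyticsHost) {
  const csp = parseCsp(headerValue);
  // connect-src falls back to default-src when it is absent.
  const sources = csp.get("connect-src") ?? csp.get("default-src");
  if (sources === undefined) return ["<no connect-src or default-src: unrestricted>"];
  return sources.filter((src) => {
    if (src.toLowerCase() === "'none'") return false;
    const host = hostOf(src);
    return !(host && (LOOPBACK_HOSTS.has(host) || host === analyticsHost));
  });
}

// Constructed sample headers: one narrow, one with lookalike and wildcard sources.
const STRICT = "default-src 'self'; connect-src https://127.0.0.1:8443 https://analytics.example.invalid; script-src 'self'";
const LOOSE = "default-src 'self'; connect-src https://127.0.0.1:8443 https://127.0.0.1.tracker.example https: *";

console.log(auditConnectSrc(STRICT, "analytics.example.invalid"));
console.log(auditConnectSrc(LOOSE, "analytics.example.invalid"));
```

The host comparison is exact, so a lookalike such as `127.0.0.1.tracker.example` is reported rather than accepted as loopback.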

Responsible disclosure

Found a security issue? Please email security@quietstewardship.com with steps to reproduce. Please don’t publicly disclose until we’ve had a reasonable chance to fix it; we’ll acknowledge your report and keep you updated. A machine-readable contact is published at /.well-known/security.txt.

Honest status

QuietStewardship is early. We don’t yet hold third-party certifications (e.g. SOC 2, ISO 27001) that mature vendors publish in their trust centers. Our approach is to compensate with architectural minimization and verifiability: the less data exists off your device, the less there is to certify, breach, or misuse. We’ll add formal attestations as the project matures, and we’ll state plainly what we have and haven’t achieved.

Known limitations (stated plainly)

  • The agent’s localhost certificate is self-signed, so it requires a one-time trust step in your browser. A future release will ship a properly-trusted local certificate authority or a signed installer.
  • The downloadable agent is not yet code-signed/notarized; your OS may warn on first run. This is a planned follow-up.

This document is provided in good faith and modeled on common industry practice. It is not legal advice; QuietStewardship recommends review by qualified counsel before you rely on it. We’ll keep it current as the product evolves.