1. Who We Are
StriveBit Technologies Private Limited is a company incorporated in India, operating under the laws of Uttar Pradesh. We build and operate TroveSec, a cloud security platform that scans AWS environments and surfaces security findings through an AI-assisted dashboard.
For privacy matters, we act as the data controller for account and billing data, and as a data processor for your AWS scan findings (which remain owned by you).
This policy covers all TroveSec services including our website at trovesec.io, the web dashboard, the API, and the MCP server integration with Claude Desktop.
2. Data We Collect
We collect only what we need to run the service.
Account & Identity Data
When you sign up, we collect your name, work email address, and organisation name via our authentication provider (Clerk). If you sign in via Google or GitHub SSO, we receive only the profile data those services share with us.
Billing Data
Subscription payments are handled entirely by Stripe. We never see or store your card number, CVV, or bank details. We store only your Stripe Customer ID and subscription status so we can manage your plan.
AWS Configuration Data (Scan Findings)
When you connect an AWS account and trigger a scan, our scanner reads the configuration state of your AWS resources — things like whether an S3 bucket has public access enabled, or whether CloudTrail logging is active. We do not read or store the actual contents of your S3 buckets, databases, or application data. See Section 5 for full details.
API Keys
API keys you generate are hashed using bcrypt before storage. The raw key is shown exactly once at creation and is never retrievable again — not even by us.
Usage & Technical Data
We collect scan history, feature usage patterns, and error logs (via Sentry) to improve the service and diagnose issues. Error logs are anonymised — they reference internal IDs, not email addresses.
Communications
If you email us or fill in a contact form, we retain those records to respond and track support history.
3. How We Use Your Data
| Purpose | Legal basis (DPDP Act 2023 / IT Act 2000) |
|---|---|
| Provide, operate, and improve the service | Contract performance |
| Send transactional emails (scan complete, invite, billing) | Contract performance |
| Enforce plan limits and RBAC permissions | Contract performance |
| Detect and prevent fraud, abuse, and security incidents | Legitimate interest |
| Comply with tax, audit, and legal obligations | Legal obligation |
| Send product updates and security advisories (opt-out available) | Legitimate interest / consent |
We do not sell your personal data. We do not use your AWS scan findings to train AI models or share them with third parties for advertising.
4. Third-Party Processors
We use the following sub-processors to deliver the service. Each processes data only as instructed by us and under confidentiality obligations.
| Processor | Purpose | Location |
|---|---|---|
| Clerk | Authentication, organisation management, SSO | USA |
| Stripe | Payment processing, subscription management | USA |
| Railway | Cloud infrastructure, database hosting | USA |
| Resend | Transactional email delivery | USA |
| Sentry | Error monitoring and diagnostics | USA |
All data transfers to processors located outside India are governed by applicable data transfer mechanisms. We will update this list if we add or remove processors.
5. AWS Access & Scan Data
TroveSec accesses your AWS account using a read-only IAM role that you create and control. We use AWS STS AssumeRole — we never ask for or store AWS access keys or secret keys.
What we read: Resource configuration metadata — IAM policies, security group rules, S3 bucket ACLs, CloudTrail settings, RDS encryption status, and similar configuration attributes. Think of it as reading the settings panel, not the contents.
What we never read: The actual contents of your S3 objects, database rows, application files, secrets stored in AWS Secrets Manager, or any end-user data your application processes.
Ownership: Your scan findings belong to you. We store them on your behalf, display them to your authorised team members, and delete them when you close your organisation or request deletion.
You can revoke our access at any time by deleting the IAM role in your AWS console. This stops future scans but does not automatically delete already-stored findings — you can request deletion via hello@trovesec.io.
6. Data Storage & Security
All data is stored in PostgreSQL databases hosted on Railway infrastructure in the United States. Data is encrypted at rest and in transit (TLS 1.2+).
We take the following security measures:
- All database queries are scoped by organisation ID — one customer cannot access another's data.
- API keys are stored as bcrypt hashes; raw keys are shown once and never stored.
- AWS credentials are never stored — access uses short-lived STS tokens only.
- Role-based access control (viewer / member / admin / owner) is enforced at the API layer.
- Automated daily database backups are enabled.
- Error monitoring via Sentry excludes PII from log payloads.
No method of transmission or storage is 100% secure. If you discover a security vulnerability, please report it responsibly to hello@trovesec.io.
7. Data Retention
| Data type | Retention period |
|---|---|
| Account & profile data | Duration of active account + 30 days after deletion request |
| AWS scan findings | Duration of active organisation + 30 days after deletion |
| Payment & billing records | 7 years (statutory tax compliance requirement) |
| Error logs (Sentry) | 90 days |
| Email communication records | 3 years |
| API key hashes | Deleted immediately on revocation or org deletion |
When an organisation is deleted via the dashboard, a cascade delete removes all connected accounts, scan history, findings, and API keys within 30 days. Billing records are retained for tax compliance only and are not accessible through the product.
8. Your Rights
Under the Digital Personal Data Protection Act, 2023 (DPDP Act) and applicable Indian law, you have the following rights as a data principal:
- Right of access — request a copy of the personal data we hold about you.
- Right to correction — ask us to correct inaccurate or incomplete personal data.
- Right to erasure — request deletion of your personal data, subject to our legal retention obligations.
- Right to grievance redressal — raise a complaint with us and receive a response within a reasonable time.
- Right to nominate — nominate another individual to exercise your rights in the event of your death or incapacity.
To exercise any of these rights, email us at hello@trovesec.io with the subject line "Privacy Request". We will respond within 30 days. We may ask you to verify your identity before processing the request.
If you are unsatisfied with our response, you may lodge a complaint with the Data Protection Board of India once established under the DPDP Act 2023.
10. Children's Privacy
TroveSec is a business-to-business service intended for professionals and organisations. We do not knowingly collect personal data from individuals under the age of 18. If you believe a minor has provided us with personal data, contact us at hello@trovesec.io and we will delete it promptly.
11. Changes to This Policy
We may update this policy as the product evolves or as legal requirements change. When we make material changes, we will notify you by email (at the address on your account) at least 14 days before the changes take effect, and update the "Last updated" date at the top of this page.
Continued use of TroveSec after the effective date constitutes acceptance of the revised policy. If you disagree, you may close your account before the effective date.
12. Contact Us
For privacy questions, data requests, or complaints, contact us at:
StriveBit Technologies Private Limited
Uttar Pradesh, India
Email: hello@trovesec.io
Subject line: Privacy Request