Trust

Security

How we protect your code, data, and infrastructure.

Last updated · April 2026

Security is foundational to everything we build at TestForge. We handle your source code and repository data with the highest level of care. This page outlines the measures we take to keep your data safe.

1. Infrastructure Security

Our infrastructure is designed with defense-in-depth principles:

  • Hosted on leading cloud providers with SOC 2 Type II and ISO 27001 certifications
  • All data encrypted at rest using AES-256 and in transit using TLS 1.3
  • Network segmentation with private subnets for databases and internal services
  • Automated infrastructure provisioning with immutable deployments — no manual server access
  • DDoS protection and Web Application Firewall (WAF) at the edge
  • Regular penetration testing and vulnerability scanning

2. Authentication and Access Control

We implement robust authentication and access controls:

  • Passwords hashed with bcrypt using a cost factor of 12 — plaintext passwords are never stored
  • Time-based One-Time Password (TOTP) two-factor authentication available for all accounts
  • Secure session management with cookies carrying the HttpOnly, Secure, and SameSite attributes
  • OAuth 2.0 integration with GitHub — we request the minimum scopes necessary
  • Role-based access control (RBAC) for team and organization accounts
  • Automatic session expiration and idle timeout policies

3. Data Protection

Your code and data are protected at every layer:

  • Encryption at rest — all database records, backups, and stored files are encrypted with AES-256
  • Encryption in transit — all connections use TLS 1.3 with strong cipher suites; HSTS is enforced
  • Database encryption — PostgreSQL databases and their backups are encrypted at rest (applied at the storage layer, as stock PostgreSQL has no built-in transparent data encryption)
  • Ephemeral code processing — source code sent for AI analysis is processed in isolated environments and not persisted beyond the analysis session
  • Secrets management — API keys, tokens, and credentials are held in a dedicated secrets manager, never committed to source code or written to environment files on disk

4. Application Security

We follow industry best practices for secure application development:

  • Protection against the OWASP Top 10 vulnerabilities, including injection attacks, XSS, and broken access control
  • Strict input validation on all API endpoints using Zod schemas
  • CSRF protection via SameSite cookies and origin verification
  • Content Security Policy (CSP) headers to mitigate XSS and data injection
  • Rate limiting on authentication endpoints and API routes to prevent brute-force attacks
  • Dependency scanning with automated alerts for known vulnerabilities
  • Code review required for all changes before merging to production
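The CSRF origin verification and the authentication rate limiting in the list above, as an added example rather than TestForge's own code. It is written against a minimal request object ({ method, headers, ip, body }) instead of a particular framework; the allowed origins and the limit of five attempts followed by one per minute are assumptions chosen for the example.

```javascript
// Added example, not TestForge's code. Assumed origins for the example:
const ALLOWED_ORIGINS = new Set(['https://app.testforge.dev', 'https://testforge.dev']);
const STATE_CHANGING = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);

// Origin verification: a state-changing request must carry an Origin header naming one
// of our own origins, falling back to the origin of the Referer when Origin is absent.
// A request with neither header, or with the opaque value "null", is rejected: browsers
// attach Origin to cross-site POSTs, so such a request cannot be attributed to our own
// pages and we fail closed. Safe methods pass through and must therefore never change
// state. Header names are lower-case, as Node presents them.
function originAllowed(req, allowed = ALLOWED_ORIGINS) {
  if (!STATE_CHANGING.has(req.method.toUpperCase())) return true;
  const origin = req.headers.origin;
  if (origin !== undefined) return allowed.has(origin);
  const referer = req.headers.referer;
  if (referer === undefined) return false;
  try {
    return allowed.has(new URL(referer).origin);
  } catch (e) {
    return false; // unparsable Referer
  }
}

// Token bucket keyed by an arbitrary string. Refill happens in whole tokens per
// interval so the arithmetic stays exact on integer millisecond timestamps.
class TokenBucketLimiter {
  constructor(capacity, refillIntervalMs) {
    this.capacity = capacity;
    this.refillIntervalMs = refillIntervalMs;
    this.buckets = new Map();
  }
  allow(key, nowMs) {
    let b = this.buckets.get(key);
    if (b === undefined) {
      b = { tokens: this.capacity, updated: nowMs };
      this.buckets.set(key, b);
    }
    const refills = Math.floor((nowMs - b.updated) / this.refillIntervalMs);
    if (refills > 0) {
      b.tokens = Math.min(this.capacity, b.tokens + refills);
      b.updated += refills * this.refillIntervalMs;
    }
    if (b.tokens === 0) return false;
    b.tokens -= 1;
    return true;
  }
}

// Login attempts are limited per client address and per target account: one address
// cannot brute-force a single account, and a distributed attacker cannot spray one
// account from many addresses. req.ip must be the address recorded by the trusted
// edge (WAF or proxy), never a client-supplied X-Forwarded-For value.
const loginLimiter = new TokenBucketLimiter(5, 60000); // 5 attempts, then 1 per minute

function loginAllowed(req, nowMs) {
  if (!loginLimiter.allow(`ip:${req.ip}`, nowMs)) return false;
  const username = String((req.body && req.body.username) || '').trim().toLowerCase();
  return loginLimiter.allow(`user:${username}`, nowMs);
}

// Gate for the login route: CSRF check first, then the rate limit.
function gateLogin(req, nowMs) {
  if (!originAllowed(req)) return { ok: false, status: 403, reason: 'origin' };
  if (!loginAllowed(req, nowMs)) return { ok: false, status: 429, reason: 'rate' };
  return { ok: true, status: 200 };
}
```

The origin check complements SameSite cookies rather than replacing them: SameSite=Lax still sends cookies on top-level navigations, and an origin check catches the cases a cookie attribute cannot express. Returning 429 before any password comparison also keeps the rate limit from leaking whether the account exists.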

5. Third-Party Security

We carefully vet and monitor all third-party integrations:

  • Stripe — PCI DSS Level 1 certified; we never handle or store raw payment card data
  • GitHub — OAuth tokens are encrypted at rest and scoped to the minimum required permissions
  • Anthropic (AI provider) — code sent for analysis is processed under strict data handling agreements and is not used to train AI models
  • All third-party vendors are evaluated for security certifications and data handling practices before integration

6. Vulnerability Reporting

We welcome responsible disclosure of security vulnerabilities. If you discover a security issue, please report it to us:

Email: security@testforge.dev

Our responsible disclosure policy:

  • Please provide sufficient detail for us to reproduce and verify the issue
  • Allow us reasonable time (up to 90 days) to address the vulnerability before public disclosure
  • Do not access, modify, or delete data belonging to other users
  • We will acknowledge your report within 48 hours and keep you updated on our progress
  • We do not pursue legal action against researchers who follow this policy

7. Compliance

We are committed to meeting industry compliance standards:

  • SOC 2 Type II — audit currently in progress, targeting completion in Q3 2026
  • GDPR — compliant with the EU General Data Protection Regulation, including data subject rights, data processing agreements, and breach notification procedures
  • CCPA — compliant with the California Consumer Privacy Act for users in California
  • Data Processing Agreements (DPAs) available for Enterprise customers upon request

8. Incident Response

We maintain a formal incident response plan to handle security events:

  • 24/7 monitoring and alerting for anomalous activity
  • Defined escalation procedures with clear roles and responsibilities
  • Affected users notified within 72 hours of a confirmed data breach, matching the 72-hour window GDPR (Article 33) sets for notifying the supervisory authority
  • Post-incident reviews with root cause analysis and remediation plans

Have a security question? Contact us:

Email: security@testforge.dev