SOC 2 Compliance

How we align with SOC 2 trust service criteria to protect your data.

Last updated · April 2026

1. Overview

TestForge is committed to maintaining the highest standards of security, availability, and data protection. We align our practices with the SOC 2 (System and Organization Controls 2) framework developed by the American Institute of Certified Public Accountants (AICPA).

SOC 2 evaluates an organization across five trust service criteria. Below we describe how TestForge addresses each principle through our infrastructure, processes, and policies.

2. Security

We protect against unauthorized access through multiple layers of defense:

  • Encryption in transit and at rest. All data is encrypted using TLS 1.3 in transit and AES-256 at rest.
  • Authentication controls. Bcrypt password hashing, TOTP-based two-factor authentication, and OAuth 2.0 via GitHub.
  • Network security. Cloud-hosted infrastructure with DDoS protection, Web Application Firewall (WAF), and rate limiting on all API endpoints.
  • Access management. Role-based access control (RBAC) for team accounts. Principle of least privilege for internal systems.
  • Session management. Session cookies are set with the Secure and HttpOnly attributes and protected against CSRF. Sessions expire automatically and refresh tokens are rotated on use.

3. Availability

TestForge is designed for high availability and resilience:

  • Cloud-native architecture with auto-scaling and redundancy across availability zones.
  • Automated health monitoring with alerting for service degradation.
  • Regular automated backups with point-in-time recovery for PostgreSQL databases.
  • Defined incident response procedures with escalation paths and post-mortem analysis.
  • Enterprise plans include SLA guarantees for uptime commitments.

4. Confidentiality

We treat all customer data as confidential by default:

  • Repository source code is accessed read-only through GitHub OAuth scopes and is never stored permanently on our servers.
  • Test results, logs, and screenshots are scoped to the owning team and are not accessible by other customers.
  • AI model interactions (test generation, fix proposals) are processed in isolated environments. Your code is not used to train models.
  • Employee access to production systems requires multi-factor authentication and is logged in audit trails.

5. Processing Integrity

We ensure that system processing is complete, accurate, and authorized:

  • Test executions run in clean, isolated browser environments (Chromium, Firefox, WebKit) to ensure consistent and accurate results.
  • All API requests are validated using Zod schemas before processing.
  • Webhook events from GitHub are verified using cryptographic signatures.
  • Billing operations use Stripe webhook signature verification to prevent unauthorized transactions.

6. Privacy

Personal information is collected, used, retained, and disclosed in accordance with our Privacy Policy. Key practices include:

  • We collect only the minimum personal data necessary to provide the service.
  • Users can request data export or account deletion at any time.
  • We do not sell personal data to third parties.
  • Sub-processors are vetted for their own privacy and security practices.

7. Key Controls

The following controls are implemented across our organization:

  • Change management. All code changes go through pull request review, automated testing, and staged deployment.
  • Vulnerability management. Regular dependency scanning, static analysis, and responsible disclosure program.
  • Logging and monitoring. Centralized logging, anomaly detection, and real-time alerting for security events.
  • Business continuity. Documented disaster recovery procedures with regular testing.
  • Vendor management. Third-party vendors assessed for security posture before integration.

8. Request Report

If you are evaluating TestForge for your organization and require detailed compliance documentation, please contact our team. We can provide:

  • Security questionnaire responses
  • Architecture and data flow documentation
  • Sub-processor list
  • Penetration test summary (under NDA)

Contact us at security@testforge.dev.