TestAI
Sign InGet Started
← Back to Home

Security Policy

Last Updated: January 16, 2026

1. Introduction

Security is fundamental to AI Agent Tester. This Security Policy outlines the measures we implement to protect your data, secure our infrastructure, and maintain the confidentiality, integrity, and availability of our Service.

We are committed to maintaining industry-leading security practices and continuously improving our security posture.

2. Security Framework

2.1 Compliance and Standards

Our security program aligns with industry-standard frameworks and regulations:

  • GDPR (General Data Protection Regulation)
  • CCPA (California Consumer Privacy Act)
  • SOC 2 Type II (in progress)
  • ISO 27001 (in progress)
  • OWASP Top 10 security best practices

2.2 Security Principles

We follow core security principles:

  • Defense in Depth: Multiple layers of security controls
  • Least Privilege: Minimum necessary access rights
  • Zero Trust: Verify all access requests regardless of source
  • Security by Design: Security integrated from the start
  • Continuous Monitoring: Ongoing security assessment and improvement

3. Data Security

3.1 Encryption

We protect data using industry-standard encryption:

  • In Transit: TLS 1.2+ for all data transmission
  • At Rest: AES-256 encryption for stored data
  • Secrets: Environment secrets encrypted with AES before storage
  • Database: Encrypted database connections and storage
  • Backups: Encrypted backup storage

3.2 Data Isolation

  • Multi-tenancy: Strict organization-level data isolation
  • Row-Level Security (RLS): Database-level access controls
  • API Authorization: Explicit membership verification on all endpoints
  • Role-Based Access Control (RBAC): Owner, admin, and member roles

3.3 Data Minimization

  • Collect only necessary data for Service provision
  • Automatic data retention and deletion policies
  • Secure deletion procedures for removed data
  • Regular data cleanup and archival

4. Authentication and Access Control

4.1 User Authentication

  • Email-based OTP: One-time password authentication via Supabase
  • Session Management: Secure session tokens with automatic expiration
  • Multi-Factor Authentication (MFA): Available for enhanced security
  • Password Requirements: Strong password policies when applicable

4.2 Authorization

  • Organization Membership: Verified on every API request
  • Role-Based Permissions: Owner, admin, and member roles with different privileges
  • Invitation System: Secure email-based invitation flow
  • API-Level Checks: Authorization enforced at the application layer

4.3 Internal Access

  • Strict access controls for employee access to production systems
  • Just-in-time (JIT) access for operational needs
  • Comprehensive audit logging of all administrative actions
  • Regular access reviews and revocations

5. Infrastructure Security

5.1 Cloud Infrastructure

We leverage secure cloud infrastructure providers:

  • Supabase: PostgreSQL database with built-in security features
  • Google Cloud Platform: Enterprise-grade infrastructure with SOC 2 and ISO 27001 compliance
  • Network Isolation: Private networks and VPCs for sensitive components
  • DDoS Protection: Cloud provider DDoS mitigation

5.2 Application Security

  • Secure Development: Security-focused development practices
  • Input Validation: Comprehensive validation of all user inputs
  • SQL Injection Prevention: Parameterized queries and ORM usage
  • XSS Protection: Output encoding and Content Security Policy (CSP)
  • CSRF Protection: Anti-CSRF tokens on all state-changing operations
  • Dependency Management: Regular updates and vulnerability scanning

5.3 API Security

  • Rate Limiting: Protection against abuse and brute-force attacks
  • Authentication Required: All API endpoints require valid authentication
  • Authorization Checks: Organization membership verified on every request
  • Input Validation: Strict validation of all API inputs
  • API Versioning: Controlled changes with backward compatibility

6. Security Monitoring and Incident Response

6.1 Continuous Monitoring

  • System Monitoring: 24/7 monitoring of system health and performance
  • Security Logging: Comprehensive logging of security-relevant events
  • Anomaly Detection: Automated detection of suspicious activities
  • Intrusion Detection: Network and application-level intrusion detection
  • Vulnerability Scanning: Regular automated vulnerability assessments

6.2 Incident Response

We maintain a comprehensive incident response plan:

  • Incident Response Team: Dedicated team for security incidents
  • Defined Procedures: Documented response procedures for various scenarios
  • Rapid Detection: Automated alerts for potential security incidents
  • Containment: Immediate action to contain and mitigate incidents
  • Investigation: Root cause analysis and forensics
  • Communication: Timely notification to affected customers
  • Remediation: Implementation of corrective measures
  • Post-Incident Review: Analysis and improvement of security measures

6.3 Data Breach Response

In the event of a data breach:

  • Notification to affected customers within 72 hours (when feasible)
  • Notification to regulatory authorities as required by law
  • Detailed information about the breach and affected data
  • Recommended actions for affected users
  • Transparent communication throughout the investigation

7. Third-Party Security

7.1 Vendor Risk Management

  • Security Assessments: Evaluation of third-party security practices
  • Contractual Obligations: Security requirements in vendor agreements
  • Regular Reviews: Ongoing assessment of vendor security posture
  • Limited Access: Minimum necessary data shared with vendors

7.2 Sub-processors

We only work with security-conscious sub-processors:

  • Supabase (SOC 2 Type II compliant)
  • Google Cloud Platform (SOC 2, ISO 27001, PCI DSS certified)
  • Resend (privacy-focused email service)
  • OpenAI (enterprise-grade security measures)

See our Data Processing Agreement for complete sub-processor details.

7.3 Integration Security

  • OAuth 2.0: Secure authorization for third-party integrations (Jira, etc.)
  • Scoped Access: Minimum necessary permissions requested
  • Token Security: Encrypted storage of OAuth tokens
  • Revocable Access: Users can disconnect integrations at any time

8. Business Continuity and Disaster Recovery

8.1 Backup and Recovery

  • Regular Backups: Automated daily backups of all data
  • Backup Encryption: All backups encrypted at rest
  • Geographic Redundancy: Backups stored in multiple geographic locations
  • Recovery Testing: Regular testing of backup restoration procedures
  • Retention Policy: Backups retained for up to 30 days

8.2 High Availability

  • Redundant Infrastructure: Multiple availability zones for critical components
  • Load Balancing: Distributed traffic across multiple servers
  • Automatic Failover: Automated failover to backup systems
  • Database Replication: Real-time database replication for resilience

8.3 Disaster Recovery Plan

  • Documented disaster recovery procedures
  • Recovery Time Objective (RTO): 4 hours for critical systems
  • Recovery Point Objective (RPO): 24 hours maximum data loss
  • Regular disaster recovery drills and tests

9. Personnel Security

9.1 Employee Practices

  • Background Checks: Verification for employees with data access
  • Confidentiality Agreements: All employees sign NDAs
  • Security Training: Mandatory security awareness training
  • Ongoing Education: Regular updates on security best practices
  • Access Termination: Immediate revocation of access upon departure

9.2 Contractor and Vendor Personnel

  • Contractual security and confidentiality obligations
  • Limited access based on role and necessity
  • Regular access reviews and audits

10. Physical Security

While we use cloud infrastructure, our cloud providers implement comprehensive physical security:

  • 24/7 monitored data centers
  • Multi-layer access controls and biometric authentication
  • Video surveillance and security personnel
  • Environmental controls (fire suppression, climate control)
  • Redundant power and network connectivity

11. Security Testing and Assessment

11.1 Regular Testing

  • Vulnerability Scanning: Automated weekly scans
  • Penetration Testing: Annual third-party penetration tests
  • Code Reviews: Security-focused code reviews for all changes
  • Security Audits: Regular internal and external audits

11.2 Continuous Improvement

  • Regular review and update of security policies
  • Incorporation of lessons learned from incidents
  • Tracking of emerging threats and vulnerabilities
  • Investment in new security technologies

12. Responsible Disclosure

12.1 Security Researcher Program

We welcome responsible disclosure of security vulnerabilities. If you discover a security issue:

  • Email us at security@ai-agent-tester.com
  • Provide detailed information about the vulnerability
  • Allow us reasonable time to address the issue before public disclosure
  • Do not exploit the vulnerability or access user data

12.2 Our Commitment

  • Acknowledge receipt of your report within 48 hours
  • Investigate and validate the reported vulnerability
  • Keep you informed of our progress
  • Credit you for the discovery (unless you prefer to remain anonymous)
  • No legal action for good-faith security research

13. Customer Security Responsibilities

While we implement comprehensive security measures, customers also play a critical role:

13.1 Account Security

  • Use strong, unique passwords
  • Enable multi-factor authentication when available
  • Keep credentials confidential
  • Report suspicious activity immediately

13.2 Data Management

  • Classify and protect sensitive data appropriately
  • Grant minimum necessary access to team members
  • Regularly review and remove inactive users
  • Use test data rather than production data when possible

13.3 Compliance

  • Follow our Acceptable Use Policy
  • Ensure proper authorization before testing third-party systems
  • Comply with applicable laws and regulations

14. Security Certifications

We are working toward industry-recognized security certifications:

  • SOC 2 Type II: In progress (expected completion: Q2 2026)
  • ISO 27001: Planned for 2026
  • GDPR Compliance: Full compliance with GDPR requirements
  • CCPA Compliance: Compliance with California privacy laws

15. Updates to This Policy

We may update this Security Policy to reflect changes in our security practices or legal requirements. Material changes will be communicated via email or through the Service.

16. Contact Us

For security-related questions or to report security issues:

Company: [PLACEHOLDER_company_name]

Address: [PLACEHOLDER_street_address], [PLACEHOLDER_postal_code] [PLACEHOLDER_city], Netherlands

Security Team: security@[PLACEHOLDER_domain]

Abuse Reports: abuse@[PLACEHOLDER_domain]

Privacy Inquiries: privacy@[PLACEHOLDER_domain]