Decode AI-Powered Quality Engineering from AI & QA Leaders,Register for Free!
Privacy
At TestMu, we deeply value our user's privacy. We will put our best foot forward to protect and defend it. We truly believe in being transparent with our users so that both people and organizations can control their data and have the freedom to decide how their data can be used. We will empower and strongly defend the privacy choices of every customer who uses our platform.
In this period of rapid technological and regulatory change, it has never been more important to take a considered approach to protect personal data. From the European General Data Protection Regulation (GDPR) to new US state laws like the California Consumer Privacy Act (CCPA), we know how much effort it takes to assess and manage privacy risks. That’s why TestMu builds its products & services with an eye toward minimizing that effort for our customers.
Our Agentic AI Quality Engineering Platform services provide industry-leading functionality with a minimal collection of personal data and an emphasis on security. Privacy and security considerations are baked directly into our product development process so customers can focus on things that matter the most,i.e. their tests.
Overview
TestMu prioritizes customer trust. We know that the security and integrity of customer data are important to our customers’ values and operations.
TestMu's Commitment to Privacy & Data Protection
We're committed to protecting and honoring your privacy and rights through our product, infrastructure, and data governance practices.
We have a comprehensive global privacy and data protection compliance program that aligns our practices with regulations such as the General Data Protection Regulation, California Consumer Privacy Act, and other applicable privacy and data protection laws/acts, which take a unified approach to privacy and information governance to give Customers. TestMu helps customers maintain control of their privacy and data security in a myriad of ways:
- Product Security
- Cloud Security
- Data Security
- Application Security
Authentication Options
TestMu has several different authentication options: users can enable TestMu platform authentication, integrating in test scripts, integrating with GitHub, etc. And, also Single sign-on (SSO), and/or Enterprise SSO (SAML,) for user authentication options available.
Learn about user access
Learn about GitHub Integration Learn about SSO 2-Factor Authentication (2FA)
TestMu authentication for platforms available through the Manage Team offers 2-factor (2FA) authentication as well.
Service Credential Storage
TestMu follows secure credential storage best practices by never storing passwords in human-readable format and only as the result of a secure, one way hashing with a random salt using industry-standard techniques.
Role-Based Access Controls
Access to data within TestMu platforms is governed by role-based access control (RBAC) and can be configured to define granular access privileges. TestMu supports various permission levels for users (Admin, User, Guest).
Learn about user rolesIP Whitelisting
We provide two different strategies for IP whitelisting wherever it is required by the customer.
1. Whitelist the multiple IP which is shared in nature.
2. Just whitelist one IP, which is a dedicated IP for a customer, which comes at an extra cost shared in nature.
Tunnel
You can test your locally hosted pages and privately hosted pages at TestMu Selenium Test Automation Platform using the TestMu tunnel app. The TestMu tunnel allows you to connect your local system with TestMu servers via SSH-based integration tunnel
https://www.TestMu.com/support/docs/testing-locally-hosted-pages/Encryption in Transit
All communications with TestMu platforms and APIs are encrypted via industry standard HTTPS/TLS (TLS 1.2 or higher) over public networks. This ensures that all traffic between you and TestMu is secure during transit.
We also support http and TLS 1 for a few selenium frameworks which don’t support https or TLS.
Encryption at Rest
Data at rest is encrypted using AES-256 bit standards with keys being managed by key management services.
Tokenization
We use (DigiCert) certificates for domain management and ISRG Root X1 (chain of trust Let’s Encrypt) is the certificate authority. We are using email-based verification to obtain certificates. These certificates are managed via AWS ACM and DigiCert panel. The certificates are set to renew every 365 days. Nobody will view and download the certificate details except a few dedicated members of the Cloud Infrastructure team.
Dedicated Security Team
Our globally distributed Security Team is on call 24/7 to respond to security alerts and events.
Protection
Our network is protected through the use of key AWS security services, integration with our Cloudflare edge protection networks, regular audits, and network intelligence technologies, which monitor and/or block known malicious traffic and network attacks.
Architecture
Our network security architecture consists of multiple security zones. More restricted systems like database servers are protected in our most trusted zones. Other systems are housed in zones commensurate with their sensitivity, depending on function, information classification, and risk. Depending on the zone, additional security monitoring and access controls will apply. DMZs are utilized between the Internet and internally between the different zones of trust.
Network Vulnerability Scanning
Network security scanning gives us deep insight for quick identification of out-of-compliance or potentially vulnerable systems.
Third-Party Penetration Tests
In addition to our extensive internal scanning and testing program, each year TestMu employs third-party security experts to perform a broad penetration test across the TestMu Production and Corporate Networks.
Security Incident Event Management
Our Security Incident Event Management (SIEM) system gathers extensive logs from important network devices and host systems. The SIEM alerts on triggers that notify the Security team based on correlated events for investigation and response.
Intrusion Detection and Prevention
Service ingress and egress points are instrumented and monitored to detect abnormal behavior. These systems are configured to generate alerts when incidents and values exceed predetermined thresholds and use regularly updated signatures based on new threats. This includes 24/7 system monitoring.
Threat Intelligence Programme
TestMu participates in several threat intelligence sharing programs. We monitor threats posted to these threat intelligence networks and take action based on risk.
DDoS Mitigation
TestMu has architected a multi-layer approach to DDoS mitigation. A core technology partnership with Cloudflare provides network edge defenses, while the use of AWS scaling and protection tools provides deeper protection along with our use of AWS DDoS-specific services.
Logical Access
Access to the TestMu Production Network is restricted by an explicit need-to-know basis, utilizes the least privilege, is frequently audited and monitored, and is controlled by our Operations Team. Employees accessing the TestMu Production Network are required to use multiple factors of authentication.
Muti-Tenancy
Each application is serviced from an individual virtual private cloud and each customer is uniquely identified by a tenant ID. The application is engineered and verified to ensure that it always fetches data only for the logged-in-tenant. Per this design, no customer has access to another Customer’s data.
Security Incident Response
In case of a system alert, events are escalated to our 24/7 teams providing Operations, Network Engineering, and Security coverage. Employees are trained on security incident response processes, including communication channels and escalation paths.
Facilities
TestMu hosts Customer data or Test data primarily in AWS and Azure data centers that have been certified as ISO 27001, 27701, PCI DSS Service Provider Level 1, and/or SOC 2 compliant.
Learn about Compliance at AWSAWS infrastructure services include backup power, HVAC systems, and fire suppression equipment to help protect servers and ultimately your data.
Learn more about Data Centre Controls at AWSData Hosting Location
TestMu hosts its products and associated customer data in the United States, Europe, and Asia Pacific region of AWS and Azure data centers which meet global standards and regulations.
On-Site Security
AWS on-site security includes a number of features such as security guards, fencing, security feeds, intrusion detection technology, and other security measures.
Learn about AWS physical securityUptime
TestMu maintains a publicly available platform-health dashboard, which includes platform, or system availability details, scheduled maintenance, service incident history, and relevant security events.
Redundancy
TestMu employs service clustering and network redundancies to eliminate single points of failure. Our strict backup regime and/or our Disaster Recovery service offering allows us to deliver a high service availability, as customer or test data is replicated across availability zones.
Disaster Recovery
Our Disaster Recovery (DR) program ensures that our Services remain available and are easily recoverable in the case of a disaster. This is accomplished through building a robust technical environment and creating Disaster Recovery plans and testing activities.
Enhanced Disaster Recovery
Our Disaster Recovery services add contractual objectives for Recovery Time Objective (RTO) and Recovery Point Objective (RPO). These are supported through our capability to prioritize operations of Enhanced Disaster Recovery customers during any declared disaster event.
In the event of a disaster, the following objectives apply:
i. 4-hour Recovery Time Objective (RTO): TestMu will aim to restore normal operations for your TestMu platform account within four hours from the time a disaster is declared, unless a disaster, or multiple disasters, impacts all of the Availability Zones used on an account.
ii. Under 1-hour Recovery Point Objective (RPO): TestMu will target one hour or less of data loss for your account. This is calculated from the point of the disruption, not from TestMu's disaster declaration.
TestMu minimizes risks associated with third-party vendors by performing security reviews on all vendors with any level of access to our Information systems or Customer data.
TestMu hosts its products and associated customer data in the United States, Europe, and Asia Pacific region of AWS and Azure data centers which meet global standards and regulations.
TestMu never discloses any Customer data, Test execution data, and Accounts data to any third parties 'unless' where disclosure is necessary to be provided for certain services or as required to respond to lawful requests from public authorities-- please check if this was the intended statement
TestMu has developed security protections and control processes to help our customers ensure a secure environment for their information. Independent third-party experts have confirmed TestMu's adherence to high industry standards.
TestMu provides advanced access using the least privilege principle and encryption features to help customers protect their information. We do not access or use customer content for any purpose other than providing, maintaining, and improving the TestMu Services and as otherwise required by law.
To verify that our privacy practices are appropriate, TestMu maintains a data inventory and flow of our product, documenting how data is processed and stored and what systems process PII or personal data, if any.
TestMu processes and stores Test execution data from its Customers while providing TestMu Services or transmitted via the TestMu platform by or on behalf of our Customers.
These data include reports, tests, networks, browser process logs, other artifacts, authentication, licensing, and test execution metadata (e.g. test status, duration, name, browsing sessions, search history) and other information that Customers may provide during testing.
All test execution data reports are available from the TestMu platform interface. Test execution data reports and other Test execution data are stored for 30 days and then automatically deleted. Customers who require longer data retention periods are encouraged to download their data directly.
Disposal of Data - Test execution data is disposed of in a method that renders the data unrecoverable, to the extent reasonably possible, in accordance with industry best practices for wiping off or cleaning up electronic media (e.g. NIST SP 800-88).
Secure Code Training
Secure coding guidelines based on OWASP Top 10 are shared with the engineering teams or engineers. The guidelines shall include but are not limited to Input Validation, Output Encoding, Session Management, Error Handling, and Logging. Engineers are also trained on the secure coding guidelines by the Application Security team at least on a yearly basis.
Framework Security Controls
TestMu leverages modern and secure open-source frameworks with security controls to limit exposure to OWASP Top 10 security risks. These inherent controls reduce our exposure to SQL Injection (SQLi), Cross Site Scripting (XSS), and Cross Site Request Forgery (CSRF), amongst others.
Quality Assurance
Our Quality Assurance (QA) team reviews and tests our code base. Dedicated application security engineers on staff identify, test, and triage security vulnerabilities in code.
Separate Environments
Development, testing, and staging environments are logically separated from the Production environment. No Customer data or Test data is used in our development or test environments.
Version Control
Source Code is managed centrally with version controls and access restricted based on various teams that are assigned to specific sprints. Records are maintained for code changes and code check-ins and check-outs.
Dynamic Vulnerability Scanning
We employ third-party security tooling to continuously and dynamically scan our core platform applications against common web application security risks, including, but not limited to the OWASP Top 10 security risks. We maintain a dedicated in-house product security team to test and work with engineering teams to remediate any discovered issues.
Software Composition Analysis
We scan the libraries and dependencies used in our products to identify vulnerabilities and ensure the vulnerabilities are managed.
Third-Party Penetration Testing
In addition to our extensive internal scanning and testing program, TestMu employs third-party security experts to perform detailed penetration tests on different applications within our family of products.
Responsible Disclosure / Bug Reporting
TestMu takes the security of its systems and products seriously and values the security community. The responsible disclosure of security and privacy vulnerabilities helps TestMu in ensuring the security and privacy of its users. Bugs can be reported through email at [email protected].
Patch Management
TestMu patch management process is governed by the applicable policy and standard to ensure that all patches, security and otherwise, are deployed in accordance with defined SLAs.
Frequently asked questions
- TestMu Account data
- Test execution data
The second category of data consists of the data that our Customers uploaded to our Platform, or our Platform otherwise accesses that in the course of testing applications, reports, tests, networks, browsers process logs, other artifacts, authentication, licensing, and test execution metadata (e.g., test status, duration, name, browsing sessions, search history) and other information that Customers may provide during testing
In general, ‘Test execution data' means data stored or processes for delivery of Services we provide as a data processor and includes data stored for backup as well. 'Test execution data' need not contain any identifiable PII and sensitive PII regarding customer personnel, customers, end-users, or other third parties.
Please note that TestMu does not collect, nor does it require, any identifiable PII or sensitive data by default for its functioning.
From a privacy perspective, the Customer is the controller of Test execution data, and TestMu is a processor. This means that throughout the time that a customer subscribes to services with TestMu, the Customer retains ownership of and control over Test execution data in its account.
Test execution data’ means data stored for delivery of services we provide as a data processor and includes data stored for backup. TestMu hosts its products and associated data on Amazon Web Services (AWS) and Microsoft Azure (Azure) data center, qualified by global IT standards and regulations.
TestMu can host the data in the below-mentioned AWS locations (called regions as per AWS)
| Country | City | AWS Region |
|---|---|---|
| USA | Virginia | US East 1 |
| USA | Ohio | US East 2 |
| USA | California | US West 1 |
| USA | Oregon | US West 2 |
| EU/EEA | Frankfurt | EU Central 1 |
| EU/EEA | Ireland | EU West 1 |
| EU/EEA | London | EU West 2 |
| EU/EEA | Paris | EU West 3 |
| Australia | Sydney | Asia Pacific SouthEast 2 |
| Singapore | Singapore | Asia Pacific SouthEast 1 |
| India | Mumbai | Asia Pacific South 1 |
TestMu can host the data in the below-mentioned Microsoft Azure locations (called regions as per Azure).
| Country | City | AWS Region |
|---|---|---|
| USA | Virginia | US East |
| EU | Frankfurt | EU Central |
For example, TestMu servers are hosted at Tier IV or III+, SSAE-16, PCI DSS, or ISO 27001 compliant facilities. Additionally, we engage third-party security experts to perform detailed penetration tests on a periodic basis, and our Customer Success support team is on call 24/7 to respond to security alerts and events.
As data processors, we inform the concerned data controllers without undue delay. The Data Protection Officer is responsible for reporting security incidents /breaches to customers.
Customers will have a dedicated Customer Success Manager who will be the SPOC for reporting. The account owner/admin of the Customer’s TestMu platform will be notified of any security incident that has an impact on the Customer. If there are any email DLs, we will also be able to report the same. We are happy to contractually agree on such requirements with a mutual concurrence.
- TestMu does not disclose any Customer data except as necessary to provide its services to its customers and comply with the law as detailed in our Privacy Policy found here
- TestMu has achieved a number of internationally-recognized certifications and accreditations demonstrating compliance with third-party assurance frameworks as described on our Security site.
We may also share such information with relevant law enforcement agencies or public authorities if we believe the same to be necessary in order to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of our Terms of Service, or as otherwise required by law.