At Testfully, our InfoSec team is the guardian of your trust. We craft robust policies, implement cutting-edge controls, and ensure airtight compliance. From vigilant monitoring to passing third-party audits with flying colors, we’re all about building a fortress of security around your data.
Foundations of Security: Our Guiding Principles
- Access Should Be Limited to Only Those with a Legitimate Business Need and Granted Based on the Principle of Least Privilege
  We ensure access is strictly role-based, granting employees only the permissions needed to perform their duties. Regular access reviews and MFA strengthen this principle, reducing exposure to insider threats and accidental data breaches.
- Security Controls Should Be Implemented and Layered According to the Principle of Defense-in-Depth
  By layering multiple security measures, we create a robust defense that addresses threats at every level. From firewalls and endpoint protection to application security and user authentication, each layer reinforces the next for comprehensive protection.
- Security Controls Should Be Applied Consistently Across All Areas of the Enterprise
  Uniform application of security measures ensures no weak links. Whether it’s infrastructure, applications, or workflows, consistent implementation minimizes risks and enhances overall resilience.
- The Implementation of Controls Should Be Iterative and Continuously Mature
  Security is a journey, not a destination. We continuously refine controls to improve effectiveness, make auditing easier, and reduce operational friction. This agile approach allows us to adapt to evolving threats while maintaining a seamless user experience.
Security and Compliance at Testfully
At Testfully, safeguarding your trust is our top priority. We’re dedicated to upholding the highest standards of security and compliance, ensuring that our platform remains secure, reliable, and resilient. Our InfoSec team is actively pursuing SOC 2 Type II and ISO 27001 certification as well as GDPR compliance, reflecting our commitment to protecting your data.
Stay tuned as we achieve these milestones and continue to raise the bar for security in the devtooling space!
Guardians of Data: Securing What Matters Most
Data at Rest: Fortified with Encryption from Core to Cloud
At Testfully, all datastores containing customer data are encrypted at rest. For sensitive collections and tables, we go a step further with row-level encryption. This means your data is encrypted even before it reaches the database, ensuring that neither physical nor logical access alone can compromise the most sensitive information.
Data in Transit: Secured Every Step of the Way
At Testfully, we ensure your data stays protected on the move. We utilize TLS 1.2 or higher for all data transmitted over potentially insecure networks.
Server TLS keys and certificates are expertly managed by AWS and deployed via Application Load Balancers, ensuring robust, enterprise-grade security at every point of transit.
Secret Management: Securing the Heart of Our Operations
At Testfully, we manage encryption keys with the utmost care using AWS Key Management Service (KMS). Backed by Hardware Security Modules (HSMs), these keys are safeguarded against direct access—even by Amazon employees. Encryption and decryption are handled seamlessly through Amazon’s KMS APIs.
For application secrets, we rely on AWS Secrets Manager and Parameter Store, ensuring all sensitive data is encrypted and securely stored. Access to these values is tightly controlled, maintaining an uncompromising standard of security.
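The two sections above describe row-level encryption applied before data reaches the database, and a key-management service whose master keys never leave the HSM. The pattern that ties these together is envelope encryption: the application asks the key service for a fresh per-row data key (returned both in plaintext and wrapped under the master key), encrypts the row with the data key, and stores only the ciphertext and the wrapped key. The following Go program is an added illustration of that pattern, not Testfully's code; the `kmsStandIn` type and its `generateDataKey`/`decryptDataKey` methods are assumptions that play the role of a KMS locally so the example runs offline, and the row IDs and secret values are constructed sample data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// kmsStandIn is an assumption for this example: it holds the key-encryption key
// (KEK) and never hands it out, the way a real KMS/HSM would. Callers only ever
// receive data keys, either in plaintext (for immediate use) or wrapped.
type kmsStandIn struct {
	kek []byte // 32-byte AES-256 key, held inside the "HSM"
}

// NewKMSStandIn creates a stand-in KMS with a random KEK (constructed for the example).
func NewKMSStandIn() (*kmsStandIn, error) {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &kmsStandIn{kek: kek}, nil
}

// generateDataKey mirrors the GenerateDataKey pattern: a fresh 256-bit data key
// is returned in plaintext together with the same key wrapped under the KEK.
func (k *kmsStandIn) generateDataKey() (plain, wrapped []byte, err error) {
	plain = make([]byte, 32)
	if _, err = rand.Read(plain); err != nil {
		return nil, nil, err
	}
	wrapped, err = aesGCMSeal(k.kek, plain, []byte("datakey"))
	if err != nil {
		return nil, nil, err
	}
	return plain, wrapped, nil
}

// decryptDataKey unwraps a data key; only the holder of the KEK can do this.
func (k *kmsStandIn) decryptDataKey(wrapped []byte) ([]byte, error) {
	return aesGCMOpen(k.kek, wrapped, []byte("datakey"))
}

// aesGCMSeal encrypts with AES-GCM and returns nonce || ciphertext || tag.
func aesGCMSeal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// aesGCMOpen reverses aesGCMSeal; any tampering with ciphertext or AAD fails authentication.
func aesGCMOpen(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// EncryptedRow is what the database stores for a sensitive record: the wrapped
// data key travels with the row; the plaintext data key is dropped after use.
type EncryptedRow struct {
	ID         string
	WrappedKey []byte
	Ciphertext []byte
}

// EncryptRow performs application-side (row-level) encryption before the insert.
// The row ID is bound as AAD so a ciphertext cannot be moved onto another row.
func EncryptRow(kms *kmsStandIn, id string, secret []byte) (EncryptedRow, error) {
	dk, wrapped, err := kms.generateDataKey()
	if err != nil {
		return EncryptedRow{}, err
	}
	ct, err := aesGCMSeal(dk, secret, []byte(id))
	if err != nil {
		return EncryptedRow{}, err
	}
	return EncryptedRow{ID: id, WrappedKey: wrapped, Ciphertext: ct}, nil
}

// DecryptRow unwraps the row's data key through the KMS, then opens the ciphertext.
func DecryptRow(kms *kmsStandIn, row EncryptedRow) ([]byte, error) {
	dk, err := kms.decryptDataKey(row.WrappedKey)
	if err != nil {
		return nil, err
	}
	return aesGCMOpen(dk, row.Ciphertext, []byte(row.ID))
}

func main() {
	kms, _ := NewKMSStandIn()
	row, _ := EncryptRow(kms, "env-42", []byte("constructed-api-token")) // sample data
	pt, err := DecryptRow(kms, row)
	fmt.Printf("stored %d ciphertext bytes, decrypted %q, err=%v\n", len(row.Ciphertext), pt, err)
}
```

The property worth noticing is the one the Data at Rest section states: a reader who obtains the database contents (physical or logical access) holds only wrapped keys and ciphertext, and cannot open a row without also being authorised to call the key service; conversely, the key service never sees row contents, only 32-byte data keys. Binding the row ID as AAD additionally stops a ciphertext from being copied between rows.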
Product Security: Tested and Trusted
At Testfully, we prioritize product security by partnering with Australia’s leading penetration testing firms for annual assessments. Every aspect of the Testfully platform—product and cloud infrastructure alike—is thoroughly evaluated, with testers given full access to our source code. This ensures maximum coverage and effectiveness, leaving no stone unturned in safeguarding your data.
Vulnerability Scanning: Proactive Defense at Every Stage
At Testfully, we embed robust vulnerability scanning throughout our Secure Development Lifecycle (SDLC) to stay ahead of potential threats:
- Static Analysis (SAST): Code is rigorously tested during pull requests and continuously thereafter.
- Software Composition Analysis (SCA): We identify and address known vulnerabilities in our software supply chain.
- Malicious Dependency Scanning: Preventing malware at the source by monitoring dependencies.
- Dynamic Analysis (DAST): Ensuring running applications are secure and resilient.
- Network Vulnerability Scanning: Periodic checks to identify and resolve weaknesses in our network.
- External Attack Surface Management (EASM): Continuous monitoring to discover and secure new external-facing assets.
Vendor Security: Risk-Based and Resilient
At Testfully, we take a risk-based approach to vendor security, ensuring that every partnership meets our high standards. We evaluate vendors based on key factors, including:
- Access to Customer and Corporate Data: Assessing the level and scope of data exposure.
- Integration with Production Environments: Analyzing potential impacts on our operations.
- Potential Brand Impact: Mitigating risks to Testfully’s reputation.
Using these criteria, we determine each vendor’s inherent risk rating, followed by a thorough security evaluation. This process results in a residual risk rating that informs our approval decision, ensuring our vendors align with our commitment to security and trust.