Security & compliance

TestingBot Trust Center

TestingBot runs your cross-browser and mobile tests on infrastructure built in the European Union. Encrypted at rest and in transit, GDPR & CCPA compliant, CSA STAR registered and audited from the network layer up.

Status & uptime Privacy policy Security whitepaper
Uptime SLA
99.99%
Hosting
EU only
Operating since
2012

Audited & certified

Star Level One certificate CSA STAR Level 1 GDPR ready GDPR ready
CCPA Compliant CCPA compliant
European data sovereignty

100% European infrastructure.

Every byte of your test data stays in Europe. TestingBot operates exclusively from EU datacenters, giving you full GDPR compliance and data sovereignty by default.

  • Test logs & reports

    All test execution logs and reports stored in EU datacenters.

  • Video recordings

    Test session videos recorded and stored within Europe.

  • Screenshots & artefacts

    All test artefacts securely hosted in EU infrastructure.

  • Test execution

    Tests run on browser and device fleets located in EU datacenters.

Vendors & suppliers

Subprocessors

The third parties TestingBot uses to deliver the service. We pick suppliers that align with our EU-first stance and that you would expect a SaaS vendor to use.

General subprocessors

Applicable to all TestingBot products.

Vendor Purpose Location
Sentry Error tracking 🇪🇺 Europe
Cloudflare CDN, security and storage 🇺🇸 USA
Unix-Solutions Hosting 🇪🇺 Europe
Hetzner Hosting 🇪🇺 Europe
Amazon Web Services, Inc.

410 Terry Avenue North, Seattle, WA 98109, United States

 Storage 🇪🇺 Europe
Google LLC (Google Cloud)

1600 Amphitheatre Parkway, Mountain View, CA 94043, United States

 Geolocation Testing + AI Testing 🇺🇸 Europe and USA
Stripe Inc. Payment processing 🇺🇸 USA
ActiveCampaign, LLC Email delivery 🇺🇸 USA
Intercom

55 2nd Street, 4th Fl., San Francisco, CA 94105, United States

 Customer support 🇺🇸 USA

Feature-specific subprocessors

Used only by specific features within TestingBot products.

Vendor Purpose Location
OpenAI, L.L.C. AI Testing 🇺🇸 USA
Downloads

Security & compliance documents

Everything procurement and security-review teams typically ask for, ready to download.

Privacy by default

Data we collect — and don't.

We keep the data footprint as small as possible. Below is the explicit list.

  • Employee business-card information

    Name, email, phone. Used to manage your account.

  • Customer personally identifiable information (PII)

    We do not collect end-user PII from your tests.

  • Credit card information

    Processed directly by Stripe. We never see your card.

  • Personal health information

    Out of scope. We are not a healthcare service.

  • Source code

    Not collected. Your test code stays in your CI/CD.

  • End-user passwords

    Not collected, not logged, not transcribed.

Frequently asked

Trust & security FAQ.

Quick answers procurement, security and engineering teams ask us most.

Where is TestingBot hosted and where does my data live?
TestingBot is built and hosted exclusively in the European Union. All test execution, video recordings, screenshots, logs and account data stay on EU infrastructure and never leave the region.
Is TestingBot GDPR compliant?
Yes. TestingBot is fully GDPR compliant. We provide a Data Processing Addendum (DPA) on request, support EU data residency by default and operate under the EU's data-protection regime.
What certifications does TestingBot hold?
TestingBot is registered with the Cloud Security Alliance STAR Level 1 program, GDPR compliant, CCPA compliant, and operates from ISO 27001 certified datacenters. Our control set is aligned with SOC 2 Type II practices.
Do you encrypt data at rest and in transit?
Yes. All data is encrypted at rest using AES-256 and in transit using TLS 1.2+ with modern ciphers. Test traffic between your network and our grid can be additionally tunnelled through the encrypted TestingBot Tunnel.
How long do you retain test artefacts?
Default retention is 30 days for test logs, video recordings and screenshots. Enterprise plans can configure custom retention windows per asset type, including immediate deletion after the test if required.
Do you have a bug bounty program?
We don't run a paid bug bounty program, but we welcome responsible disclosure. Please reach out to security@testingbot.com, every report is reviewed by our security team and we credit researchers in our hall of fame.
Can I access TestingBot via SSO and enforce 2FA?
Yes. Enterprise plans support SAML 2.0 SSO with Okta, Azure AD, OneLogin and any SAML provider, plus organisation-wide 2FA enforcement.

More questions for our security team?

Send your security review, vendor questionnaire or DPA request to security@testingbot.com. We typically respond within one business day.

Contact security View status page