Security & compliance

TestingBot Trust Center

TestingBot runs your cross-browser and mobile tests on infrastructure built in the European Union. Encrypted at rest and in transit, GDPR & CCPA compliant, CSA STAR registered and audited from the network layer up.

  • Uptime SLA: 99.99%
  • Hosting: EU only
  • Operating since: 2012

Audited & certified

European data sovereignty

100% European infrastructure.

Every byte of your test data stays in Europe. TestingBot operates exclusively from EU datacenters, giving you full GDPR compliance and data sovereignty by default.

  • Test logs & reports

    All test execution logs and reports stored in EU datacenters.

  • Video recordings

    Test session videos recorded and stored within Europe.

  • Screenshots & artefacts

    All test artefacts securely hosted in EU infrastructure.

  • Test execution

    Tests run on browser and device fleets located in EU datacenters.

How we protect your data

Security controls

The technical and organizational controls we operate every day. Our control set is aligned with ISO 27001 and SOC 2 practices, and our datacenters are ISO 27001 certified.

Infrastructure security

  • AES-256 encryption at rest
  • TLS 1.2+ encryption in transit
  • EU-only datacenters and data residency
  • Unique production authentication
  • MFA enforced on administrative access
  • Encrypted, monitored backups
  • Network segmentation and firewalling

Product security

  • Single-use VMs and devices, wiped after every session
  • Encrypted TestingBot Tunnel for private networks
  • Vulnerability scanning and dependency monitoring
  • Secrets and PII masked before any AI processing
  • Least-privilege access to customer data

Organizational security

  • Role-based, least-privilege access control
  • Access granted on onboarding, removed on offboarding
  • Asset inventory maintained
  • Security awareness across the team
  • Vetted, EU-first subprocessor selection

Data & privacy

  • 30-day default retention for logs, video and screenshots
  • Configurable or immediate deletion on enterprise plans
  • Data deleted when an account is closed
  • No end-user PII, source code or passwords collected
  • Data Processing Addendum with EU SCCs available

Resilience & monitoring

  • 24/7 infrastructure monitoring and public status page
  • Documented incident response process
  • Business continuity & disaster recovery plan
  • Regular, tested backups
  • Independent security rating (Bitsight)

Vendors & suppliers

Subprocessors

The third parties TestingBot uses to deliver the service. We pick suppliers that align with our EU-first stance and that you would expect a SaaS vendor to use.

View the change log and subscribe to update notifications

Latest updates

  • June 2, 2026: Added Anthropic, PBC (USA) as a sub-processor for the AI Insights test failure analysis feature.

General subprocessors

Applicable to all TestingBot products.

| Vendor | Purpose | Location |
|---|---|---|
| Sentry (Functional Software, Inc., 45 Fremont Street, 8th Floor, San Francisco, CA 94105, United States) | Error tracking. Application error reports; may include an account email or IP address in stack-trace context. No test artefacts. | 🇪🇺 Europe |
| Cloudflare (101 Townsend Street, San Francisco, CA 94107, United States) | CDN, security and storage. Request metadata and IP addresses for CDN and WAF; cached static assets. | 🇺🇸 USA |
| Unix-Solutions (Hoge Wei 37, 1930 Zaventem, Belgium) | Hosting. Hosts our EU infrastructure; account and test data at rest, encrypted. | 🇪🇺 Europe |
| Hetzner (Industriestr. 25, 91710 Gunzenhausen, Germany) | Hosting. Hosts our EU infrastructure; account and test data at rest, encrypted. | 🇪🇺 Europe |
| Amazon Web Services, Inc. (410 Terry Avenue North, Seattle, WA 98109, United States) | Storage. Encrypted test artefacts (video, screenshots, logs) stored in the EU region. | 🇪🇺 Europe |
| Google LLC (Google Cloud) (1600 Amphitheatre Parkway, Mountain View, CA 94043, United States) | Geolocation Testing + AI Testing. Geolocation test routing; for AI features, masked text-only test logs. No model training. | 🇺🇸 Europe and USA |
| Stripe Inc. (354 Oyster Point Boulevard, South San Francisco, CA 94080, United States) | Payment processing. Billing contact and card handled by Stripe; we store the last 4 digits only, never the full card. | 🇺🇸 USA |
| ActiveCampaign, LLC (1 North Dearborn Street, 5th Floor, Chicago, IL 60602, United States) | Email delivery. Account name and email address for transactional and product emails. | 🇺🇸 USA |
| Intercom (55 2nd Street, 4th Fl., San Francisco, CA 94105, United States) | Customer support. Name, email address and the content of support conversations. | 🇺🇸 USA |

Feature-specific subprocessors

Used only by specific features within TestingBot products.

| Vendor | Purpose | Location |
|---|---|---|
| OpenAI, L.L.C. | AI Testing. Masked, text-only test context for codeless AI test generation. Opt-in. No model training. | 🇺🇸 USA |
| Anthropic, PBC | AI test failure analysis (AI Insights). Masked, text-only failing-test logs for failure analysis. Opt-in. No model training; deleted within 30 days. | 🇺🇸 USA |

Responsible AI

AI at TestingBot

TestingBot offers optional AI-powered features. They are off until you turn them on and are built to share as little of your data as possible.

  • AI Insights

    Explains why a test failed and suggests fixes.

  • Codeless AI testing

    Turns plain-language intent into automated test steps.

  • AI / MCP integrations

    Connect TestingBot to AI agents through our MCP server.

Read how AI Insights handles your data

Our AI data guarantees

  • Opt-in only

    AI features are off until the account owner explicitly enables them, and can be turned off any time.

  • No model training

    Our AI subprocessors do not use data sent through their commercial APIs to train their models.

  • Minimized & masked

    Only a small, text-only slice of the test is sent. Detectable secrets and PII are masked before anything leaves our servers.

  • Short retention

    The provider deletes inputs and outputs within 30 days; the generated analysis is pruned with the test on our side.

  • Named subprocessors

    Anthropic and OpenAI (United States), under their Data Processing Addenda with EU Standard Contractual Clauses.

Privacy by default

Data we collect — and don't.

We keep the data footprint as small as possible. Below is the explicit list.

  • Employee business-card information

    Name, email, phone. Used to manage your account.

  • Customer personally identifiable information (PII)

    We do not collect end-user PII from your tests.

  • Credit card information

    Processed directly by Stripe. We never see your card.

  • Personal health information

    Out of scope. We are not a healthcare service.

  • Source code

    Not collected. Your test code stays in your CI/CD.

  • End-user passwords

    Not collected, not logged, not transcribed.

Accessibility

We build the TestingBot dashboard to be usable by everyone and target conformance with the Web Content Accessibility Guidelines (WCAG) 2.1 level AA. Accessibility is an ongoing effort: if you encounter a barrier or need an accommodation, email info@testingbot.com and we will work with you on an alternative.

Responsible disclosure

Found a security issue? We welcome responsible disclosure. Email info@testingbot.com with the details and steps to reproduce. Every report is reviewed by our security team. We do not run a paid bug bounty, but we credit researchers in our hall of fame. Our machine-readable contact is published at /.well-known/security.txt.

Frequently asked

Trust & security FAQ.

Quick answers to the questions procurement, security and engineering teams ask us most.

Where is TestingBot hosted and where does my data live?
TestingBot is built and hosted exclusively in the European Union. All test execution, video recordings, screenshots, logs and account data stay on EU infrastructure and never leave the region.
Is TestingBot GDPR compliant?
Yes. TestingBot is fully GDPR compliant. We provide a Data Processing Addendum (DPA) on request, support EU data residency by default and operate under the EU's data-protection regime.
What certifications does TestingBot hold?
TestingBot is registered with the Cloud Security Alliance STAR Level 1 program, GDPR compliant, CCPA compliant, and operates from ISO 27001 certified datacenters. Our control set is aligned with ISO 27001 and SOC 2 Type II practices, and as an EU-based operator we are aligned with the EU Digital Operational Resilience Act (DORA).
Do you encrypt data at rest and in transit?
Yes. All data is encrypted at rest using AES-256 and in transit using TLS 1.2+ with modern ciphers. Test traffic between your network and our grid can be additionally tunnelled through the encrypted TestingBot Tunnel.
Do you use my test data to train AI models?
No. TestingBot's AI features are optional and off by default. The AI subprocessors we use (Anthropic and OpenAI) do not use data sent through their commercial APIs to train their models.
Which AI subprocessors do you use, and are AI features opt-in?
We use Anthropic and OpenAI (both United States), under their Data Processing Addenda with EU Standard Contractual Clauses. Every AI feature is opt-in: it is enabled per account by the account owner and can be disabled at any time.
How do you protect secrets and personal data when AI features run?
Before anything is sent for AI analysis, an automated masking step redacts detectable secrets and personal data such as API keys, tokens, passwords, authorization and cookie headers, private keys, email addresses and card-number-shaped values. Only a small, text-only slice of the test is sent, and the provider deletes inputs and outputs within 30 days.
How long do you retain test artefacts?
Default retention is 30 days for test logs, video recordings and screenshots. Enterprise plans can configure custom retention windows per asset type, including immediate deletion after the test if required.
Do you have a bug bounty program?
We don't run a paid bug bounty program, but we welcome responsible disclosure. Please reach out to info@testingbot.com. Every report is reviewed by our security team and we credit researchers in our hall of fame.
Can I access TestingBot via SSO and enforce 2FA?
Yes. Enterprise plans support SAML 2.0 SSO with Okta, Azure AD, OneLogin and any SAML provider, plus organisation-wide 2FA enforcement.

More questions for our security team?

Send your security review, vendor questionnaire or DPA request to info@testingbot.com. We typically respond within one business day.