TestDino

Security and compliance at TestDino

Earning your trust with independently audited controls, encrypted data, and a security program built for Playwright teams that ship to production.

Last updated: May 2026

TestDino, operated by Alphabin Technology Consulting, holds an unqualified SOC 2 Type 2 opinion against the AICPA Trust Services Criteria for Security, Availability, and Confidentiality. We are also ISO 27001 certified and GDPR compliant. The product in scope is the TestDino test intelligence and observability platform for Playwright teams.

Certifications

SOC 2 Type 2 Certified

TestDino achieved SOC 2 Type 2 compliance in March 2026, independently audited by Percilchofe CPA LLC against the AICPA Trust Services Criteria for Security, Availability, and Confidentiality.

  • Audit period: December 1, 2025 to February 28, 2026
  • Unqualified opinion across all tested controls
  • Trust Service Criteria: Security, Availability, Confidentiality
  • Available under NDA

ISO 27001 Certified

TestDino operates an Information Security Management System (ISMS) certified to the ISO/IEC 27001 international standard, covering risk management, controls, and continuous improvement.

  • Risk-based information security management
  • Annual surveillance and recertification audits
  • Certificate available on request

GDPR Compliant

TestDino processes personal data in line with the EU General Data Protection Regulation. We sign Data Processing Agreements with customers and provide standard contractual clauses for international transfers.

  • Data Processing Agreement available on request
  • Standard Contractual Clauses for EU/EEA transfers
  • Right to access, rectification, erasure, and portability

SOC 2 Type 2 reports and ISO 27001 certificates are shared under a mutual NDA. We respond to access requests within two business days.

Data Protection

  • Production databases are isolated within a private virtual network and not exposed to the public internet.
  • Customer data is removed from TestDino systems on request or per contractual terms.
  • Test artifacts and metadata are scoped to the customer that uploaded them and not shared across tenants.

Encryption

  • Customer-facing traffic is served over HTTPS with TLS 1.2 or higher.
  • Data at rest in our Azure databases and object storage is encrypted using Azure platform encryption (AES-256).
  • Encryption keys are managed by Azure Key Management with rotation handled by the platform.

Data Access

  • Customer test data and traces are not browsed by TestDino staff in normal operation.
  • Support engineers can access a customer's test data only after the customer grants permission through a support ticket, and only for the duration needed to resolve the issue.
  • Production access is restricted to a small number of engineers on a need-to-know basis under role-based access control.
  • Access to customer data is logged.

AI Data and Privacy

  • AI features use Microsoft Azure OpenAI Service and Azure AI Foundry, hosted within our Azure tenant. They are listed on our Subprocessors page.
  • Microsoft does not use Customer Content sent through Azure OpenAI to train its foundation models, in line with the Azure OpenAI Service terms.
  • We do not train TestDino-owned models on customer data by default. If a customer opts in to contribute test data, the scope is documented in writing and the opt-in can be revoked at any time.
  • Enterprise customers can disable AI-powered features for their workspace.
  • AI processing of customer data is covered by our Data Processing Agreement.

Access Control

  • Role-based access with least-privilege defaults across the production environment and source code.
  • Access is reviewed at planned intervals and revoked when an employee or contractor leaves.

Password and Credential Storage

  • Credentials and authentication logic are protected by a well-known and established vendor.
  • Passwords are never stored in plaintext. Secrets are encrypted and access is restricted on a need-to-know basis.

Infrastructure

  • Hosted on Microsoft Azure, our SOC 2 audited subservice provider for data center services.
  • Production systems sit behind a virtual private cloud with security groups acting as virtual firewalls.
  • Infrastructure changes follow a documented SDLC with peer review and automated checks before release.

Failover and Disaster Recovery

  • Azure provides redundant power, networking, and storage at the data center level.
  • We maintain a disaster recovery plan covering data restoration and service recovery from backups.

Backups and Monitoring

  • We run periodic backups of customer data and service metadata for reliable recovery.
  • Backups are encrypted at rest and stored separately from production systems.
  • Production systems are monitored with alerts on availability, error rates, and security events.

Uptime

We publish live service availability and incident history on our public status page. Subscribe to get notified about scheduled maintenance and unplanned incidents.

View status: testdino-uptime.instatus.com

Operations

  • Documented incident response process with defined roles, escalation paths, and customer notification.
  • Confidentiality and acceptable-use obligations apply to everyone with access to customer data.
  • Security events surfaced by monitoring are triaged and tracked through to resolution.

Report a Vulnerability

If you believe you have found a security vulnerability in TestDino, email [email protected] with reproduction steps, affected endpoints, and any proof-of-concept material. We acknowledge reports within two business days and ask that you do not publicly disclose the issue until we've confirmed a fix.

For sensitive reports, request our PGP key by emailing [email protected] so you can encrypt the report in transit.

For privacy and data-handling questions, see our Privacy Policy and GDPR page.

Rules of Engagement

We support good-faith research and will not pursue legal action against researchers who follow these rules. To protect customer data and service availability, please do not:

  • Run denial-of-service or distributed denial-of-service (DDoS) attacks of any kind, including brute-force or automated traffic floods.
  • Social engineer TestDino employees, contractors, customers, or vendors. This includes phishing, vishing, and physical intrusion attempts.
  • Access, modify, exfiltrate, or destroy data that does not belong to you, or pivot beyond what is needed to demonstrate the issue.
  • Test on production accounts other than your own. Use a dedicated test account where possible.
  • Run automated scanners that generate large amounts of traffic against the production environment.
  • Publicly disclose, share, or sell vulnerability details before we have confirmed a fix and agreed on a disclosure timeline.

If a test could affect other users or production stability, contact us first at [email protected] so we can coordinate.

Disclosure

We acknowledge new vulnerability reports within two business days. After acknowledgment, we ask researchers to keep details confidential for up to 90 days while we investigate and ship a fix. If we need more time, we will coordinate an extended timeline with you in writing.

Have any questions?

If you have any questions or comments about this document, send us an email at [email protected] and we will reply within a reasonable timeframe.