Trust
Security
Last updated: June 24, 2026
Security is foundational to TIA. Because the platform connects to your repositories, issue trackers, and applications, we engineer for least privilege, strong isolation, and encrypted handling of secrets at every layer.
Authentication & access control
- Sign-in is via Google Workspace OAuth 2.0 — we never store passwords.
- Sessions are issued as signed JWTs and access is enforced on every protected endpoint.
- Role-based access control across six roles (owner, admin, manager, tester, developer, viewer) applies least-privilege permissions.
- Access is restricted to authorized Google Workspace domains.
Multi-tenant isolation
Every record that belongs to an organization is scoped to that organization and filtered on each query. Tenants cannot read or write across organization boundaries — isolation is enforced in the data layer, not just the UI.
Encryption
- All traffic is encrypted in transit with TLS, with HSTS and a modern cipher suite.
- Sensitive secrets — VCS access tokens, Jira API tokens, login credentials, and webhook secrets — are encrypted at rest using AES-256-GCM and are never stored in plaintext.
Isolated test execution
Generated tests run in ephemeral, sandboxed Docker containers with bounded resources and a strict cap on concurrent workers. Execution environments are torn down after each run, and artifacts (screenshots, traces) are stored in access-controlled object storage.
Platform hardening
- Security headers (via Helmet), HSTS, and content protections on all responses.
- Rate limiting to mitigate abuse and brute-force attempts.
- Signed webhooks: inbound deployment and Jira triggers are verified with HMAC-SHA256.
- Edge protection and DDoS mitigation through our network provider.
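The signed-webhook check from the list above, sketched in Node.js as an added example. It is not TIA's own code: the `sha256=<hex>` header format, the function names, and the sample secret and payload are assumptions constructed for illustration.

```javascript
// Added example (not TIA's code): verifying an HMAC-SHA256 webhook signature.
// Assumed header format: "sha256=<64 hex chars>". All names are hypothetical.
const crypto = require('node:crypto');

// Compute the signature a sender would attach for these exact bytes.
function signBody(secret, rawBody) {
  const mac = crypto.createHmac('sha256', secret).update(rawBody).digest('hex');
  return `sha256=${mac}`;
}

// Returns true only if signatureHeader carries a valid MAC for rawBody.
function verifyWebhook(secret, rawBody, signatureHeader) {
  if (typeof signatureHeader !== 'string') return false; // header missing
  const match = /^sha256=([0-9a-f]{64})$/i.exec(signatureHeader);
  if (!match) return false; // wrong scheme, length or encoding
  const received = Buffer.from(match[1], 'hex');
  const expected = crypto.createHmac('sha256', secret).update(rawBody).digest();
  // Both buffers are 32 bytes here, so timingSafeEqual cannot throw on a
  // length mismatch, and the comparison does not leak where they differ.
  return crypto.timingSafeEqual(received, expected);
}

// Constructed sample input: secret and payload are made up for this example.
const SECRET = 'constructed-example-secret';
const RAW = Buffer.from('{"event":"deployment","env":"staging"}', 'utf8');
const GOOD = signBody(SECRET, RAW);

// Re-serialising parsed JSON changes the bytes (whitespace, key order), so
// the MAC must be checked against the raw body, before any JSON parsing.
const RESERIALISED = Buffer.from(
  JSON.stringify(JSON.parse(RAW.toString('utf8')), null, 1), 'utf8');
const TAMPERED = Buffer.from(RAW.toString('utf8').replace('staging', 'prod'));

function demo() {
  return {
    valid: verifyWebhook(SECRET, RAW, GOOD),
    tamperedBody: verifyWebhook(SECRET, TAMPERED, GOOD),
    reserialised: verifyWebhook(SECRET, RESERIALISED, GOOD),
    truncatedSig: verifyWebhook(SECRET, RAW, GOOD.slice(0, 20)),
    missingHeader: verifyWebhook(SECRET, RAW, undefined),
    wrongSecret: verifyWebhook('other-secret', RAW, GOOD),
  };
}

console.log(demo());
```

In a framework that parses JSON automatically, the handler needs access to the unparsed request bytes for this check to be meaningful.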
AI data handling
TIA sends only the context required to generate tests and analyze failures to its AI provider (Anthropic). We do not sell your data and do not use your private content to train third-party foundation models. See our Privacy Policy for details.
Operational practices
- Audit logging of significant user and system actions.
- Encrypted, retained database backups for recovery.
- Principle of least privilege for internal access to production systems.
Responsible disclosure
We welcome reports from the security community. If you believe you have found a vulnerability, please email [email protected] with details and steps to reproduce. Please give us a reasonable opportunity to remediate before any public disclosure, and do not access or modify data that is not yours.
Contact
For any security question, reach us at [email protected].
