Endtest Security
1. Security Overview
Companies large and small trust Endtest to provide a secure platform for testing web and mobile applications. Protecting our customers' data is of paramount importance to us. This document is an overview of the technology, processes and security operations that govern the Endtest Platform.
2. Compliance
Endtest has received the ISO 27001 certification. ISO 27001 is the international standard that is recognized globally for managing risks to the security of information you hold.
Endtest is also compliant with the European General Data Protection Regulation (GDPR). Our cloud-based testing platform does not require the use of customer PII, PHI, or other sensitive data. The use of sanitized or synthetic data for testing is, in fact, considered a best practice in QA testing. With the passing of the 2018 EU General Data Protection Law (GDPR), Endtest classifies itself as a data processor with respect to its customers' Test Data and as a data controller with respect to its customers' Account Data.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a US federal law that establishes data privacy and security requirements for organizations that are charged with safeguarding individuals' protected health information (PHI). These organizations meet the definition of “covered entities” or “business associates” under HIPAA. Our platform meets the requirements under HIPAA and complies with HIPAA regulations.
Endtest continues to mature its governance program to support the evolving regulatory landscape.
3. Data processor operations
Endtest receives two categories of data from its customers.
The first category consists of data about our customers' access to and use of our service, and includes information about the specific customer employees or contractors that use our service. We refer to this data as "Account Data".
The second category consists of the data that our customers upload to our service or that is otherwise accessed by our service in the course of testing customer applications, and the reports, logs, and other artifacts of such testing that are generated by our service. Our service operates by processing what a user's computer or device would process when accessing and using a web or native mobile application, which typically includes the customer's compiled web application rendered in a browser or executable native mobile application installed in a real or virtual device, and the test script or commands and data inputs to manipulate the browser or application that is being tested, to mimic user behavior. Our service also generates artifacts from tests that are run, including images and videos of the application as the test is conducted, and reports, logs and analysis of the test results. We refer to this data as "Test Data".
In general, Test Data need not and should not include any sensitive or personal data regarding customer personnel, customers or end users.
Endtest service is a test execution environment and is not intended as a production environment or "system of record" for any customer data (beyond data related to the tests themselves). All test logs, images and videos of applications being tested, related reports and analysis, are automatically deleted from our service 6 months after they are generated by default, and our customers have access to and the ability to manually delete any or all such data at any time.
Endtest has implemented and maintains a data privacy compliance program intended to comply with applicable requirements of the GDPR.
Additionally, we:
- Maintain policies, procedures and protocols to ensure that we only process personal data lawfully, fairly, transparently, and in accordance with other privacy standards set forth in the GDPR;
- Select vendors that have implemented robust data protection measures and execute data processing and sub-processing agreements with them as appropriate;
- Offer assistance to customers to give effect to data subject rights and comply with relevant requirements under the GDPR as appropriate;
- Design our services and internal systems with data privacy principles in mind; and,
- Implement and maintain reasonable and appropriate technical, physical and organizational security measures to protect the data that we process.
We can provide additional information about our data privacy practices on request.
4. Data Controls
3rd Party Access to Data
Endtest does not share customer data or provide 3rd parties access to production systems. Contractual agreements are in place with specific vendors/partners who provide support services to Endtest (e.g., hosting and code repositories). All such agreements are reviewed at least annually by the Endtest legal team.
Security of Data in Testing
Endtest encourages customers to test using only non-sensitive or sanitized datasets. Endtest considers all data as sensitive and therefore encrypts data at rest (AES256) and in motion (TLS 1.2).
Production Access Security
Production access is limited to dedicated VLANs, systems, and admin privileges using multi-factor authentication. All activity is logged and reviewed on an ongoing basis. Any abnormal activity may trigger an incident to be reviewed by Security Operations
Device Security
Browser/OS combinations or emulator/simulator devices are provisioned on demand in virtual machines and destroyed at the end of every test execution.
Device Retention
Endtest collects test data assets from individual tests that are being run on our platform. These assets include Selenium/Appium logs, screenshots, a video of the test, and metadata. All test execution reports are available from the Endtest user interface. Test execution reports and other Test Data assets are stored for 6 months and then automatically deleted. Customers who require longer data retention periods are encouraged to download their data directly.
5. Architecture
Cross Browser Web Testing
Endtest gives users the ability to run automated functional tests written with our Codeless Test Editor across multiple browser and OS combinations. The platform eliminates the need to build and maintain an on-premise test grid, and provides the ability to run cross-browser tests in parallel, significantly reducing the time it takes to execute these tests. Results can be analyzed using videos, screenshots, log files and Test Analytics to quickly identify test patterns and resolve defects, enabling faster release cycles.
Cross Browser Web Testing
Endtest gives users the ability to run automated functional tests written with our Codeless Test Editor across multiple browser and OS combinations. The platform eliminates the need to build and maintain an on-premise test grid, and provides the ability to run cross-browser tests in parallel, significantly reducing the time it takes to execute these tests. Results can be analyzed using videos, screenshots, log files and Test Analytics to quickly identify test patterns and resolve defects, enabling faster release cycles.
Mobile App Testing
Endtest users can test mobile native, hybrid and web apps across real devices as well as hundreds of iOS simulators and Android emulators. Mobile app tests are automated using our Codeless Test Editor. Mobile tests can be run on a public real device cloud across thousands of devices, or on a private cloud, with unique devices dedicated to individual customers.
Database
All database access is managed through an object relational and service application model. Users are assigned a unique ID and access key. Data access is limited to data associated with a specific account.
6. Connectivity Options
Customers can access our platform only through a Secured HTTPS connection. Two-Factor Authentication (2FA) is available for all customers. All the servers and test machines from our network are protected by Firewalls and properly configured Security Groups. Whitelisting can be used in order to establish a connection between applications hosted on an internal server and the Endtest virtual machines or real devices that are used for testing.
Details are provided in our FAQ and Documentation sections.
7. Data Center Security
Endtest leverages multiple data center locations in the US. Data centers are owned by Amazon Web Services and MacStadium. The videos, screenshots and log files are stored in AWS S3 buckets.
8. Access Control
In addition to the physical security, Endtest operations has implemented access control measures restricting access to customers' environments to only those support personnel that have a documented, current business need. Furthermore, all physical and electronic access to data centers is logged and audited routinely.
Application access is managed by the customer designated administrator through the Teams function within the Endtest UI. Teams allows for the authorization of individuals and roles to access the customer's specific instance of Endtest and report data.
9. Change and Patch Management
Endtest updates all security tools and software, as needed, using appropriate patches. All critical patches are installed based on risk, per the Endtest Change Management Policy, and with approval from the Endtest change management team. Changes are efficiently and securely planned, reviewed, tested, implemented, and validated to ensure that all environments are protected.
10. Testing and Scanning
Endtest performs multiple types of testing including:
- Vulnerability scans performed using both internal resources and 3rd-party services.
- Whitebox penetration testing performed at least annually.
- Static and dynamic code analysis testing performed for all code releases.
- Customers may perform or contract their own testing with prior coordination and approval from Endtest Security.
11. Data Recovery / Data Backup
Endtest provides backup and redundancy for customer data to ensure full recovery in the event of service disruption or failure. Our primary data centers are facilities with 24x7 physical security, redundant power, HVAC, ISP connections, and fire protection. Primary databases are backed up daily to satisfy our Recovery Point Objective (RPO) of 24 hours maximum. Our Recovery Time Objective (RTO) to restore data in a catastrophic data loss situation is 48 hours.
The Endtest disaster recovery, incident response, contingency planning and recovery procedures are tested and validated annually. Endtest simulates customer disaster declaration scenarios that cover failures and recoveries of each of our critical systems, and then analyzes the results to continuously improve our operations. Testing is performed periodically, as needed.
12. Incident Response
Endtest incident response and management includes the Endtest Customer Support, Operations, and Security teams. Team members are on call 24x7 to respond to customer support requests and incidents. The Endtest Support team consists of tiers of technical and engineering staff to provide incident response, triage, root cause analysis, and resolution.
Response procedures include the use of standard operating procedures that are maintained and kept current in a knowledge base, escalation to higher-expertise tiers and supporting teams, and bridge calls for collaboration.
This team is responsible for managing incident severity, impact, and type classification for effective prioritization of support requests and assignment of qualified experts, with supervised monitoring of support request status and progress. The Endtest operations team provides contingency and disaster recovery plan activation and escalation, in the event of a major incident affecting multiple customers. In addition, partner and vendor incident response support as needed for triage and resolution.
Reporting and analysis of incident response performance metrics are used to achieve SLAs.