Endtest Security

1. Security Overview

Companies large and small trust Endtest to provide a secure platform for testing web and mobile applications. Protecting our customers' data is of paramount importance to us. This document is an overview of the technology, processes and security operations that govern the Endtest platform.

2. Compliance

Endtest has received the ISO 27001 certification. ISO 27001 is the international standard that is recognized globally for managing risks to the security of information you hold.

Endtest is also compliant with the European General Data Protection Regulation (GDPR). Our cloud-based testing platform does not require the use of real user account PII, PHI, or other sensitive data. The use of sanitized or synthetic data for testing is, in fact, considered a best practice in QA testing. Since the EU General Data Protection Regulation (GDPR) took effect in 2018, Endtest has taken extra precautions with respect to its customers' Test Data and, where it acts as a data controller, its customers' Account Data.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a US federal law that establishes data privacy and security requirements for organizations that are charged with safeguarding protected health information (PHI). These organizations meet the definition of "covered entities" or "business associates" under HIPAA. Our platform meets the requirements under HIPAA and complies with HIPAA regulations.

Endtest continues to mature its governance program to support the evolving regulatory landscape.

3. Data Processor Operations

Endtest receives two categories of data from its customers:

The first category consists of data about our customers' access to and use of our service, and includes information about the specific customer employees or other individuals that use our service. We refer to this data as “Account Data”.

The second category consists of the data that our customers upload to our service or that is collected through our service in the course of using our services. This data may be associated with individuals, and we refer to it as “Test Data”. Endtest acts as a data processor for the second category of data pursuant to Endtest's written SaaS template or other service vendor process that references or incorporates our terms of service. In other words, we function as a data processor for our customers with respect to the personal data that customers use or manage when they are using or testing the Endtest services. We also act as the data controller for the data that is being tested, to the extent necessary to manage the environment, test coverage, test library, and run scheduling.

We adopt and maintain an internal data privacy compliance program intended to respect data subject rights and privacy regulations. It is reviewed, assessed, and updated on a periodic basis to ensure that personal data processing activities are aligned with the compliance requirements.

We will remove or delete such information if requested by the customer or when it is no longer necessary to provide services to the customer as described in our Terms of Service. We will also assist customers with fulfilling data subject requests, as required by law.

Endtest adheres to the following principles when processing personal data: lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability.

We maintain policies, procedures, and protocols to ensure that we only process personal data securely, fairly, transparently, and in accordance with other privacy standards. We take appropriate technical and organizational measures to protect personal data.

We offer assistance to customers to give effect to data subject rights and comply with their responsibilities under these privacy laws as appropriate. We design our services and internal systems with data privacy principles in mind, and implement and maintain reasonable and appropriate technical, physical and organizational security measures to protect the data we process.

We can provide additional information about our data privacy practices on request.

4. Data Controls

Third-Party Access to Data

Endtest does not share customer data or provide third parties access to production systems. Contractual agreements are in place with specific vendors/partners who provide support services to Endtest (e.g., hosting and code repositories). All such agreements are reviewed at least annually by the Endtest legal team.

Security of Data in Testing

Endtest encourages customers to test using only non-sensitive or sanitized data sets. Endtest enforces TLS 1.2+ for all connections to the service, so data is encrypted in transit; data is also encrypted at rest (AES256).

Production Access Security

Production access is limited to dedicated VLANs, systems, and admin privileges using multi-factor authentication. All activity is logged and reviewed on an ongoing basis. Any abnormal activity is immediately investigated by the Security Operations team.

Device Security

Browser instances and emulated or simulated devices are provisioned on demand in virtual machines and destroyed at the end of every test session.

Device Retention

Device retention covers all data assets produced by individual tests run on our platform: screenshots, a video of the test, metadata from successful tests indicating which features were tested, and the session data needed to display the results properly in the user interface. These assets are stored in a secure Amazon S3 / RAID storage group. All logs remain accessible to the user for 30 days after the test. Data stored beyond these retention periods is encrypted at rest using AES256. Customers that require shorter data retention periods are encouraged to download their data so that they maintain final control.

5. Architecture

Cross Browser Web Testing

Endtest gives users the ability to run automated functional tests written with our Codeless Test Editor across multiple browser and OS combinations. The platform eliminates the need to build and maintain an on-premise test grid, and provides the ability to run cross-browser tests in parallel, significantly reducing the time it takes to execute these tests. Results can be analyzed using videos, screenshots, log files and Test Analytics to quickly identify test patterns and resolve defects, enabling faster release cycles.

Native App Testing

Endtest users can test mobile native, hybrid and web apps across real devices as well as hundreds of iOS simulators and Android emulators. Mobile App tests are also automated using our Codeless Test Editor. Mobile tests can be run on a public real device cloud across thousands of devices, or on a private cloud, with unique devices dedicated to individual customers.

Database

All database access is managed through an object relational and service application model. Users are assigned a unique ID and access key. Data access is limited to data associated with a specific account.

6. Connectivity Options

Customers can access our platform only through a secure HTTPS connection. Two-Factor Authentication (2FA) is available for all accounts. The server traffic and events that we receive from our system are routed through Endtest's proprietary Federated Security Groups. Whitelisting can be used to establish a connection between applications on an internal static private network and the virtual machines or real devices that are used for testing. Further details are provided in our FAQ and Documentation sections.

7. Data Center Security

Endtest maintains multiple data center locations in the US. Data centers are owned by Amazon Web Services (AWS) in the Netherlands. Videos, screenshots and log files are stored in S3 and RDS in the US East Region.

8. Access Management

Endtest's platform has a built-in role-based access control mechanism that is designed to function within the Endtest UI. The Teams feature allows individuals and roles to be authorized for the access the customer specifies on its instance.

9. Change and Patch Management

Endtest applies security patches to all security tools and software as needed. All critical patches are installed based on risk, per the Endtest Change Management Policy, and with approval from the Endtest change management team. Changes are efficiently and properly planned, reviewed, tested, implemented, and validated to ensure that all systems remain protected.

10. Testing and Scanning

Endtest performs multiple types of testing including:

  • Vulnerability scans performed using both internal resources and 3rd-party services.
  • Whitebox penetration testing performed at least annually.
  • Static and dynamic code analysis testing performed for all code releases.
  • Customers may perform or contract their own testing with prior coordination and approval from Endtest Security.

11. Data Recovery and Data Backup

Endtest provides data redundancy and backups for customer data to ensure full recovery in the event of service disruption or failure. Our primary data center uses facilities with 24x7 physical security, multi-layer power, HVAC, ISP connections, and fire protection. The primary database is backed up daily to AWS, giving a Recovery Point Objective (RPO) of 24 hours maximum; our Recovery Time Objective (RTO) to restore data after a catastrophic data loss is around 24 to 48 hours.

The Endtest disaster recovery, incident response, emergency planning and recovery processes are tested and validated annually. Endtest simulates customer disaster declaration scenarios for code failures, recovers each of our critical systems, and then analyzes the results to continuously improve our operations. Testing is performed periodically and as needed.

12. Incident Response

Endtest incident response and management includes the Endtest Customer Support, Operations, and Security teams. Team members are on call 24x7 to respond to customer support requests and incidents. The Endtest Support team consists of tiers of technical and engineering staff to provide incident response, triage, root cause analysis, and resolution.

Escalations follow standard operating procedures that are maintained internally and cover the knowledge base, escalation to higher-expertise tiers and supporting resources, and a plan for collaboration.

Once our security, network, and DevOps teams validate an incident involving a data event, Endtest releases a post-mortem report. The post-mortem documents the nature of the incident and the incident's resolution status and progress. The Endtest operations team identifies lessons learned, if any, from the incident and incorporates them into the incident response plan. We incorporate improvements to our monitoring systems, runbooks, and operational processes to continually improve our overall ability to handle incidents.
