Trust & Security

Security at TestPlanIt

Your test data is critical to your development process.
We take its protection seriously—whether you self-host or use our hosted service.

Infrastructure

Hosting & Infrastructure

Hosted TestPlanIt instances run on dedicated infrastructure managed by our team.

Hosting
Hosted instances run on dedicated servers with Kubernetes orchestration. Each customer workspace runs in its own isolated namespace.
Tenant isolation
Every hosted customer gets a dedicated database, dedicated search index, and isolated compute resources. No shared data stores between tenants.
Backups
Automated daily backups with retention periods by plan: 1 year (Essentials), 2 years (Team), 3 years (Professional), custom (Dedicated).
Monitoring
Infrastructure and application health are monitored continuously. Critical alerts trigger immediate response from our operations team.
Updates
Security patches and updates are applied promptly. Dedicated tier customers receive updates in a staging environment before production.

Encryption

Data Encryption

Data is protected both in transit and at rest.

In transit
All connections use TLS 1.2 or higher. HTTPS is enforced for all web traffic and API calls. Internal service-to-service communication is encrypted.
At rest
Database storage and backups are encrypted at rest using AES-256. Sensitive configuration values are stored as encrypted secrets.
API tokens
API tokens are hashed before storage. Only the token prefix is stored in plain text for identification.

Application

Application Security

Security controls built into every layer of the application.

Authentication
SSO via Google, Microsoft, Apple, and SAML 2.0. Magic link passwordless login. Two-factor authentication (TOTP) with organization-wide enforcement.
Authorization
Role-based access control with custom roles. Fine-grained project-level permissions. Users only see projects they have been granted access to.
Audit logging
Comprehensive audit trail tracking user actions with before/after change details. Retention varies by plan, up to unlimited on Dedicated tier.
Session management
Secure, HTTP-only session cookies. Sessions expire after configurable inactivity periods. Admins can revoke active sessions.
Bot protection
Public forms are protected by Cloudflare Turnstile challenge verification and disposable email blocking to prevent abuse.
Input validation
All user inputs are validated server-side using schema-based validation. Parameterized queries prevent SQL injection. Output encoding prevents XSS.

Product Features

Security Features for Your Team

Security capabilities available on every plan, including self-hosted.

Single Sign-On

Google, Microsoft, Apple, and SAML 2.0 identity provider integration. Included on every plan at no extra cost.

Two-Factor Authentication

TOTP-based 2FA with support for authenticator apps. Organization admins can enforce 2FA for all users.

Custom Roles & Permissions

Define custom roles with granular permissions. Control access at the organization, project, and feature level.

Audit Logs

Track who did what and when, with full before/after change history for compliance and troubleshooting.

API Token Management

Create API tokens with optional expiration dates. Tokens can be scoped and revoked at any time.

Share Link Controls

Share reports via authenticated, public, or password-protected links with configurable expiration and access logging.

Self-Hosted

Self-Hosted Deployments

TestPlanIt is open source and free to self-host. When you run TestPlanIt on your own infrastructure, you have complete control.

  • All data stays on your servers—we never have access to self-hosted instances
  • Deploy with Docker in your own data center, private cloud, or air-gapped environment
  • All security features (SSO, 2FA, RBAC, audit logs) are available with no feature gating
  • Configure your own backup schedules, network policies, and access controls
  • Connect your own AI providers—including local models via Ollama for complete data privacy
  • Source code is publicly auditable under AGPL-3.0 license
Self-hosted customers are responsible for their own infrastructure security, patching, and backups. We provide documentation and community support to help you maintain a secure deployment.

Privacy

Data Privacy & Ownership

Your data belongs to you. Period.

Data ownership
You retain full ownership of all data at all times. We will never sell, share, or mine your data for any purpose.
Data residency
Hosted instances are located in the United States. Dedicated tier customers can discuss specific data residency requirements.
Data export
Export your data at any time via the application or REST API. After cancellation, you have a 30-day window to export before deletion.
Data deletion
We permanently delete all customer data within 30 days of account cancellation. Dedicated tier customers can request immediate deletion.
Minimal data collection
Our marketing website uses privacy-focused analytics (Plausible). No third-party trackers, no Google Analytics, no advertising cookies.
Sub-processors
We use a minimal set of third-party services: Stripe for payment processing and transactional email delivery. A full sub-processor list is available upon request.

Incident Response

Security Incidents

We take a transparent approach to security incidents.

Notification
Confirmed security incidents affecting customer data are communicated within 72 hours of discovery via email to account administrators.
Response
Our team investigates and remediates security issues as the highest priority. We provide affected customers with a clear description of the incident, its impact, and steps taken.
Reporting vulnerabilities
If you discover a security vulnerability in TestPlanIt, please report it responsibly to [email protected]. We appreciate the security research community and will acknowledge your contribution.

Documentation

Documents Available Upon Request

We can provide the following documents to prospective and current customers evaluating our security posture.

Security Questionnaire

Pre-filled responses to common security assessment questionnaires (SIG Lite, CAIQ, or your custom format).

Data Processing Agreement

DPA covering GDPR and other data protection requirements for customers processing personal data.

Sub-processor List

Complete list of third-party sub-processors with their purpose, data accessed, and location.

Architecture Overview

Technical overview of our infrastructure, security controls, and data flow for security review.

Contact us at [email protected] to request any of these documents.

FAQ

Frequently Asked Questions

Is TestPlanIt SOC 2 certified?

We are not SOC 2 certified at this time. As a growing company, we are building toward formal compliance certifications. We are happy to share our current security controls and practices in detail upon request.

Where is my data hosted?

Hosted customer data is stored in the United States on infrastructure managed by our team. Dedicated tier customers can discuss specific hosting location requirements.

Do you perform penetration testing?

We conduct periodic security assessments of our application and infrastructure. Our source code is also publicly available under AGPL-3.0, enabling community security review. We welcome responsible disclosure of any findings.

Can I run TestPlanIt in an air-gapped environment?

Yes. TestPlanIt can be deployed with Docker in fully air-gapped environments. All features work offline, including AI capabilities when using local models via Ollama.

How do you handle GDPR compliance?

We offer Data Processing Agreements (DPAs) for customers who require them. Self-hosted customers maintain full control over data residency and processing. We collect minimal personal data and use privacy-focused analytics.

Do you support SSO and 2FA on all plans?

Yes. SSO (Google, Microsoft, Apple, SAML 2.0) and TOTP-based two-factor authentication are included on every plan, including self-hosted. We do not charge extra for security features.

TestPlanIt LLC

Questions about security? Reach us at [email protected]

The TestPlanIt software is free and open source under AGPL-3.0.
Last updated: February 2026