Data Bugzy accesses

Bugzy accesses two categories of data to perform QA testing:
  • Repository code — read access to your repository contents for test generation; write access to commit generated Playwright tests to a separate test repository
  • Application URL — Bugzy runs a real Chromium browser against your application to explore UI flows and execute tests
Bugzy does not access databases, internal APIs, or infrastructure beyond the application URL you provide.

GitHub access scopes

When you connect GitHub, Bugzy requests the following scoped permissions via GitHub OAuth:
| Permission | Access | Purpose |
| --- | --- | --- |
| Repository contents | Read/Write | Read source code for context; commit generated tests |
| Webhooks | Read/Write | Receive PR, push, and deployment events to trigger test runs |
| Pull requests | Read/Write | Post test results as PR comments |
| Metadata | Read | List repositories and branches |
Bugzy commits generated tests to a separate test repository. Write access to your main repository is limited to PR comments.

Encryption

| Layer | Method |
| --- | --- |
| In transit | TLS 1.2+ for all communications |
| At rest | AES-256 via Google Cloud KMS |
| Secrets | Encrypted with Cloud KMS, stored in Supabase with Row Level Security |
Credentials (API tokens, SSH keys, environment variables) are encrypted before storage and decrypted only at runtime inside ephemeral containers.

Test execution isolation

Every test execution runs in an isolated, ephemeral Google Cloud Run container:
  • No persistent state — containers are destroyed after task completion; no data, files, or credentials remain
  • Per-repository SSH keys — each repository connection uses a unique SSH key pair; keys are not shared across projects or teams
  • Network isolation — containers access only the target application URL and required cloud services
  • Pre-installed browsers — Chromium is pinned to a specific Playwright version to prevent supply-chain drift

Authentication and authorization

  • User authentication — GitHub OAuth via Supabase Auth; no passwords stored
  • API authorization — JWT tokens with expiration, validated on every request
  • Webhook verification — all inbound webhooks (GitHub, Slack, Stripe) are verified using HMAC signature validation
  • Team-level isolation — all data is scoped to teams via Row Level Security; users can only access projects belonging to their team
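The webhook verification bullet above describes HMAC signature validation on inbound deliveries. The following is an added illustration of that check for GitHub's scheme (an HMAC-SHA256 over the raw request body, carried in the X-Hub-Signature-256 header with a "sha256=" prefix); it is example code, not Bugzy's implementation, and the secret and payload are constructed sample values.

```python
import hashlib
import hmac
from typing import Dict, Optional

# Constructed sample secret and payload for the example (not real Bugzy values).
WEBHOOK_SECRET = b"constructed-example-secret"
SAMPLE_BODY = b'{"action":"opened","number":42}'


def sign_github_payload(secret: bytes, body: bytes) -> str:
    """Compute the value GitHub places in X-Hub-Signature-256 for this body."""
    digest = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return f"sha256={digest}"


def verify_github_webhook(secret: bytes, body: bytes,
                          signature_header: Optional[str]) -> bool:
    """Return True only if the header carries a valid HMAC-SHA256 over the raw body.

    The comparison is constant-time so that response timing does not leak
    how many leading bytes of a forged signature happened to be correct.
    """
    if not signature_header or not signature_header.startswith("sha256="):
        return False
    expected = sign_github_payload(secret, body)
    return hmac.compare_digest(expected, signature_header)


def handle_webhook(secret: bytes, body: bytes, headers: Dict[str, str]) -> str:
    """Minimal receiver: reject unsigned or tampered deliveries before parsing."""
    if not verify_github_webhook(secret, body, headers.get("X-Hub-Signature-256")):
        return "rejected"
    # Only a delivery that passed the check is trusted enough to act on
    # (for example, to trigger a test run).
    return "accepted"


if __name__ == "__main__":
    good = {"X-Hub-Signature-256": sign_github_payload(WEBHOOK_SECRET, SAMPLE_BODY)}
    print(handle_webhook(WEBHOOK_SECRET, SAMPLE_BODY, good))       # accepted
    tampered = SAMPLE_BODY.replace(b"42", b"43")
    print(handle_webhook(WEBHOOK_SECRET, tampered, good))          # rejected
    print(handle_webhook(WEBHOOK_SECRET, SAMPLE_BODY, {}))         # rejected
```

Slack and Stripe signatures additionally bind a request timestamp into the signed string, so a receiver for those sources must also check the timestamp is recent to reject replayed deliveries.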

Database security

Bugzy’s database runs on Supabase (PostgreSQL) with the following protections:
  • Row Level Security (RLS) — enforced on all tables; every query is scoped to the authenticated user’s team
  • Encrypted connections — all database connections use TLS
  • No direct access — the database is not exposed to the public internet; access is restricted to application services

Compliance

GDPR

Bugzy complies with the EU General Data Protection Regulation (Articles 5-34):
  • Lawful basis — data processing is based on contractual necessity (Article 6(1)(b))
  • Data minimization — only data necessary for test generation and execution is accessed
  • Right to access, rectification, and erasure — submit requests to privacy@bugzy.ai
  • Data Processing Agreement — available at bugzy.ai/legal/dpa
  • EU-only processing — all data is processed and stored within the European Union

Bulgarian PDPA

Bugzy complies with the Bulgarian Personal Data Protection Act as a data processor registered in Bulgaria.

Sub-processors

| Sub-processor | Purpose | Data processed |
| --- | --- | --- |
| Supabase | Database, authentication | User accounts, project metadata, test results |
| Anthropic | AI model (Claude) | Test plans, test code, triage decisions |
| Google Cloud | Container execution, KMS encryption | Test artifacts, encrypted secrets |
| Vercel | Web application hosting | Dashboard sessions |
| Stripe | Payment processing | Billing and subscription data |
| Nango | OAuth token management | Integration access tokens |
| Ably | Real-time messaging (MCP tunnel) | Webhook payloads for on-prem integrations |

Data retention

| Data type | Retention |
| --- | --- |
| Active account data | Retained while account is active |
| Deleted accounts | 30-day soft delete, then permanent removal |
| Database backups | Maximum 90 days, then purged |
| Execution logs | 30 days |
| Ephemeral container data | Destroyed immediately after task completion |

Incident response

  • Regulatory notification — the Commission for Personal Data Protection (CPDP) is notified within 72 hours of a confirmed data breach, per GDPR Article 33
  • Customer notification — affected customers are notified within 24 hours for high-risk breaches involving personal data
  • Post-incident review — root cause analysis and remediation steps are documented and shared with affected parties

Contact

| Purpose | Contact |
| --- | --- |
| GDPR and privacy requests | privacy@bugzy.ai |
| Security issues and vulnerability reports | security@bugzy.ai |
| General support | support@bugzy.ai |