## Data Bugzy accesses
Bugzy accesses two categories of data to perform QA testing:
- Repository code — read access to your repository contents for test generation; write access to commit generated Playwright tests to a separate test repository
- Application URL — Bugzy runs a real Chromium browser against your application to explore UI flows and execute tests
Bugzy does not access databases, internal APIs, or infrastructure beyond the application URL you provide.
## GitHub access scopes
When you connect GitHub, Bugzy requests the following scoped permissions via GitHub OAuth:
| Permission | Access | Purpose |
|---|---|---|
| Repository contents | Read/Write | Read source code for context; commit generated tests |
| Webhooks | Read/Write | Receive PR, push, and deployment events to trigger test runs |
| Pull requests | Read/Write | Post test results as PR comments |
| Metadata | Read | List repositories and branches |
Bugzy commits generated tests to a separate test repository. Write access to your main repository is limited to PR comments.
## Encryption
| Layer | Method |
|---|---|
| In transit | TLS 1.2+ for all communications |
| At rest | AES-256 via Google Cloud KMS |
| Secrets | Encrypted with Cloud KMS, stored in Supabase with Row Level Security |
Credentials (API tokens, SSH keys, environment variables) are encrypted before storage and decrypted only at runtime inside ephemeral containers.
## Test execution isolation
Every test execution runs in an isolated, ephemeral Google Cloud Run container:
- No persistent state — containers are destroyed after task completion; no data, files, or credentials remain
- Per-repository SSH keys — each repository connection uses a unique SSH key pair; keys are not shared across projects or teams
- Network isolation — containers access only the target application URL and required cloud services
- Pre-installed browsers — Chromium is pinned to a specific Playwright version to prevent supply-chain drift
## Authentication and authorization
- User authentication — GitHub OAuth via Supabase Auth; no passwords stored
- API authorization — JWT tokens with expiration, validated on every request
- Webhook verification — all inbound webhooks (GitHub, Slack, Stripe) are verified using HMAC signature validation
- Team-level isolation — all data is scoped to teams via Row Level Security; users can only access projects belonging to their team
- Agent capability control — each subagent role is restricted to specific tools, regardless of the underlying token’s scopes. See Permissions & Access Control for details
## Database security
Bugzy’s database runs on Supabase (PostgreSQL) with the following protections:
- Row Level Security (RLS) — enforced on all tables; every query is scoped to the authenticated user’s team
- Encrypted connections — all database connections use TLS
- No direct access — the database is not exposed to the public internet; access is restricted to application services
## Compliance

### GDPR
Bugzy complies with the EU General Data Protection Regulation (Articles 5-34):
- Lawful basis — data processing is based on contractual necessity (Article 6(1)(b))
- Data minimization — only data necessary for test generation and execution is accessed
- Right to access, rectification, and erasure — submit requests to privacy@bugzy.ai
- Data Processing Agreement — available at bugzy.ai/legal/dpa
- EU-only processing — all data is processed and stored within the European Union
### Bulgarian PDPA
Bugzy complies with the Bulgarian Personal Data Protection Act as a data processor registered in Bulgaria.
## Sub-processors
| Sub-processor | Purpose | Data processed |
|---|---|---|
| Supabase | Database, authentication | User accounts, project metadata, test results |
| Anthropic | AI model (Claude) | Test plans, test code, triage decisions |
| Google Cloud | Container execution, KMS encryption | Test artifacts, encrypted secrets |
| Vercel | Web application hosting | Dashboard sessions |
| Stripe | Payment processing | Billing and subscription data |
| Nango | OAuth token management | Integration access tokens |
| Ably | Real-time messaging (MCP tunnel) | Webhook payloads for on-prem integrations |
## Data retention
| Data type | Retention |
|---|---|
| Active account data | Retained while account is active |
| Deleted accounts | 30-day soft delete, then permanent removal |
| Database backups | Maximum 90 days, then purged |
| Execution logs | 30 days |
| Ephemeral container data | Destroyed immediately after task completion |
## Incident response
- Regulatory notification — the Commission for Personal Data Protection (CPDP) is notified within 72 hours of a confirmed data breach, per GDPR Article 33
- Customer notification — affected customers are notified within 24 hours for high-risk breaches involving personal data
- Post-incident review — root cause analysis and remediation steps are documented and shared with affected parties
| Purpose | Contact |
|---|---|
| GDPR and privacy requests | privacy@bugzy.ai |
| Security issues and vulnerability reports | security@bugzy.ai |
| General support | support@bugzy.ai |