Security Overview
At Testpad, we manage security with a layered approach that reflects our Software as a Service (SaaS) model. We have made it a priority to protect your data and to give you choices about controlling it. We understand your concerns about how we use and protect your data, so we put this page together as an overview of our security approach.
We use highly respected cloud-service providers to host data and deliver our service to you (primarily AWS), and an independent third party (FastSpring) to process payments.
We run regular automated vulnerability scans and annual penetration tests, apply software updates regularly, and hold SOC 2 Type 1 certification as third-party verification of our security processes (we are currently working toward SOC 2 Type 2).
Find further information on these pages:
- Terms of Service – the terms and conditions for using our services
- Privacy Policy – an overview of the action we take to protect your privacy
- Testpad Subprocessors – a list of our sub-processors under GDPR
- Compliance Statements – for SOC 2 and GDPR
- Data Processing Agreement (DPA) – a copy of our Data Processing Addendum for our customers
- Cookie Policy – how and why we use cookies in the provision of our services
Is my data sent securely?
Yes. Whenever your data is in transit between you and us it is encrypted using TLS (HTTPS). Within our firewalled private networks, data moving between our own servers may be transferred unencrypted.
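A customer can verify the first half of that claim from outside. The following Python check, added here as an example and not Testpad's own code, evaluates two captured HTTP responses from a host (the samples below are constructed, not real Testpad traffic, and app.example.com is a placeholder): the plain-HTTP response must be a permanent redirect to an https:// URL on the same host, and the HTTPS response must carry a Strict-Transport-Security header with a max-age of at least one year, so that browsers will not silently fall back to plain HTTP.

```python
"""Check that a host enforces HTTPS for data in transit.

Added example, not Testpad's own code. Sample responses below are
constructed for illustration; app.example.com is a placeholder host.
"""
from urllib.parse import urlparse

ONE_YEAR = 31_536_000  # seconds; the minimum HSTS max-age for browser preload lists


def parse_response(raw: str):
    """Split a raw HTTP/1.1 response into (status_code, headers).
    Header names are lower-cased; the body is ignored."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def redirects_to_https(raw: str, host: str) -> bool:
    """True if a plain-HTTP response is a permanent redirect to https://<host>/..."""
    status, headers = parse_response(raw)
    if status not in (301, 308):
        return False
    target = urlparse(headers.get("location", ""))
    return target.scheme == "https" and target.hostname == host


def hsts_max_age(raw: str) -> int:
    """Return the max-age from Strict-Transport-Security, or -1 if absent or invalid."""
    _, headers = parse_response(raw)
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        return -1
    for directive in hsts.split(";"):
        key, _, value = directive.strip().partition("=")
        if key.lower() == "max-age":
            try:
                return int(value.strip().strip('"'))
            except ValueError:
                return -1
    return -1


def enforces_https(http_raw: str, https_raw: str, host: str) -> bool:
    """Both conditions must hold: redirect off port 80, and a long-lived HSTS policy."""
    return redirects_to_https(http_raw, host) and hsts_max_age(https_raw) >= ONE_YEAR


# Constructed sample responses (not captured from any real server).
HOST = "app.example.com"
HTTP_STRICT = ("HTTP/1.1 301 Moved Permanently\r\n"
               "Location: https://app.example.com/\r\n"
               "Content-Length: 0\r\n\r\n")
HTTPS_STRICT = ("HTTP/1.1 200 OK\r\n"
                "Strict-Transport-Security: max-age=63072000; includeSubDomains\r\n"
                "Content-Type: text/html\r\n\r\n<html></html>")
# Weak configuration: serves the app over plain HTTP and sets a short HSTS lifetime.
HTTP_WEAK = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"
HTTPS_WEAK = ("HTTP/1.1 200 OK\r\n"
              "Strict-Transport-Security: max-age=300\r\n\r\n")

if __name__ == "__main__":
    print("strict host enforces HTTPS:", enforces_https(HTTP_STRICT, HTTPS_STRICT, HOST))
    print("weak host enforces HTTPS:  ", enforces_https(HTTP_WEAK, HTTPS_WEAK, HOST))
```

To run it against a live host, capture the two responses with `curl -si http://host/` and `curl -si https://host/` and pass the output to enforces_https. Note that this only checks what the server tells the browser; it says nothing about the unencrypted hops inside a vendor's private network, which is why that caveat matters in the paragraph above.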
Is my data stored securely?
Yes. Your customer data is stored on Amazon Web Services (AWS), the infrastructure provider for our Services. Data security is one of the reasons we chose AWS; for the measures Amazon takes to protect data held on its platform, see the AWS Security and Compliance Center and its security white papers. AWS is ISO/IEC 27001 certified.
We also follow our own practices, aligned with industry best practice: access to our servers is limited to senior Testpad engineers responsible for security, we keep our servers patched with security fixes, and we use two-factor authentication wherever it is available, among other measures.
Should our systems be compromised, we will replace the affected server(s) with freshly built ones. If that does not stop the attack, we will take the service offline until the vulnerability has been fixed.
Do you test for security?
Independent security professionals carry out regular penetration tests of our system to look for security weaknesses. Any weaknesses found are remediated as appropriate.
You can download our latest penetration test certificate here, and a copy of our latest penetration test report here.
If you discover a security concern, please email us at stef@testpad.com. We will work with you to make sure we understand the scope of the issue and fully address your concern. We treat security reports as our highest priority and work to resolve any issues that arise as quickly as possible.
Are you SOC2 compliant?
Yes. We have completed a SOC 2 Type 1 audit and are working toward a SOC 2 Type 2 report.
Developed by the American Institute of CPAs (AICPA), SOC 2 defines criteria for managing customer data under five Trust Services Criteria (historically called "trust service principles"): security, availability, processing integrity, confidentiality and privacy. Security is in scope for every SOC 2 report; the other four are included at the organization's discretion, so the report itself states which were assessed.
A Type 1 report assesses whether controls are suitably designed and in place at a single point in time. A Type 2 report additionally tests whether those controls operated effectively over a review period, commonly six to twelve months.
How do you protect our billing information?
All confidential payment data is handled by our payment processor, FastSpring, rather than by Testpad. FastSpring is a globally established processor with extensive security mechanisms, including PCI DSS compliance.
Can you share your responses to the VSA Questionnaire?
We have adopted the Vendor Security Alliance Questionnaire (VSAQ) security standard, which covers much of what you might want to know about our information security practices. Please contact support to request a copy of our responses.
The VSAQ was created by a coalition of companies committed to improving Internet security. It is a well-known and highly respected security questionnaire.