Your Data, Protected
Security is built into every layer of TestKase — from encrypted data at rest and in transit, to strict access controls and continuous monitoring. Your test management data is safe with us.
Multi-Layered Access Control
Every request is authenticated and every action is authorized. Multiple layers of security protect your account.
Enterprise-grade authentication, built in.
- JWT tokens: 1-day access, 14-day refresh with secure rotation
- OTP-based 2-step login — 6-digit code, 5-minute expiry
- bcrypt-12 password hashing with per-user salts
- Account lockout after 5 failed login attempts
- Google & Microsoft OAuth 2.0 single sign-on
- RBAC: owner, project_admin, user, guest roles
- Personal Access Tokens: SHA256 + bcrypt dual-hash, max 10/user, optional expiry
Secure by Infrastructure
Every layer of our stack is hosted on SOC 2 compliant platforms with encryption, isolation, and automated backups.
Vercel
Frontend Hosting
- SOC 2 Type II certified
- Global edge CDN
- Automatic SSL/TLS
- Built-in DDoS protection
- Instant deployment rollbacks
Railway
Backend Services
- Isolated containers per service
- Private networking
- Encrypted environment variables
- Automatic TLS termination
- Zero-downtime deployments
PostgreSQL
Database
- Hosted on Railway with SSL
- Automated daily backups
- Point-in-time recovery
- TypeORM synchronize: false — no automatic schema changes
- Network-isolated access
Hardened at Every Endpoint
From input validation to security headers, every API endpoint is protected against OWASP Top 10 threats.
Input Validation
class-validator in whitelist mode on all DTOs, so properties without a validation decorator are stripped from incoming requests. Disposable email blocking on signup.
Parameterized Queries
TypeORM with parameterized queries throughout — no raw SQL string concatenation.
CORS Whitelist
Strict origin whitelist for API access. Only authorized frontends can communicate.
Rate Limiting
200 req/min global, 10/min signup, 15/min AI endpoints. Brute-force protection built in.
reCAPTCHA v3
Score ≥ 0.5 required on signup, contact, and newsletter forms. Automated bot protection.
Webhook Verification
HMAC-SHA256 signature verification on all incoming webhooks (Razorpay, integrations).
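As an added illustration (not TestKase's own code), the webhook check described above in TypeScript using only Node's built-in crypto module. The signature header name, the hex encoding of the digest, and the sample secret and payload are assumptions; the check runs over the raw request body, since re-serializing parsed JSON changes the bytes and invalidates the signature.

```typescript
import { createHmac, timingSafeEqual } from "crypto";

// Expected signature: HMAC-SHA256 over the raw request body, keyed with the
// per-integration webhook secret, hex-encoded (encoding is an assumption).
function signWebhookBody(rawBody: Buffer, secret: string): string {
  return createHmac("sha256", secret).update(rawBody).digest("hex");
}

// Returns true only when the header is present, is a well-formed 32-byte hex
// digest, and matches the expected value under a constant-time comparison.
function verifyWebhookSignature(
  rawBody: Buffer,
  signatureHeader: string | undefined,
  secret: string,
): boolean {
  if (!signatureHeader || !/^[0-9a-f]{64}$/i.test(signatureHeader)) {
    return false; // missing, truncated, or not hex: reject before comparing
  }
  const expected = Buffer.from(signWebhookBody(rawBody, secret), "hex");
  const received = Buffer.from(signatureHeader, "hex");
  // timingSafeEqual throws on a length mismatch; the regex above guarantees
  // both buffers are 32 bytes, so this is a pure constant-time compare.
  return timingSafeEqual(expected, received);
}

// Constructed sample secret and payload (placeholders, not real values).
const SAMPLE_SECRET = "whsec_PLACEHOLDER";
const SAMPLE_BODY = Buffer.from(
  '{"event":"payment.captured","payload":{"payment":{"entity":{"id":"pay_PLACEHOLDER","amount":50000}}}}',
);

// Same event with one field changed: must fail verification.
const TAMPERED_BODY = Buffer.from(
  '{"event":"payment.captured","payload":{"payment":{"entity":{"id":"pay_PLACEHOLDER","amount":1}}}}',
);

// Semantically identical JSON, pretty-printed: different bytes, so the
// signature no longer matches. This is why the raw body must be kept.
const RESERIALIZED_BODY = Buffer.from(
  JSON.stringify(JSON.parse(SAMPLE_BODY.toString("utf8")), null, 2),
);

// Stand-alone run: a valid signature verifies, the tampered copy does not.
const sig = signWebhookBody(SAMPLE_BODY, SAMPLE_SECRET);
console.log("valid:", verifyWebhookSignature(SAMPLE_BODY, sig, SAMPLE_SECRET));
console.log("tampered:", verifyWebhookSignature(TAMPERED_BODY, sig, SAMPLE_SECRET));
```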
Upload Security
MIME type whitelist enforcement. Maximum 50MB file size. Secure S3 presigned URLs.
Security Headers
HSTS, X-Frame-Options, X-Content-Type-Options, Content-Security-Policy enforced.
Your Data, Your Control
Every piece of data is encrypted, access-controlled, and handled with zero-trust principles.
Encryption in Transit
- TLS 1.2+ enforced on all endpoints
- SSL database connections
- HTTPS-only API communication
Encryption at Rest
- bcrypt-12 hashing for passwords
- AES-256 for secrets & tokens
- OAuth tokens encrypted before storage
Secrets Management
- Environment variables via Vercel & Railway — never in source
- S3 presigned URLs for file access (time-limited)
- Webhook secrets rotatable per integration
Data Privacy
- PAT raw token shown once — dual-hashed (SHA256 + bcrypt) storage
- OAuth tokens stored with minimum-scope permissions
- No selling or sharing of user data with third parties
Always Watching
Continuous monitoring, detailed audit trails, and a structured incident response process ensure rapid detection and resolution.
Real-Time Monitoring
Automated health checks with instant alerts for downtime, latency spikes, or anomalous behavior.
Comprehensive Audit Logging
Every request is logged with IP, geolocation, correlation ID, user, role, and access decision.
Sensitive Field Redaction
Passwords, tokens, secrets, api_key, and authorization headers are automatically redacted in all logs.
Maintenance Mode
Instant system-wide lockdown capability to protect user data during active security events.
Incident Response Process
Start Testing for Free
Sign up instantly and begin using TestKase with all core features, completely free for up to 3 users.