Trust Center
Security, privacy, and compliance are foundational to everything we build at bugAgent. This page provides transparency into our security posture, data handling practices, and compliance status.
Compliance & Certifications
SOC 2 Type II
Status: In Progress. We are actively working toward SOC 2 Type II certification. Our security controls are designed to meet the Trust Services Criteria for Security, Availability, and Confidentiality.
GDPR
Status: In Progress. We are implementing GDPR compliance measures including data processing agreements, data subject rights workflows, and privacy-by-design architecture. EU customer data is processed in EU regions.
ISO 27001
Status: In Progress. We are building our Information Security Management System (ISMS) toward ISO 27001 certification, covering risk assessment, access controls, and incident management.
Security Controls
Encryption at Rest
All data is stored in AES-256 encrypted databases via Supabase (powered by PostgreSQL). Storage buckets are encrypted at rest.
Encryption in Transit
All connections use TLS 1.2+. API endpoints enforce HTTPS. No plaintext data transmission.
Authentication
Multi-factor authentication support. JWT-based session management with secure, httpOnly cookies. OAuth 2.0 integrations.
Access Control
Role-based access control (RBAC) with owner, manager, and contributor roles. Row-level security (RLS) on all database tables.
API Security
API key authentication with scoped permissions. Rate limiting. Webhook signature verification (HMAC-SHA256).
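As an added illustration of the HMAC-SHA256 webhook signature verification mentioned above (example code written for this page, not bugAgent's own implementation), the receiver recomputes the MAC over the raw request body and compares it in constant time. The secret, payload, and the assumption that the signature header carries a hex digest are constructed for the example.

```python
import hashlib
import hmac

# Constructed example values; not a real bugAgent secret or payload format.
WEBHOOK_SECRET = b"example-shared-secret"
SAMPLE_BODY = b'{"event":"bug.created","id":"bug_123"}'


def sign_payload(secret: bytes, body: bytes) -> str:
    """Hex HMAC-SHA256 over the raw request body (what the sender attaches)."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, body: bytes, header_value: str) -> bool:
    """Return True only if the signature header matches the recomputed HMAC.

    Assumes the header carries the lowercase hex digest (an assumption for
    this example). Verify against the raw bytes *before* JSON parsing, so
    re-serialisation cannot change what was signed, and use compare_digest
    so a wrong signature takes the same time to reject regardless of where
    the first differing byte is.
    """
    if not header_value:
        return False
    expected = sign_payload(secret, body)
    return hmac.compare_digest(expected, header_value.strip().lower())
```

Any modification to the body, a missing header, or a signature made with a different secret causes verify_signature to return False.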
Data Isolation
Multi-tenant architecture with team-scoped data access. All queries filtered by team_id. No cross-tenant data leakage.
Vulnerability Scanning
Regular dependency auditing (npm audit). Pre-commit security hooks scan for secrets, SQL injection, XSS, and insecure patterns.
Error Monitoring
Application errors tracked via Sentry with PII scrubbing. No sensitive data in error reports.
Domain Verification
DNS TXT record verification required before security scanning, performance testing, or exploratory AI can target a domain.
Secure Development
Pre-commit security hooks check every commit for hardcoded secrets, SQL injection patterns, XSS vulnerabilities, and insecure configurations.
Resources
- Security Whitepaper
- Penetration Test Summary
- Data Processing Agreement (DPA)
- Business Continuity Plan
- Vendor Security Questionnaire
Subprocessors
The following third-party services process data on behalf of bugAgent to deliver the platform.
| Subprocessor | Purpose | Data Processed | Location |
|---|---|---|---|
| Supabase | Database, authentication, file storage | User accounts, bug reports, files, session data | US (AWS) |
| Anthropic (Claude) | AI classification, code review, exploratory AI | Bug report content, code diffs, page screenshots | US |
| Stripe | Payment processing | Billing info, subscription data | US |
| Resend | Transactional email | Email addresses, notification content | US |
| GitHub | OAuth, code review webhooks | GitHub usernames, repository data, PR diffs | US |
| Atlassian (Jira) | Issue synchronization | Bug report data synced to Jira | US / EU |
| Slack | Notifications | Team names, channel IDs, notification content | US |
| BrowserStack | Cross-browser and mobile testing | Test scripts, screenshots, device logs | US / India |
| Grafana Cloud (k6) | Load testing | Performance metrics, test configurations | US / EU |
| ScrapFly | Geo-targeted screenshots | URLs, screenshot images | EU |
| Sentry | Error monitoring | Application errors (PII scrubbed) | US |
| Railway | Application hosting | Application code, environment variables | US |
| GitHub Pages | Static website hosting | Public website content | US |
| OpenAI | Voice transcription | Audio recordings for note dictation | US |
Frequently Asked Questions
Where is my data stored?
Your data is stored in Supabase (PostgreSQL) hosted on AWS in the US region. File attachments are stored in Supabase Storage with AES-256 encryption at rest. EU data residency options are planned.
Who can access my data?
Only authenticated members of your team can access your data. All database queries are scoped to your team_id with row-level security (RLS) policies. bugAgent staff access is restricted to authorized personnel for support purposes only.
How is my data encrypted?
All data is encrypted at rest using AES-256 via Supabase/PostgreSQL. All data in transit is encrypted with TLS 1.2+. API keys and secrets are stored encrypted and never logged.
Can I delete my data?
Yes. You can delete individual bug reports, notes, automations, and projects from the dashboard. Account deletion removes all associated data. Contact support for full data export before deletion.
Do you sell my data?
No. We never sell, rent, or share your data with third parties for marketing purposes. Data is only shared with subprocessors listed above as necessary to provide the service.
How do you handle security vulnerabilities?
We run automated security scans on every commit via pre-commit hooks. Dependencies are audited regularly. Vulnerabilities are triaged by severity and patched promptly. Report security issues to security@bugagent.com.
Is bugAgent open source?
The bugAgent platform is proprietary. However, our MCP server protocol is based on the open Model Context Protocol standard, and we publish documentation for all APIs.
Have security questions?
For security inquiries, vulnerability reports, or compliance documentation requests, reach out to our security team.
security@bugagent.com