Skip to main content
Trust Center

Trust Center

Security, privacy, and compliance are foundational to everything we build at bugAgent. This page provides transparency into our security posture, data handling practices, and compliance status.

Compliance & Certifications

SOC 2 Type II

In Progress

We are actively working toward SOC 2 Type II certification. Our security controls are designed to meet the Trust Services Criteria for Security, Availability, and Confidentiality.

GDPR

In Progress

We are implementing GDPR compliance measures including data processing agreements, data subject rights workflows, and privacy-by-design architecture. EU customer data is processed in EU regions.

ISO 27001

In Progress

We are building our Information Security Management System (ISMS) toward ISO 27001 certification, covering risk assessment, access controls, and incident management.

ISO 9001

Roadmap

Establishing a quality management system toward ISO 9001 certification — the foundational QMS standard the regulated manufacturers we serve (ISO 13485, AS9100) build on. Covers process control, change management, internal audit, and corrective & preventive action.

Regional Compliance — Singapore & SEA

Singapore PDPA

In Progress

We are aligning to Singapore's Personal Data Protection Act — consent, purpose limitation, the Transfer Limitation Obligation, a designated Data Protection Officer, and the mandatory data-breach notification regime (the PDPC notified within 3 calendar days of a notifiable breach).

CSA Cyber Trust

In Progress

We are working toward the Cyber Security Agency of Singapore's Cyber Trust mark at the Promoter (Tier 3) tier — a risk-based certification closely aligned with ISO 27001, covering governance, risk, and cybersecurity preparedness.

CSA Cyber Essentials

Roadmap

The entry-level CSA Cyber Essentials mark is on our roadmap as a stepping-stone — covering asset inventory, secure configuration, access control, patch management, and backups.

MAS TRM Alignment

Documented

For Singapore-regulated financial institutions, our existing controls are mapped to the MAS Technology Risk Management Guidelines (chapters 3–18 + Annex A) as a vendor self-attestation supporting outsourcing due diligence. bugAgent is not directly MAS-regulated; the alignment document is available to FI customers under NDA.

Healthcare Services Act 2020

Documented

For Singapore healthcare-sector customers, our sectoral addendum documents that bugAgent is not a licensed healthcare service, does not integrate with NEHR or HealthHub, and provides guidance on de-identifying test data. The healthcare customer remains the regulated party; we support their due diligence.

Spam Control Act 2007

Aligned

Transactional and service messages sit outside the Spam Control Act. Marketing email is sent only after explicit opt-in, with a working unsubscribe in every message; no marketing SMS or telemarketing is directed at Singapore phone numbers, so the PDPA Do Not Call provisions are not engaged.

Security Controls

Encryption at Rest

All data stored in AES-256 encrypted databases via Supabase (powered by PostgreSQL). Storage buckets encrypted at rest.

Encryption in Transit

All connections use TLS 1.2+. API endpoints enforce HTTPS. No plaintext data transmission.

Authentication

Multi-factor authentication support. JWT-based session management with secure, httpOnly cookies. OAuth 2.0 integrations.

Access Control

Role-based access control (RBAC) with owner, manager, and contributor roles. Row-level security (RLS) on all database tables.

API Security

API key authentication with scoped permissions. Rate limiting. Webhook signature verification (HMAC-SHA256).

Data Isolation

Multi-tenant architecture with team-scoped data access. All queries filtered by team_id. No cross-tenant data leakage.

Vulnerability Scanning

Regular dependency auditing (npm audit). Pre-commit security hooks scan for secrets, SQL injection, XSS, and insecure patterns.

Error Monitoring

Application errors tracked via Sentry with PII scrubbing. No sensitive data in error reports.

Domain Verification

DNS TXT record verification required before security scanning, performance testing, or exploratory AI can target a domain.

Secure Development

Pre-commit security hooks check every commit for hardcoded secrets, SQL injection patterns, XSS vulnerabilities, and insecure configurations.

Resources

Available on Request
  • Standing Security Questionnaire CAIQ v4 structure, 17 control domains incl. Singapore-specific. We complete CAIQ / SIG-Lite / VSA / custom workbooks from this answer set — typical turnaround 5 business days. Email security@bugagent.com.
  • MAS TRM Alignment Document Vendor self-attestation mapping bugAgent controls onto the MAS Technology Risk Management Guidelines (chapters 3–18 + Annex A). Available to Singapore FI customers under NDA.
  • Data Processing Agreement (DPA) Customer DPA covering PDPA Transfer Limitation, GDPR processor obligations, and standard confidentiality terms — provided at contracting.
Coming Soon
  • Security Whitepaper
  • Penetration Test Summary
  • Business Continuity Plan

Subprocessors

The following third-party services process data on behalf of bugAgent to deliver the platform.

Subprocessor Purpose Data Processed Location
Supabase Database, authentication, file storage User accounts, bug reports, files, session data US (AWS)
Anthropic (Claude) AI classification, code review, exploratory AI Bug report content, code diffs, page screenshots US
Stripe Payment processing Billing info, subscription data US
Resend Transactional email Email addresses, notification content US
GitHub OAuth, code review webhooks GitHub usernames, repository data, PR diffs US
Atlassian (Jira) Issue synchronization Bug report data synced to Jira US / EU
Slack Notifications Team names, channel IDs, notification content US
BrowserStack Cross-browser and mobile testing Test scripts, screenshots, device logs US / India
Grafana Cloud (k6) Load testing Performance metrics, test configurations US / EU
ScrapFly Geo-targeted screenshots URLs, screenshot images EU
Sentry Error monitoring Application errors (PII scrubbed) US
PostHog Product usage analytics Feature usage events (user ID, team ID, email — no customer content) EU
Railway Application hosting Application code, environment variables US
GitHub Pages Static website hosting Public website content US
OpenAI Voice transcription Audio recordings for note dictation US

Frequently Asked Questions

Where is my data stored?

Your data is stored in Supabase (PostgreSQL) hosted on AWS in the US region. File attachments are stored in Supabase Storage with AES-256 encryption at rest. For customers with data-residency requirements — including Singapore and the wider SEA region — an in-region or on-premise deployment is available on Enterprise plans. EU data residency options are also planned.

Are you compliant with Singapore's PDPA?

We are actively aligning to Singapore's Personal Data Protection Act (PDPA). Most of its obligations are already met through our GDPR program. We have designated a Data Protection Officer as required under PDPA s.11(3), and our compliance framework documents the Singapore-specific 3-calendar-day PDPC breach-notification timeline. For data-protection enquiries, contact dpo@bugagent.com.

Are you suitable for Singapore-regulated financial institutions?

Yes — for non-material outsourcing out of the box, and with contractual safeguards for material outsourcing. bugAgent is not directly MAS-regulated, but our existing security and operational controls are mapped to the MAS Technology Risk Management Guidelines (chapters 3–18 + Annex A) as a vendor self-attestation. For material outsourcing arrangements, we offer audit and inspection rights, prior subprocessor-change notice, and an Enterprise termination-assistance plan on request. Contact security@bugagent.com for the alignment document.

Can healthcare-sector customers in Singapore use bugAgent?

Yes. bugAgent is not a licensed healthcare service under the Singapore Healthcare Services Act 2020 and does not integrate with the National Electronic Health Record (NEHR), HealthHub, or any MOH-administered digital-health platform. The healthcare customer remains the regulated party under HCSA. We recommend customers use synthetic or de-identified test data in any artifact uploaded to bugAgent; no identifiable patient data is required for any product function. Inadvertent uploads can be deleted on request via dpo@bugagent.com with a 24-hour SLA.

How do I get a security questionnaire completed?

We maintain a standing CAIQ-style answer set covering 17 control domains including Singapore-specific items, and complete CAIQ v4, SIG-Lite, VSA, or custom procurement questionnaires from it on request. Typical turnaround is 5 business days — faster for active enterprise procurement. Email security@bugagent.com with the questionnaire attached.

Who can access my data?

Only authenticated members of your team can access your data. All database queries are scoped to your team_id with row-level security (RLS) policies. bugAgent staff access is restricted to authorized personnel for support purposes only.

How is my data encrypted?

All data is encrypted at rest using AES-256 via Supabase/PostgreSQL. All data in transit is encrypted with TLS 1.2+. API keys and secrets are stored encrypted and never logged.

Can I delete my data?

Yes. You can delete individual bug reports, notes, automations, and projects from the dashboard. Account deletion removes all associated data. Contact support for full data export before deletion.

Do you sell my data?

No. We never sell, rent, or share your data with third parties for marketing purposes. Data is only shared with subprocessors listed above as necessary to provide the service.

How do you handle security vulnerabilities?

We run automated security scans on every commit via pre-commit hooks. Dependencies are audited regularly. Vulnerabilities are triaged by severity and patched promptly. Report security issues to security@bugagent.com.

Is bugAgent open source?

The bugAgent platform is proprietary. However, our MCP server protocol is based on the open Model Context Protocol standard, and we publish documentation for all APIs.

Have security questions?

For security inquiries, vulnerability reports, or compliance documentation requests, reach out to our security team.

security@bugagent.com