Security designed for teams that ship
Last updated: May 2026
Layered encryption, isolated browser-capture architecture, scoped access control and Cloudflare-protected infrastructure — built to safely support QA and release workflows at scale.
At a glance
Our security posture, in one view.
How Bugzy is built
Six pillars across the platform.
Data protection
- Multi-layer encryption at rest — database, object storage and application layer
- TLS 1.2+ enforced on all customer-facing traffic, with HSTS
- Data scoped per organisation, project and environment
- Soft-delete with a 30-day account recovery window
Widget — what runs on your customers' sites
- Cross-origin iframe isolation, served with SubResource Integrity
- Authentication, billing and payment endpoints excluded from capture
- Sensitive form fields masked in session replay by default
- Screen recording only when the user explicitly opts in
- No third-party trackers or analytics in the widget bundle
Browser extension
- Manifest V3 with minimal API permissions
- Isolated-world content scripts — no host-page JavaScript access
- HTTPS-only authentication via browser cookies on bugzy.io
- Production builds minified; no sourcemaps shipped
Access control
- Argon2 password hashing with enforced complexity
- Server-side sessions with secure, http-only, scoped cookies
- Seven-tier role-based access control across the dashboard
- Membership and permission checks on every project-scoped request
- Cryptographic signature verification on inbound webhooks
Infrastructure
- Compute on DigitalOcean, isolated from the public internet
- Cloudflare for DNS, WAF, DDoS protection, TLS termination and CDN
- MongoDB Atlas with AES-256 volume-level encryption and daily backups
- Cloudflare R2 for object storage — assets never touch app servers' disk
Privacy & data handling
- GDPR-aligned data processing terms; DPA available on paid plans
- Subprocessor list maintained on this page
- Captured session data is scoped to the project that captured it
- Sensitive query parameters and request bodies redacted before capture
Compliance & roadmap
Where we are, and where we're going.
Today
- GDPR-aligned data processing
- Data Processing Addendum (DPA) on paid plans
- Published privacy, data protection and cookies notices
- Subprocessor list maintained on this page
- Multi-layer encryption at rest, TLS 1.2+ in transit
On the roadmap
- Multi-factor authentication
- SAML / SSO for enterprise plans
- Customer-exportable audit log
- SOC 2 Type II readiness
- Customer-configurable retention windows
- Customer-held-key E2EE for regulated-industry plans
- Public bug bounty program
Responsible disclosure
Found something? Tell us.
Email [email protected] with a proof-of-concept, the affected component and the impact you observed. We acknowledge reports within one business day and triage within five.
Good-faith research conducted under this policy will not result in legal action by Bugzy. Out of scope: DoS against production, social engineering, and any testing against other customers' data.
Subprocessors
The vendors we rely on.
| Subprocessor | Purpose |
|---|---|
| Cloudflare | DNS, WAF, DDoS protection, TLS, CDN, object storage (R2) |
| DigitalOcean | Application compute |
| MongoDB Atlas | Primary database |
| Stripe / Paddle | Payment processing |
| Amazon SES / SendGrid | Transactional email |
| OAuth sign-in | |
| OpenAI, Anthropic | AI-assisted features (only when a customer enables them) |
Evaluating Bugzy for a regulated environment? Write to [email protected] for a current security questionnaire response, DPA, or detailed architecture review.