Security designed for teams that ship

Last updated: May 2026

Layered encryption, isolated browser-capture architecture, scoped access control and Cloudflare-protected infrastructure — built to safely support QA and release workflows at scale.

At a glance

Our security posture, in one view.

Encryption in transitTLS 1.2+
Encryption at restAES-256, multi-layer
Role-based access controlEnabled
Project & environment isolationEnabled
Cloudflare WAF & DDoSEnabled
Isolated widget captureEnabled
Sensitive-endpoint exclusionDefault-on
GDPR-aligned data processingYes
Multi-factor authenticationIn progress
SAML / SSOOn roadmap
SOC 2 Type IIOn roadmap
Customer-held-key E2EEOn roadmap

How Bugzy is built

Six pillars across the platform.

Data protection

  • Multi-layer encryption at rest — database, object storage and application layer
  • TLS 1.2+ enforced on all customer-facing traffic, with HSTS
  • Data scoped per organisation, project and environment
  • Soft-delete with a 30-day account recovery window

Widget — what runs on your customers' sites

  • Cross-origin iframe isolation, served with SubResource Integrity
  • Authentication, billing and payment endpoints excluded from capture
  • Sensitive form fields masked in session replay by default
  • Screen recording only when the user explicitly opts in
  • No third-party trackers or analytics in the widget bundle

Browser extension

  • Manifest V3 with minimal API permissions
  • Isolated-world content scripts — no host-page JavaScript access
  • HTTPS-only authentication via browser cookies on bugzy.io
  • Production builds minified; no sourcemaps shipped

Access control

  • Argon2 password hashing with enforced complexity
  • Server-side sessions with secure, http-only, scoped cookies
  • Seven-tier role-based access control across the dashboard
  • Membership and permission checks on every project-scoped request
  • Cryptographic signature verification on inbound webhooks

Infrastructure

  • Compute on DigitalOcean, isolated from the public internet
  • Cloudflare for DNS, WAF, DDoS protection, TLS termination and CDN
  • MongoDB Atlas with AES-256 volume-level encryption and daily backups
  • Cloudflare R2 for object storage — assets never touch app servers' disk

Privacy & data handling

  • GDPR-aligned data processing terms; DPA available on paid plans
  • Subprocessor list maintained on this page
  • Captured session data is scoped to the project that captured it
  • Sensitive query parameters and request bodies redacted before capture

Compliance & roadmap

Where we are, and where we're going.

Today

  • GDPR-aligned data processing
  • Data Processing Addendum (DPA) on paid plans
  • Published privacy, data protection and cookies notices
  • Subprocessor list maintained on this page
  • Multi-layer encryption at rest, TLS 1.2+ in transit

On the roadmap

  • Multi-factor authentication
  • SAML / SSO for enterprise plans
  • Customer-exportable audit log
  • SOC 2 Type II readiness
  • Customer-configurable retention windows
  • Customer-held-key E2EE for regulated-industry plans
  • Public bug bounty program

Responsible disclosure

Found something? Tell us.

Email [email protected] with a proof-of-concept, the affected component and the impact you observed. We acknowledge reports within one business day and triage within five.

Good-faith research conducted under this policy will not result in legal action by Bugzy. Out of scope: DoS against production, social engineering, and any testing against other customers' data.

Subprocessors

The vendors we rely on.

SubprocessorPurpose
CloudflareDNS, WAF, DDoS protection, TLS, CDN, object storage (R2)
DigitalOceanApplication compute
MongoDB AtlasPrimary database
Stripe / PaddlePayment processing
Amazon SES / SendGridTransactional email
GoogleOAuth sign-in
OpenAI, AnthropicAI-assisted features (only when a customer enables them)

Evaluating Bugzy for a regulated environment? Write to [email protected] for a current security questionnaire response, DPA, or detailed architecture review.