Bugster Security Practices
Last updated: September 2025
At Bugster, we take the security and privacy of customer code and data very seriously. Below you'll find an overview of our hosting, code privacy, and security controls. For any additional questions, reach out to ignacio@bugster.dev.
Hosting and Architecture
Bugster is available exclusively as a cloud-based SaaS.
Infrastructure Providers
- AWS for core compute and storage
- GCP for auxiliary services
LLM Providers
- OpenAI and Anthropic for inference
- All traffic is encrypted in transit (TLS 1.2/1.3)
Monitoring and Observability
Langfuse is used for LLM observability and prompt monitoring.
Our providers maintain certifications such as SOC 2 Type II and ISO 27001, and are GDPR-ready.
Code Handling and Storage
No persistent storage of customer code
Bugster does not store source code in any database.
Ephemeral access
Code is fetched from GitHub only during runtime for test execution, then discarded.
Evidence artifacts
Test runs may produce logs, screenshots, and videos. These are stored in AWS S3, with a default retention of 30 days and full deletion available on demand.
Machine Learning and Data Usage
- Customer code and artifacts are never used to train or fine-tune models.
- Model prompts and responses are session-scoped.
- Langfuse logs are anonymized and used strictly for debugging and reliability monitoring.
- Bring Your Own Key (BYOK) option is planned for December 2025, enabling customers to run LLM calls through their own providers.
Confidentiality and Security Controls
Access Control
Only authorized Bugster engineers can access production systems. All access is logged.
Employee Policies
All staff are bound by confidentiality agreements and receive security training.
Customer Confidentiality
Bugster team members will never access customer data unless explicitly authorized for support.
Data Deletion
Customers can delete test results, logs, and artifacts at any time. Data is removed from active systems within 24 hours and from backups within 30 days.
Monitoring and Observability
- Continuous monitoring for reliability, latency, and security incidents
- Automated dependency and container vulnerability scanning
- Incident response protocols to quickly mitigate risks
Compliance and Roadmap
- Bugster leverages the compliance of its providers (AWS, GCP), which hold SOC 2, ISO 27001, and GDPR certifications
- Bugster itself is not yet SOC 2 certified — a SOC 2 readiness assessment is planned for 2026
- Data processing is GDPR-aligned, including customer deletion rights and retention policies
Contact
Questions about our security practices?
📩 Email us at ignacio@bugster.dev
Related documents: Privacy Policy • Terms of Service