Security Policy
Last updated: February 17, 2026
1. Scope
This Security Policy applies to the Testream platform, including the web dashboard, backend API, CI/CD test reporters, Atlassian Forge app (Testream for Jira), and supporting infrastructure.
2. Security contact and reporting
To report a security issue or suspected vulnerability, contact contact@testream.app.
Please include reproduction steps, impact details, affected environment, and relevant Jira site information. Reports are reviewed and triaged based on severity.
3. Authentication and access control
- The web dashboard uses JWT-based session authentication with access and refresh tokens.
- CI/CD test reporters authenticate via project-scoped API keys sent in the X-API-KEY header.
- The Forge app uses Atlassian permissions and Forge scopes for product access.
- Backend endpoints used by the Forge app require API key authentication via X-API-KEY.
4. Credential and secret handling
- API keys are generated with cryptographically secure randomness and shown in full only at creation/regeneration time.
- Backend systems store API key hashes and display prefixes, not plaintext API keys.
- User passwords are hashed with BCrypt.
- Refresh tokens are generated randomly, stored as hashes, and rotated on renewal.
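The following Python block is an added illustration of the credential-handling scheme sections 3 and 4 describe (project-scoped keys presented in X-API-KEY, stored as hash plus display prefix, and refresh tokens stored hashed and rotated on renewal). It is not Testream's code. The "tsk_" key prefix, the 8-character display prefix and SHA-256 as the at-rest hash for these high-entropy secrets are assumptions; the page names BCrypt only for user passwords, which are not modelled here.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Assumed values, not taken from the policy page.
KEY_PREFIX = "tsk_"
DISPLAY_PREFIX_LEN = 8


def hash_secret(value: str) -> str:
    """At-rest form of an API key or refresh token (assumption: SHA-256 hex digest)."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


class ApiKeyStore:
    """Keeps only a hash and a display prefix per key; plaintext is handed out once."""

    def __init__(self) -> None:
        self._records: dict[str, dict] = {}  # key_id -> {project, hash, prefix}

    def _new_secret(self) -> str:
        # 32 bytes from the OS CSPRNG; URL-safe base64 so it fits in a header value.
        return KEY_PREFIX + secrets.token_urlsafe(32)

    def create(self, project_id: str) -> tuple[str, str]:
        plaintext = self._new_secret()
        key_id = secrets.token_hex(8)
        self._records[key_id] = {
            "project": project_id,
            "hash": hash_secret(plaintext),
            "prefix": plaintext[:DISPLAY_PREFIX_LEN],
        }
        return key_id, plaintext  # the only moment the full key is available

    def regenerate(self, key_id: str) -> str:
        """Replace the secret behind an existing key id; the old key stops working."""
        rec = self._records[key_id]
        plaintext = self._new_secret()
        rec["hash"] = hash_secret(plaintext)
        rec["prefix"] = plaintext[:DISPLAY_PREFIX_LEN]
        return plaintext

    def display(self, key_id: str) -> str:
        """What a dashboard can show after creation: the prefix plus a mask."""
        return self._records[key_id]["prefix"] + "..."

    def project_for(self, presented: str) -> Optional[str]:
        """Resolve a presented key to its project, or None if it matches nothing."""
        digest = hash_secret(presented)
        for rec in self._records.values():
            if hmac.compare_digest(digest, rec["hash"]):
                return rec["project"]
        return None


def authenticate_request(store: ApiKeyStore, headers: dict) -> Optional[str]:
    """Project-scoped auth for a reporter call: read X-API-KEY (header names are case-insensitive)."""
    for name, value in headers.items():
        if name.lower() == "x-api-key":
            return store.project_for(value.strip())
    return None


class RefreshTokenStore:
    """Refresh tokens: random, stored hashed, and rotated (old one revoked) on renewal."""

    def __init__(self) -> None:
        self._active: dict[str, str] = {}  # token hash -> subject

    def issue(self, subject: str) -> str:
        token = secrets.token_urlsafe(32)
        self._active[hash_secret(token)] = subject
        return token

    def rotate(self, presented: str) -> Optional[str]:
        subject = self._active.pop(hash_secret(presented), None)
        if subject is None:
            return None  # unknown or already-rotated token: renewal refused
        return self.issue(subject)
```

Because the store never keeps the plaintext, a database read-only compromise yields only digests of 256-bit random secrets, and a replayed refresh token is refused once it has been rotated.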
5. Data storage in Atlassian
For Testream for Jira, data stored in Atlassian systems includes:
- Forge Storage entries for project-scoped API key metadata and selected project references.
- Jira project property key jira-test-manager.linked-test-runs for release-to-run linkage.
Testream does not persist Jira user profile details in Jira entity properties.
6. Platform data storage
- Test results, run metadata, and account information are stored in managed PostgreSQL.
- Data is isolated per project, with access enforced at the API layer.
- No raw credentials are stored in the database — only cryptographic hashes and non-sensitive references.
7. Artifact and file security
- Artifacts are stored in S3-compatible object storage with server-side encryption.
- Artifact uploads use short-lived pre-signed upload URLs.
- Artifact downloads use time-limited tokenized links scoped to the requested run and project context.
8. Payment security
- Payments are processed via Stripe.
- Testream does not store credit card numbers or payment credentials.
- Billing data is managed by Stripe. Testream stores only subscription status and Stripe customer references.
9. CI/CD integration security
- Test reporters transmit results over HTTPS to the Testream backend API.
- Authentication is performed via project-scoped API keys.
- No source code or repository credentials are collected — only test output in CTRF format.
10. Transport security
Service endpoints are served over HTTPS, and production web and backend deployments enforce HTTPS at the edge.
11. Infrastructure security
- Services run on managed cloud hosting with automatic TLS termination.
- The database is hosted on managed PostgreSQL with encryption at rest.
- Object storage uses server-side encryption.
- Application deployments use containerized builds.
12. Monitoring and incident handling
Testream uses application and infrastructure logging to support troubleshooting, abuse detection, and security event investigation. Security events are reviewed and mitigated based on severity.
13. Policy updates
We may update this Security Policy as the product evolves. Material updates are published on this page with an updated "Last updated" date.
