Customers trust mabl with sensitive internal data, and we take protecting that data seriously. This article outlines the standards, policies, and encryption practices mabl uses to keep your data secure.
Security and privacy standards
Mabl is a cloud-native application built using security and privacy best practices, including minimal communication paths between services, limited use of public IP addresses, role-based group access, and least privilege. We maintain a robust security program and undergo multiple independent audits every year:
- Mabl holds a SOC 2 Type II report. A SOC 2 Type II audit examines the design and operating effectiveness of our security program over the audit period, including proper handling of customer data, workforce training, mitigation of cyber risks, and compliance with privacy regulations.
- Mabl adheres to the SSAE 16 / ISAE 3402 Type II standards.
Mabl’s Information Security and Technology Team regularly conducts internal audits of our security policies and practices, including key management.
Data protection agreements (DPAs)
Mabl does not publish a standard DPA, but we are happy to review and sign a customer's own DPA.
Data retention policy
Mabl uses technical information about your testing environments to provide insights into application performance metrics and to improve the mabl app. Technical information may also be aggregated to create industry benchmarks.
In active workspaces, mabl retains test run data for 13 months.
Mabl retains workspace data for 30 days after a workspace is deleted. Trial workspaces are automatically deleted 90 days after the trial expires.
Data encryption
Mabl encrypts customer data in transit and at rest so that workspace data cannot be read by anyone who intercepts network traffic or gains access to the underlying storage.
Data in transit
All customer data transmitted to and from mabl is encrypted with TLS (HTTPS for web traffic). Data transmitted between mabl's own services is encrypted the same way.
Data at rest
Customer data stored at rest is encrypted with AES-256 keys managed in Google Cloud KMS, a widely used hosted key management service. For Google Cloud's own default encryption at rest, see Google Cloud's documentation.
For sensitive customer data, mabl generates a separate symmetric encryption key for each workspace in Google Cloud KMS, so that each workspace's data is encrypted under its own key. At a minimum, workspace-specific keys protect the following:
- All test artifacts collected during a test run such as screenshots, HAR logs and DOM snapshots
- Credentials
- API keys
- Link agent certificates
- Environment variables
- Custom HTTP headers
Key management and strength
Mabl's global and workspace-level encryption keys are stored in Google Cloud KMS. In Google Cloud's terminology they are customer-managed encryption keys (CMEK), where the customer is mabl: mabl creates and controls the keys in Cloud KMS, and the key material cannot be exported from Cloud KMS.
All mabl-managed keys use AES-256-GCM. More details can be found in the Cloud KMS documentation.
Workspace keys can be rotated or destroyed on request. Rotating a key creates a new key version for future encryption while earlier versions remain available to decrypt existing data; destroying a key or key version, by contrast, removes the ability to decrypt anything still encrypted under it, so that data can be permanently lost.
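As an added illustration (this is not mabl's code and not the Cloud KMS client), the Go program below models the behaviour described in the "Data at rest" and "Key management and strength" sections: one AES-256-GCM key per workspace whose material never leaves the key object, a version byte in front of every ciphertext so that rotation keeps older data readable, and destruction of a version making data encrypted under it unrecoverable. The in-process `kmsKey` type, the `ws-a` and `ws-b` workspace ids, and the sample secret are all constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

const nonceSize, tagSize = 12, 16 // standard GCM nonce and tag lengths used by cipher.NewGCM

// kmsKey stands in for one KMS symmetric key (an assumption of this example, not a Cloud KMS client).
type kmsKey struct {
	versions map[uint8]cipher.AEAD // AES-256-GCM versions; material never leaves the struct, Destroy removes entries
	primary  uint8                 // version used for new encryptions
}

// Rotate adds a fresh AES-256 version as primary; older versions stay enabled for decryption.
func (k *kmsKey) Rotate() error {
	raw := make([]byte, 32) // 32 bytes = AES-256
	if _, err := rand.Read(raw); err != nil {
		return err
	}
	block, err := aes.NewCipher(raw)
	if err != nil {
		return err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return err
	}
	k.primary++
	k.versions[k.primary] = aead
	return nil
}

// Destroy discards one version's key material; ciphertext under it is lost for good.
func (k *kmsKey) Destroy(version uint8) { delete(k.versions, version) }

// Encrypt returns version || nonce || ciphertext || tag; aad (the workspace id) is authenticated, not encrypted.
func (k *kmsKey) Encrypt(plaintext, aad []byte) ([]byte, error) {
	nonce := make([]byte, nonceSize) // fresh random nonce for every encryption
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	header := append([]byte{k.primary}, nonce...)
	return k.versions[k.primary].Seal(header, nonce, plaintext, aad), nil
}

// Decrypt looks up the version named in the header and verifies the GCM tag.
func (k *kmsKey) Decrypt(blob, aad []byte) ([]byte, error) {
	if len(blob) < 1+nonceSize+tagSize {
		return nil, fmt.Errorf("ciphertext too short")
	}
	aead, ok := k.versions[blob[0]]
	if !ok {
		return nil, fmt.Errorf("key version %d destroyed: data unrecoverable", blob[0])
	}
	return aead.Open(nil, blob[1:1+nonceSize], blob[1+nonceSize:], aad)
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// runScenario walks through the behaviours described above and reports each as a bool.
func runScenario() map[string]bool {
	a := &kmsKey{versions: map[uint8]cipher.AEAD{}} // key for workspace ws-a
	b := &kmsKey{versions: map[uint8]cipher.AEAD{}} // separate key for workspace ws-b
	must(a.Rotate()) // first rotation creates version 1
	must(b.Rotate())
	secret := []byte("API_KEY=constructed-sample-value") // constructed sample, not a real credential
	blob, err := a.Encrypt(secret, []byte("ws-a"))
	must(err)
	res := map[string]bool{}
	pt, err := a.Decrypt(blob, []byte("ws-a"))
	res["roundtrip"] = err == nil && bytes.Equal(pt, secret)
	_, err = b.Decrypt(blob, []byte("ws-b")) // other workspace's key: tag check fails
	res["cross_workspace_rejected"] = err != nil
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the tag
	_, err = a.Decrypt(tampered, []byte("ws-a"))
	res["tamper_rejected"] = err != nil
	must(a.Rotate()) // version 2 becomes primary; version 1 stays enabled
	blob2, err := a.Encrypt(secret, []byte("ws-a"))
	must(err)
	pt, err = a.Decrypt(blob, []byte("ws-a"))
	res["old_readable_after_rotate"] = err == nil && bytes.Equal(pt, secret) && blob2[0] == 2
	a.Destroy(1) // version 1 gone: blob is unrecoverable, blob2 is unaffected
	_, err = a.Decrypt(blob, []byte("ws-a"))
	res["destroyed_version_unreadable"] = err != nil
	pt, err = a.Decrypt(blob2, []byte("ws-a"))
	res["current_version_still_readable"] = err == nil && bytes.Equal(pt, secret)
	return res
}

func main() { fmt.Println(runScenario()) }
```

Cloud KMS draws the same distinction: rotation creates a new primary key version and leaves earlier versions enabled for decryption, whereas destroying a version removes its material, which is why the page warns that removal can mean permanent loss of data. The example also binds the workspace id into GCM's additional authenticated data, so a ciphertext cannot be quietly decrypted under the wrong workspace context even if a caller reached the right key.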