Security

Rainforest QA is committed to high standards for security, protecting our customers’ data before, during, and after testing.

SOC 2 Type II Certification
HIPAA Compliance
ISO 27002 Compliance

Platform security

Our main application, API, and databases are powered by Google Cloud Platform (GCP). As a result, Rainforest inherits all of the benefits of Google Cloud’s security model and world-scale infrastructure.

Rainforest’s security policies define who can access customer data, and those policies are enforced. Access to customer data is granted only when it is necessary.

Application security

Rainforest application security consists of several components, including:

  • SSL/TLS for industry-standard encryption of all network data
  • DDoS protection provided by Cloudflare
  • Single Sign-On using Security Assertion Markup Language (SAML) or against GitHub’s OAuth IdP
  • API access via rotating key authentication
  • All data stored by Rainforest is encrypted at rest, and communication between all components is encrypted via TLSv1.2 or later
  • Customer data stored in databases is backed up, and recovery is regularly tested
  • Customer data not stored in databases is stored in Amazon S3 across multiple zones

Secure software development lifecycle

All changes to the Rainforest QA product are reviewed and are continuously scanned for security issues. All of our engineers regularly receive security training. Access to production environments is granted on a least-privilege basis.

Artificial Intelligence

Rainforest's handling of customer data in the context of artificial intelligence (AI) abides by our Terms of Service, Privacy Policy, and the security policies detailed in this document.

We use a Retrieval Augmented Generation (RAG) pipeline to augment the training of third-party LLMs. For that augmentation, we use an abstracted version of data generated by plain-English tests executed by our crowd of manual testers.

  • Only data from plain-English tests executed by our manual testers is included in the RAG pipeline. No data from automated tests created with our Visual Editor is included.
  • No customer data is ever used verbatim in the RAG pipeline to improve our AI’s performance. Our RAG pipeline abstracts a set of data into an instruction for the agent.

Rainforest's AI uses OpenAI’s API, which has been audited and certified for SOC 2 Type 2 compliance. OpenAI encrypts all data at rest (AES-256) and in transit (TLS 1.2+), and uses strict access controls to limit who can access data.

OpenAI does not use data sent to their API to train their models, and does not own any of the inputs or outputs of their API. Any rights OpenAI has to the input and output are only those necessary to provide their services, comply with applicable law, and enforce their policies.

You can learn more about their privacy policies here.

Virtual machines

All Rainforest tests — whether they’re executed by automation or by human testers from our tester community — are executed within our virtual machines (VMs). We’ve designed our virtual machines to provide consistent and reliable testing environments, and we take multiple security measures to keep customer data secure within these VMs.

Limited interactions to stop data leaks

Because Rainforest testers interact with your webpage or application via our VMs, not directly from their own computers, we’re able to monitor every interaction.

Virtual machines don't allow users to use the copy & paste function outside the VM itself. As a result, while testers can paste information into the VM and interact normally within the VM, they can't copy any information out of the VM to use after the test has concluded.

A clean VM for every run

The VMs are ephemeral and created on-demand for every test execution. Once a test execution is complete, the environment is destroyed, removing access to any test data from our testers. All testing data is logged for auditing and research purposes.

IP whitelisting

Rainforest uses a set of static IP addresses for all of our testing environments, which makes it easy for customers to whitelist our testing IPs. Having a set of static IP addresses ensures that access to our customers’ environments is controlled by Rainforest, and all access is logged and traceable. This also prevents testers from starting a test or accessing a customer environment outside of the VM. Dedicated IPs are also available for added security.

Virtual private networks (VPNs)

Rainforest offers VPN as an alternative to IP whitelisting for customers who wish to add an additional layer of security to their testing process.

Trusted infrastructure

Our virtual machines run on servers provided by Hetzner Online GmbH (Hetzner security measures) and LeaseWeb (LeaseWeb security measures).

Manual testers

We take tester training and management seriously, and hold the testers from our tester community to high standards for both test quality and professionalism.

Only testers who have met our standards for compliance are able to execute tests for HIPAA-regulated Rainforest customers.

Sourced and trained testing professionals

Before any new tester can start running tests for Rainforest customers, they must both meet initial experience requirements and complete a rigorous Rainforest Tester Training School. This includes an expanding set of courses they must pass, including ones specifically dedicated to how they should interact with any customer data they engage with in the course of executing tests.

Tester non-disclosure agreements

All Rainforest testers must sign a non-disclosure agreement (NDA) to ensure they don’t share any information they learn about our customers’ products. For customers with specific privacy needs, we offer custom NDAs, which require testers to adhere to your organization’s standards for discretion before they can accept any work. Rainforest uses industry-standard HelloSign to collect e-signatures, which are required before testers receive your work.

Using machine learning to catch unusual activity

Testers only have access to your application during the test run. We use machine learning algorithms and statistics to ensure that each test run meets our standards for quality. Every tester action is monitored closely and recorded, and we take prompt action to address any suspicious or unusual activity. We manually review test execution on a regular basis to ensure our algorithmic assessments of quality are accurate.

Tester malware scans

Testers working on HIPAA-regulated customer accounts are required to submit regular malware scan logs. Customers who are not HIPAA-regulated may request that their tester pool be limited to testers who have submitted valid malware scan logs in the past 6 months.

Tester account 2-factor authentication

Testers have the option of securing their account with 2-factor authentication. Customers may require that only testers with this feature enabled have access to tests.