Security

Rainforest QA is committed to high standards for security, protecting our customers’ data before, during, and after testing.

SOC 2 Type II Certification
HIPAA Compliance
ISO 27002 Compliance

Platform security

Our main application, API, and databases are powered by Google Cloud Platform (GCP). As a result, Rainforest inherits all of the benefits of Google Cloud’s security model and worldscale infrastructure. 

Rainforest’s security policies define who can access customer data and are enforced. Access to customer data is only allowed if necessary.

Application security

Rainforest application security consists of several components, including: 

  • SSL protocol for industry-standard encryption of all network data 
  • DDoS protection provided by CloudFlare 
  • Single Sign-On using Security Assertion Markup Language (SAML) or against Github’s Oauth IDP 
  • API access via rotating key authentication 
  • All data stored by Rainforest is encrypted at rest and communication between all components is encrypted via TLSv1.2 or later
  • Customer data stored in databases is backed-up and recovery is regularly tested
  • Customer data not stored in databases is stored in Amazon S3 across multiple zones

Secure software development lifecycle

All changes to the Rainforest QA product are reviewed and are continuously scanned for security issues. All of our engineers regularly receive security training. Access to production environments is granted on a least-privilege basis.

Artificial Intelligence

Rainforest's handling of customer data in the context of artificial intelligence (AI) abides by our Terms of Service, Privacy Policy, and the security policies detailed in this document.

We use a Retrieval Augmented Generation (RAG) pipeline to augment 3rd-party LLM models. For that augmentation, we use an abstracted version of data generated by plain-English tests executed by our crowd of manual testers.

  • Our RAG pipeline only includes data from plain-English tests executed by our manual testers and thumbs-up/-down customer feedback from automated tests.
  • No customer data is ever used verbatim in the the RAG pipeline to improve our AI’s performance. Our RAG pipeline abstracts a set of data into an instruction for the agent.

Rainforest's AI uses OpenAI’s API, which has been audited and certified for SOC 2 Type 2 compliance. OpenAI encrypts all data at rest (AES-256) and in transit (TLS 1.2+), and uses strict access controls to limit who can access data.

OpenAI does not use data sent to their API to train their models, and does not own any of the inputs or outputs of their API. Any rights OpenAI has to the input and output are only those necessary to provide their services, comply with applicable law, and enforce their policies.

You can learn more about their privacy policies here.

Virtual machines 

All Rainforest tests — whether they’re executed by automation or by human testers from our tester community — are executed within our virtual machines (VMs). We’ve designed our virtual machines to provide consistent and reliable testing environments, and we take multiple security measures to keep customer data secure within these VMs.

Limited interactions to stop data leaks 

Because Rainforest testers interact with your webpage or application via our VMs, not directly from their own computers, we’re able to monitor every interaction. 

Virtual machines don't allow users to use the copy & paste function outside the VM itself. As a result, while testers can paste information into the VM and interact normally within the VM, they can't copy any information out of the VM to use after the test has concluded. 

A clean VM for every run 

The VMs are ephemeral and created on-demand for every test execution. Once a test execution is complete, the environment is destroyed, removing access to any test data from our testers. All testing data is logged for auditing and research purposes.

IP whitelisting 

Rainforest uses a set of static IP addresses for all of our testing environments, which makes it easy for customers to whitelist our testing IPs. Having a set of static IP addresses ensures that access to our customers’ environments are controlled by Rainforest, and all access is logged and traceable. This also prevents testers from starting a test or accessing a customer environment outside of the VM. Dedicated IPs are also available for added security.

Virtual private networks (VPNs) 

Rainforest offers VPN as an alternative to IP whitelisting for customers who wish to add an additional layer of security to their testing process.

Trusted infrastructure

Our virtual machines run on servers provided by Hetzner Online GMbH (Hetzner security measures) and LeaseWeb (LeaseWeb security measures).

Manual testers 

We take tester training and management seriously, and hold the testers from our tester community to high standards for both test quality and professionalism. 

Only testers who have met our standards for compliance are able to execute tests for HIPAA-regulated Rainforest customers. 

Sourced and trained testing professionals 

Before any new tester can start running tests for Rainforest customers, they must both meet initial experience requirements, plus complete a rigorous Rainforest Tester Training School. This includes an expanding set of courses they must pass, including ones specifically dedicated to how they should interact with any customer data they engage with in the course of executing tests. 

Tester non-disclosure agreements

All Rainforest testers must sign a non-disclosure agreement (NDA) to ensure they don’t share any information they learn about our customers’ products. For customers with specific privacy needs, we offer custom NDAs, which require testers to adhere to your organization’s standards for discretion before they can accept any work. Rainforest uses industry-standard HelloSign to collect e-signatures, which are required before testers receive your work. 

Using machine learning to catch unusual activity 

Testers only have access to your application during the test run. We use machine learning algorithms and statistics to ensure that each test run meets our standards for quality. Every tester action is monitored closely and recorded, and we take prompt actions to address any suspicious or unusual activity. We manually review test execution on a regular basis to ensure our algorithmic assessments of quality are accurate. 

Tester malware scans 

Testers working on HIPAA-regulated customer accounts are required to submit regular malware scan logs. Customers who are not HIPAA-regulated may request that their tester pool is limited to testers who have submitted valid malware scan logs in the past 6 months. 

Tester account 2-factor authentication 

Testers have the option of securing their account with 2-factor authentication. Customers may require that only testers with this feature enabled have access to tests.