Security and Compliance

Security is a core part of how Testiny is built, operated, and supported. Testiny is developed by Mategra GmbH in Austria and is designed for teams that need a reliable, professional test management platform without giving up control over their data.

This page summarizes the public security, privacy, and resilience measures behind Testiny. Additional security and compliance information is available to eligible customers on request.

Testiny is used and trusted by companies across many sectors, including highly regulated and security-critical environments such as healthcare, finance, insurance, pharmaceuticals, software, manufacturing, and technology. These teams rely on Testiny to manage testing work with strong access controls, traceability, data protection, and operational resilience.

Security Facts at a Glance

  • 1 isolated database per customer organization to support tenant separation.
  • Backups every 2 hours for production customer data.
  • All backups are stored offsite, with an additional daily synchronization to a separate offsite location.
  • Testiny customer data is stored in the EU and is not transferred outside the EU by Testiny Cloud.
  • 3 non-production validation stages — development, testing, and staging — before release to production.
  • 3 MFA option categories: authenticator apps, email codes, and hardware security keys or passkeys.
  • DIN ISO/IEC 27001 certified Hetzner data center operations for Testiny Cloud infrastructure.
  • GDPR-aligned data processing.

Security Principles

Testiny's security program is built around practical controls that protect customer data, personal data, source code, infrastructure, and service availability.

Core principles include:

  • least-privilege access;
  • need-to-know handling of customer data;
  • secure configuration and change management;
  • encryption for data in transit, stored data, and backups where applicable;
  • monitoring and alerting for service health and security-relevant events;
  • regular backups and restore testing;
  • documented incident response and business continuity processes;
  • risk-based review of vendors and subprocessors;
  • continuous improvement based on incidents, audits, vulnerability reports, and customer feedback.

Personnel Security

Security also depends on the people operating the service. Employees and contractors with access to Testiny systems are required to handle credentials, devices, customer data, personal data, source code, and confidential business information responsibly.

Personnel security practices include:

  • confidentiality and data protection obligations where relevant;
  • security awareness for employees and relevant contractors;
  • MFA for production, administrative, source-code, CI/CD, cloud, and other critical systems where supported;
  • least-privilege and need-to-know access to sensitive systems and data;
  • periodic access reviews for critical systems;
  • access removal or adjustment after role changes or the end of employment or engagement.

Hosting and Infrastructure

Testiny Cloud is hosted with Hetzner in Germany. Hetzner’s data center operations are certified in accordance with DIN ISO/IEC 27001. More information is available on Hetzner’s certification overview and in the ISO certificate PDF.

Testiny customer data is stored in the European Union and is not transferred outside the EU by Testiny Cloud. Mategra GmbH is based in Austria and processes data in line with GDPR, Austrian data protection law, applicable customer agreements, and applicable data processing terms.

The Testiny Cloud architecture is designed for security, availability, and resilience:

  • production infrastructure is monitored continuously;
  • critical services use redundant architecture where practical;
  • resources can be scaled to support reliable performance;
  • infrastructure changes are handled through controlled deployment and provisioning processes;
  • service availability is tracked on the Testiny status page.

Testiny does not operate its own data centers. Data center certifications therefore apply to the hosting provider's facilities and operations, while Mategra GmbH remains responsible for the secure design, configuration, operation, and development of Testiny.

Testiny Server

For customers with strict infrastructure, data residency, or internal network requirements, Testiny is also available as Testiny Server. Testiny Server can be deployed in a customer-managed environment, including on-premises or private infrastructure.

With Testiny Server, the customer controls the hosting environment and is responsible for infrastructure security, network security, system hardening, backups, monitoring, and operational continuity in that environment. Testiny provides the application, product security features, and documentation needed to operate the server deployment.

Data Isolation

Each Testiny customer organization uses an isolated database. This separation improves both security and performance and helps prevent one organization from accessing another organization's data.

Access to customer data is limited to legitimate business purposes, such as support, troubleshooting, operating and securing the service, investigating incidents, and meeting legal or contractual obligations.

Data Export and Portability

Customers can export their Testiny data for reporting, archiving, migration, or internal compliance needs.

Export options include:

  • test cases and test runs exported to Excel or CSV;
  • audit logs exported as JSON;
  • the REST API for programmatic exports and integrations.

These export options help customers keep local archives, support audits, integrate Testiny with internal systems, and retain control over their test management data.

Encryption and Backups

Testiny protects data in transit using HTTPS/TLS. Stored data and backups are protected with encryption or equivalent provider-backed security controls where applicable.

Backups are part of Testiny's resilience strategy:

  • production data is backed up every 2 hours;
  • backup execution is monitored;
  • all backups are stored offsite, in a separate physical location from the primary systems;
  • backups are synchronized daily to an additional offsite location;
  • backup restore procedures are tested periodically.

Backups support recovery from operational failures, data corruption, data loss, and security incidents. Recovery procedures are documented internally and tested as part of Testiny's business continuity and disaster recovery practices.

Application Security

Testiny includes product-level security features that help customers control access and trace important changes.

Key application controls include:

  • roles and permissions for assigning least-privilege access;
  • MFA for user accounts, using authenticator apps, email codes, or hardware security keys and passkeys;
  • SSO for Business and Enterprise customers;
  • organization-level security policies configurable by administrators;
  • API keys for integrations;
  • audit logs for security-relevant administrative activity;
  • detailed change history for test management entities.

These controls help teams apply least privilege, keep account access secure, and maintain traceability across testing workflows.

Secure Development and Change Management

Testiny is developed with practical secure development and change management controls.

These include:

  • source code version control;
  • peer review for relevant code and configuration changes;
  • review of security-relevant or production changes where practical;
  • testing in 3 non-production environments — development, testing, and staging — before release to production;
  • extensive automated testing to validate functionality and reduce regressions;
  • traceability of deployments and production changes;
  • continuous dependency, vulnerability, and malicious-library monitoring;
  • secure handling of secrets and credentials;
  • emergency change handling when needed to protect security, availability, or customer data.

Changes are first developed and validated outside production. Before a release reaches customers, Testiny uses multiple non-production environments to verify application behavior, integrations, data handling, and deployment steps. Automated tests are an important part of this process and are complemented by peer review, manual review, and targeted checks where appropriate.

Monitoring and Vulnerability Management

Testiny maintains monitoring and logging appropriate to the service's risk profile. Monitoring may cover service availability, system performance, application errors, infrastructure health, backup execution, and security-relevant events.

Vulnerability management is risk-based and may use:

  • automated security scans;
  • continuous dependency and malicious-library monitoring;
  • vendor advisories;
  • public vulnerability information;
  • reports from customers, employees, contractors, or security researchers;
  • regular independent external security audits and penetration tests.

Security findings are triaged based on severity, exploitability, affected systems, and customer impact. Critical issues affecting production systems or customer data are handled with rapid mitigation processes, including patching, configuration changes, dependency updates, credential rotation, or temporary compensating controls where appropriate.

Recent external security audit or penetration test results can be provided to eligible customers on request under appropriate confidentiality terms.

Incident Response

Mategra GmbH maintains a documented incident response process for security and operational incidents affecting Testiny.

The process covers:

  • identification and severity assessment;
  • containment and mitigation;
  • technical investigation;
  • remediation and recovery;
  • validation before returning affected systems to normal operation;
  • customer communication where appropriate;
  • post-incident review and corrective actions.

If an incident may involve personal data, Mategra GmbH assesses notification obligations under GDPR, Austrian law, customer agreements, and applicable data processing terms. Where legally or contractually required, affected customers and authorities are notified without undue delay.

If you discover a vulnerability or security issue affecting Testiny, please report it through the security reporting channel linked on the Testiny data security page.

Business Continuity and Disaster Recovery

Testiny maintains documented business continuity and disaster recovery practices to support service resilience.

These practices include:

  • regular backups;
  • restore testing;
  • monitoring and alerting;
  • infrastructure and application recovery procedures;
  • continuity planning for critical third-party providers;
  • customer communication processes for relevant incidents;
  • post-incident or post-test improvement actions.

The detailed disaster recovery plan, recovery procedures, internal escalation paths, and operational recovery targets are not published publicly. They may be discussed with eligible customers as part of a structured vendor review.

Privacy and GDPR

Mategra GmbH is based in Austria and processes data in line with GDPR, Austrian data protection law, applicable customer agreements, and applicable data processing terms. Testiny customer data is stored in the European Union and does not leave the EU in normal Testiny Cloud operations.

Testiny follows a minimum-data approach and is intended for software testing workflows such as test cases, test runs, test results, comments, attachments, reports, and related project information. Customers control the content they enter into Testiny and should avoid storing unnecessary production data, sensitive personal data, secrets, or credentials in test management content.

For details about personal data processing, please see the Testiny privacy policy and the Testiny Data Processing Agreement.

Customer Responsibilities

Customers remain responsible for how they configure and use Testiny within their organization.

Important customer responsibilities include:

  • assigning appropriate roles and permissions;
  • enabling MFA or SSO policies where required by internal security rules;
  • protecting API keys and integration credentials;
  • reviewing user access periodically;
  • avoiding unnecessary production data, sensitive personal data, secrets, credentials, or confidential information in test cases, comments, attachments, or automated test results;
  • for Testiny Server, operating and securing the underlying infrastructure, network, backups, and monitoring.
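The last item but one in the list above is the one customers most often get wrong in practice: credentials pasted into test steps or automated result output. As an added example (not Testiny's code and not a Testiny feature), the following Python check scans constructed test records for credential-shaped strings before they would be pushed into a test management tool, and skips masked or templated placeholders so it does not block every `password=********`. The record shape (`id`, `title`, `steps`, `output`), the pattern set and the sample data are assumptions for this example; the AWS key in the sample is AWS's published documentation example, not a real credential.

```python
"""Pre-upload secret scan for test management content.

Added example for this page, not part of Testiny. The record fields,
the pattern set and the sample records are assumptions.
"""
import re

# Credential shapes worth catching before upload (assumed set; extend per organization).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    # key=value or key: value with a credential-like key name; group 1 is the value
    "generic_assignment": re.compile(
        r"(?i)\b(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]?([^\s'\"]{8,})"
    ),
}

# Values that are clearly masks or templates rather than real secrets.
PLACEHOLDER = re.compile(r"^(?:\*+|x+|<[^>]+>|\$\{[^}]+\}|\{\{[^}]+\}\})$", re.IGNORECASE)


def redact(value: str) -> str:
    """Keep only a short prefix so the finding itself does not leak the secret."""
    return f"{value[:4]}...({len(value)} chars)"


def scan_text(text: str) -> list[dict]:
    """Return one finding per credential-shaped match in a single string."""
    findings = []
    for kind, pattern in SECRET_PATTERNS.items():
        for match in pattern.finditer(text):
            value = match.group(1) if match.groups() else match.group(0)
            if PLACEHOLDER.match(value):
                continue  # masked or templated value, not a real secret
            findings.append({"kind": kind, "preview": redact(value)})
    return findings


def scan_record(record: dict) -> list[dict]:
    """Scan every string field of one test item and tag findings with the field name."""
    findings = []
    for field, value in record.items():
        if isinstance(value, str):
            findings.extend({"field": field, **f} for f in scan_text(value))
    return findings


def safe_to_upload(record: dict) -> bool:
    """True when the record carries nothing credential-shaped."""
    return not scan_record(record)


def triage(records: list[dict]) -> dict[str, list[dict]]:
    """Map record id to its findings, for records that need cleaning before upload."""
    result = {}
    for record in records:
        findings = scan_record(record)
        if findings:
            result[record["id"]] = findings
    return result


# Constructed sample test results (assumed shape). Record 2 uses AWS's documented
# example key id; record 3 shows placeholders that must not be flagged.
SAMPLE_RESULTS = [
    {"id": "constructed-1", "title": "Login with valid credentials",
     "steps": "1. Open login page\n2. Enter user qa-bot\n3. Submit", "output": "PASS in 1.2s"},
    {"id": "constructed-2", "title": "Deploy to staging",
     "steps": "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\naws s3 sync ./build s3://bucket",
     "output": "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0In0.abcdefghijklmnop"},
    {"id": "constructed-3", "title": "Config validation",
     "steps": "Set password=******** and api_key=${API_KEY} in .env", "output": "PASS"},
    {"id": "constructed-4", "title": "CI integration",
     "steps": "curl -H 'X-Api-Key: 4d5e6f7a8b9c0d1e2f' https://ci.example/run", "output": "PASS"},
]

if __name__ == "__main__":
    for rec_id, findings in triage(SAMPLE_RESULTS).items():
        for f in findings:
            print(f"{rec_id}: {f['kind']} in '{f['field']}' -> {f['preview']}")
```

Run the check in the CI step that pushes automated results, and fail the upload when `triage` returns anything; the redacted preview is enough for the engineer to locate the offending field without the finding itself becoming a second copy of the secret.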

Third-Party Providers

Testiny uses selected third-party providers where necessary to operate, secure, support, or improve the service. Providers are assessed based on risk and purpose, including the type of data processed, processing location, availability relevance, contractual safeguards, data protection terms, published security measures, certifications, subprocessors, and incident notification commitments.

Where required by GDPR or contract, appropriate data processing terms or an equivalent legal basis are used.

A current subprocessor list is available to eligible customers on request.

Contractual terms for using Testiny are available in the Testiny Terms of Use.

Vendor Reviews and Security Documentation

Security questionnaires and vendor reviews are common for enterprise software. Testiny can provide additional security and compliance information to eligible customers, including selected internal policy summaries or evidence where appropriate.

Depending on the request and plan, available materials may include:

  • security overview and technical and organizational measures;
  • Data Processing Agreement and data processing information;
  • subprocessor list and subprocessor information;
  • recent external security audit results;
  • incident response, business continuity, and disaster recovery summaries;
  • SLA information where applicable.

Some documents are provided only under appropriate confidentiality terms because publishing detailed operational procedures would reduce security.

For security, privacy, compliance, or vendor review questions, please contact Testiny support.

Frequently Asked Questions

Where is Testiny Cloud hosted?

Testiny Cloud is hosted with Hetzner in Germany. Hetzner’s data center operations are certified in accordance with DIN ISO/IEC 27001. See Hetzner’s certification overview and ISO certificate PDF for details.

Is Testiny GDPR compliant?

Mategra GmbH processes data in line with GDPR, Austrian data protection law, applicable customer agreements, and applicable data processing terms. Testiny customer data is stored in the European Union and is not transferred outside the EU by Testiny Cloud.

Does Testiny hold its own security certification?

Mategra GmbH does not currently publish its own security certification for Testiny. Testiny Cloud is hosted with Hetzner, whose data center operations are certified in accordance with DIN ISO/IEC 27001. Testiny also maintains internal security policies, operational controls, and independent external security audits and penetration tests.

Is Testiny available for self-hosted or on-premises use?

Yes. Testiny Server is available for customers that want to deploy Testiny in their own infrastructure. In that deployment model, the customer is responsible for the underlying infrastructure, network security, backups, monitoring, and operational continuity.

Can customers export their data?

Yes. Customers can export test cases and test runs to Excel or CSV, export audit logs as JSON, and use the REST API for programmatic exports and integrations.

How is customer data separated?

Each Testiny customer organization uses an isolated database.

Does Testiny support SSO and MFA?

Yes. Testiny supports MFA for user accounts and SSO for Business and Enterprise customers. Administrators can also configure organization-level security policies.

Does Testiny provide audit logs?

Yes. Testiny provides audit logs for security-relevant administrative activity and detailed history for changes to test management entities.

Can we receive security audit results?

Recent independent external security audit results may be provided to eligible customers on request under appropriate confidentiality terms.

Does Testiny offer an SLA?

Paid plans may include service-level and support commitments depending on the plan and agreement. Enterprise SLA information is available on request.

Request Additional Information

For additional security documentation, compliance information, or vendor-review materials, please contact Testiny.