Security and data protection built into every workflow.
AxonQA is designed to protect your projects, requirements, test cases, automation code, screenshots, reports, API data, and AI-assisted workflows.
Trust principles
The principles behind the platform.
Clear commitments, applied consistently across test creation, automation, API testing, and every AI-assisted workflow.
Data ownership
Your projects, tests, automation code, and artifacts remain your data. They are never sold and never used to train AI models.
Task-based AI
Every AI feature sends only the context needed for the selected task, nothing more.
Data minimisation and secret scrubbing
Secrets and PII are stripped from content before any AI call leaves the platform.
Encrypted credentials
Integration tokens and test credentials are encrypted at rest with AES-256-GCM.
Encryption in transit
All traffic between your browser, the platform, and your integrations is protected with TLS.
Protected artifacts
Screenshots and videos are tenant-isolated and served only through short-lived signed URLs after an authorisation check.
Access controls
Organisation-scoped data isolation keeps tenants separated, with role-based access controls inside each organisation.
Audit trails
Assistant actions, MCP tool calls, and API-testing security events such as production-run confirmations and secret access are all logged.
Local agent for private apps
The local agent is outbound-only, pairs with one-time codes, and stores device keys hashed. No inbound ports are ever opened.
Session protection
Short-lived sessions, sign-out-everywhere revocation, and verified email sign-up protect every account.
Protected access
Every artifact passes an access check.
Screenshots, videos, and traces are never public. Each request is checked against your organisation and role, then served through a short-lived signed link scoped to a single run, so access cannot be shared or replayed later.
- Tenant isolationData is scoped to your organisation, and any request that reaches across a boundary is refused.
- Authorisation on every requestAccess to a run and its artifacts is checked against your role before anything is served.
- Short-lived signed linksArtifact URLs expire quickly and cannot be reused or shared to grant standing access.
Artifact requested
Run #4821 · checkout screenshot
Authorisation check
Organisation and role verified
Signed link issued
Scoped to this run only
Access granted for this run only.
Our approach
How we think about your data.
Four commitments that shape how AxonQA is built and operated.
Your data remains yours
Your requirements, test cases, automation code, run results, and artifacts belong to you. We never sell your data, and we never use it to train AI models. It exists to serve your team and no one else.
AI with controlled context
AI features work on a task basis. Failure analysis, for example, uses the failed step and the context relevant to it, not your whole workspace. Secrets and PII are scrubbed before content reaches any model, and AI usage is metered per plan so consumption stays visible.
Private app support
Applications on private networks stay private. The AxonQA local agent runs inside your environment and connects outbound only, so there are no inbound ports to open and no public exposure. Pairing uses one-time codes, and device keys are stored hashed.
Human control
AI accelerates the work while people stay in charge. Generated tests, healing fixes, and risky assistant actions are reviewable, the assistant asks a clarifying question instead of guessing, and destructive actions always require your explicit confirmation.
Security FAQ
Common questions, answered directly.
Straight answers about how AxonQA handles your data, your applications, and AI.
Questions about security?
We are happy to walk your team through how AxonQA protects your data, and to share our security documents.