Read through our security policies for testing sessions, Local Testing, application security and privacy.
Remote testing session
Remote sessions establish a connection between your computer and the BrowserStack cloud, thus allowing you to test your website on secure virtual machines and physical mobile devices. Each virtual machine is a fresh instance, restored to its original settings, guaranteeing not only a tamper-proof environment, but also a consistent baseline for test scenarios. Read more about our virtual machine security policies here. Similarly, each physical device is restored to its factory settings after each testing session. Read detailed security policies regarding the physical mobile devices and tablets on the cloud here.
To make testing as easy as possible, we use VNC protocol to transfer the data from your machine to the server. This data is encrypted, so as not to be accessible whilst in transit. Also, there is no additional setup required on the client end, since all the transactions take place from within the browser itself.
In the event that you are testing from behind a firewall, BrowserStack does not require any special rules to operate successfully. We use HTTPS and WSS, both of which are standard web protocols, allowed universally by firewalls. Therefore, your existing security is left altogether intact.
Local Testing enables you to test local folders and internal servers. We use custom-designed Chrome and Firefox extensions, with WSS (secure WebSockets) to connect your machine to the cloud. WebSockets allows extensive interaction between the client browser and the servers and devices. To protect the privacy of transferred data during the testing session, we use WSS exclusively. WSS uses SSL over port 443 for transport and therefore only transmits encrypted data.
When testing an private server, we forge a connection between the server you have specified, and our virtual machines or physical devices. The mechanism is set up to forward requests and responses back and forth, and nothing else. Similarly for local folder testing, the BrowserStack cloud only has access to the folder mentioned during the setup of the connection. Our infrastructure cannot access anything else on your filesystem.
Virtual machines privacy and security
Each time a new testing session is created, the BrowserStack cloud assigns the user a pristine virtual machine. Our machines are restored to their original states, which means they are stripped of their registry contents, caches are erased, cookies are deleted, and all running processes are killed. Additionally, users do not have the privileges to install any programs on the machines. Therefore, after the restoration process is complete, the virtual machines are guaranteed to be tamper-proof. The advantage is that each time a test is run, the default settings are restored, thus providing an ideal test scenario.
Once the restoration process is complete, the virtual machine is then put through a series of validation checks, as a fail-safe mechanism. In the rare case that the virtual machine fails even a single check, it is taken off the infrastructure altogether. The machines themselves are in a secure network, and behind strong firewalls to present the safest environment possible.
At any given time, you have sole access to a virtual machine. Your testing session cannot be seen or accessed by other users, including BrowserStack administrators. Once you release a virtual machine, it is taken off the grid, and restored to its initial settings. All your data is destroyed in this process.
Physical mobile device security
BrowserStack only uses unboxed mobile devices and tablets within its cloud infrastructure. Each device is brand new, and not been used before, thus guaranteeing a testing session on devices with factory settings.
Moreover, after each test session is complete, the devices are restored to their original settings, obliterating the smallest remnants of data from the device.
The physical devices are stored in locations with top-rate security policies and procedures, with stringent access controls. Only authorized personnel are allowed to handle the devices at all, and that too for routine tasks such as maintenance and upkeep.
Secure testing and TSP adherence with HTTPS and SOC 2
To ensure that users run their tests more securely, we have implemented HTTPS by default. This means that every time you communicate with BrowserStack, you will be redirected through a secure connection using HTTPS. It uses a Transport Layer Security (TLS), formerly known as Secure Sockets Layer (SSL), and makes the communication between your browser and BrowserStack servers more secure.
BrowserStack has achieved Service Organisation Control (SOC) 2 Report compliance certification to comply with the Trust Service Principles (TSP) that covers the important non-financial reporting controls like security, availability, processing integrity, and confidentiality or privacy of a system.
Our restoration mechanisms for remote mobile and desktop browsers is stringent and extremely thorough, ensuring that even the smallest scrap of browsing data is erased. This list includes user installed apps, the temporary cache of files, the browsing history, any cookies generated during the testing session, passwords and other form data, testing logs, and all downloads. We guarantee to our users that we do not have any mechanism to view or store their browsing data. All data is wiped out as soon as the session ends.
Secure hosting for virtual machines and physical devices
BrowserStack partners with only with the best hosting providers across the globe, and our machines and devices are located in secure locations in the US, Europe, Singapore, and Australia. Our selection process is exacting, focussing on excellent service records and established security policies.
Each service provider has implemented security with the view to protect all those using their cloud. Many have had their security policies independently audited from an external authority, and have been certified under major compliance regulators. One of our providers is AWS, and you can read more about their security here.
We ensure that the BrowserStack infrastructure is protected from ground up. Starting from physical security, we constantly improve security policies as the threat landscape changes. Our priority is to protect the integrity of your data, and guard against any service interruptions.
Secure storage of BrowserStack credentials
Your account information: username, logins, password, access keys, and account details, are stored in an encrypted format on our systems. We use SSL to transmit information back and forth from our servers. BrowserStack cannot view any of your credentials, so much so that if you lose your password, it must go through the reset procedure for your account to be accessible again.
Access control systems
Our sophisticated Identity Access Management systems log every entry into the cloud infrastructure. BrowserStack has limited access to client instances, therefore ensuring a completely secure testing environment.
In addition to these mechanisms, we provide a role-based administration system for the user accounts as well. There are 3 roles: owner, admin, and user; each with different permissions. The administrators of the account (owner and other admins) can control user activity at will, even to the extent of prohibiting team members from accessing products.
Usage logs and test history
All BrowserStack products generate usage logs, which are used for analytical purposes. These usage logs do not contain any personal data about the user nor any browsing data generating during tests.
Screenshots and Automate both generate test history, in the form of screenshots and log data respectively. In Automate, log data is created during the test sessions and subsequently displayed on the user's dashboard. Screenshots saves earlier test session results for easy retrieval. Test history is stored in a secure database on our cloud. The access mechanism is highly encrypted, and is therefore only accessible to you, via your BrowserStack account.