QAtalyst

Security & Privacy

Built so teams can trust project memory.

QAtalyst works with sensitive QA context: tickets, product notes, generated reports, bug handoffs, and integration settings. The beta security model is simple: validate access server-side, keep secrets masked, and make AI output reviewable before handoff.

Beta security posture: Project isolation checks active

Core Project Brain, saved report, bug collection, AI context, and TestRail sync paths are built around account-scoped access.

Plain-English summary

Security is part of the workflow, not a separate promise.

QAtalyst should help teams move faster without turning project memory, tokens, or AI handoff into a blind spot.

Be careful with

  • Do not show saved API tokens back in plaintext.
  • Do not trust browser-supplied context as source of truth.
  • Do not treat AI output as an automatic release decision.
  • Do not recommend pasting passwords or live credentials into notes.

QAtalyst is designed to

  • Validate ownership before reading saved project context.
  • Mask saved Jira and TestRail tokens in the UI.
  • Use review-first creation for Jira/TestRail handoff.
  • Block cross-user raw-ID access to private QA data.

What QAtalyst stores

Only the context needed to support your QA workflow.

Project-aware QA is useful because the product history follows the ticket. That context is scoped to the account that owns it.

  • Project profile, product notes, QA rules, terminology, risks, and Source Vault entries
  • Generated QA reports, bug collection items, and saved test coverage you choose to keep
  • Jira and TestRail connection settings needed for integrations
  • Account, session, credit ledger, and checkout records needed to operate the app

How project memory is protected

The browser is not the security boundary.

Saved context is read, injected, synced, and used from server-authorized data instead of trusting client-supplied text.

Account-scoped project memory

Project Brain, Source Vault, saved reports, bug collection items, and integration settings are tied to the signed-in account that created them.

Server-side context rebuilding

The browser can request a project, but QAtalyst rebuilds AI context on the server from data that the user is authorized to access.

Masked integration secrets

Jira and TestRail tokens are encrypted at rest and shown back only as masked values. Plaintext secrets are not returned after save.

Review-first AI workflows

Generated QA output is meant to be inspected before it is saved, copied, exported, synced, or created in Jira.
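
The account-scoped lookup, server-side context rebuilding, and masked secrets described above, sketched as an added example. This is not QAtalyst's code: the in-memory store, every function and field name, the sample data, and the mask format are assumptions made for illustration.

```python
from dataclasses import dataclass

class NotFound(Exception):
    """Raised for missing projects AND other accounts' projects, so raw IDs reveal nothing."""

@dataclass
class Project:
    id: int
    owner_id: int
    notes: str
    jira_token: str  # encryption at rest is out of scope for this sketch

# Constructed sample data: two accounts, one project each (hypothetical values).
PROJECTS = {
    101: Project(101, owner_id=1, notes="Checkout flow: retry on 502", jira_token="jira-SAMPLE-aaaa1111"),
    202: Project(202, owner_id=2, notes="Billing export: CSV quirks", jira_token="jira-SAMPLE-bbbb2222"),
}

def load_owned_project(session_user_id, project_id):
    """Single choke point: every read goes through the ownership check."""
    project = PROJECTS.get(project_id)
    if project is None or project.owner_id != session_user_id:
        raise NotFound(project_id)  # same error either way: no existence oracle
    return project

def mask_token(token):
    """Assumed mask format: fixed-width mask plus the last four characters."""
    return "********" + token[-4:] if len(token) > 8 else "********"

def build_ai_context(session_user_id, request_body):
    """Rebuild AI context from stored data; the browser only names the project."""
    try:
        project_id = int(request_body["project_id"])
    except (KeyError, TypeError, ValueError):
        raise NotFound("invalid project id")
    project = load_owned_project(session_user_id, project_id)
    # Any "context" field in request_body is deliberately ignored.
    return {"project_id": project.id, "notes": project.notes}

def integration_settings_view(session_user_id, project_id):
    """What the settings page gets back after save: masked value only."""
    project = load_owned_project(session_user_id, project_id)
    return {"jira_token": mask_token(project.jira_token)}
```

The session user ID must come from the authenticated server-side session, never from the request body.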

User controls

Manage the places where private QA data is created.

Use these controls to clean up beta test data, remove old context, or disconnect external tools.

Beta safety guidance

Use sanitized context when the stakes are high.

QAtalyst is built for QA planning context, not for storing live credentials or unnecessary sensitive customer data.

Current verification

Security regression checks are part of beta hardening.

The current checks focus on the highest-risk beta surfaces: saved project memory, report ownership, AI context injection, and integration handoff.

  • Cross-user project context access is covered by regression checks.
  • Saved reports, sources, bug items, and TestRail sync paths are ownership-scoped.
  • AI routes rebuild Project Brain context from authorized server-side data.
  • Saved Jira and TestRail secrets are masked and protected from plaintext redisplay.