Security

Built for teams that take
security seriously.

Your test data stays scoped to your QAI organisation and workspace. This page answers the questions your IT and security team will ask during the private pilot.

🏠
Deployment
Hosted private pilot
🔑
Token access
Read-focused access
📡
Outbound traffic
Configured CI/CD provider APIs
📊
Telemetry
No product analytics in pilot
🗄️
Database
Managed application database
📋
Data model
Database-backed workspace data
🗄️ Data Storage & Privacy
Where is our test data stored?
In the hosted private pilot, QAI stores application data in a managed application database used by the QAI service. For enterprise or self-hosted deployments, storage can be configured for the customer's approved environment.
What data does QAI store?
QAI stores: test run records (test name, suite name, status, duration, failure message, timestamp), computed scores (stability, risk, confidence, trend), connection credentials used for read access, and user accounts (name, email, and password authentication metadata). QAI does not require source code access for scoring, and the pilot is focused on test execution data.
Is data encrypted at rest?
The hosted pilot uses the storage protections provided by the deployment platform and managed database. Passwords are stored as hashes, and source connection credentials are treated as sensitive application secrets. For enterprise deployments, encryption and credential handling should be reviewed against the customer's internal security requirements.
Is data encrypted in transit?
The hosted pilot is served over HTTPS. Communication between QAI and supported CI/CD providers uses HTTPS API calls.
Does QAI send any data to LUDU or external servers?
During the hosted private pilot, your QAI workspace is hosted by LUDU QAI and stores the data needed to operate the product. QAI does not send product analytics to a separate tracking service. The main outbound traffic from the application is the API calls QAI makes to your configured CI/CD provider to fetch test run data during sync.
Can QAI support enterprise deployment requirements?
For the private pilot, QAI is hosted by LUDU QAI. Enterprise or self-hosted deployment requests can be reviewed separately based on the customer's network, security, and CI/CD setup. Cloud-hosted CI/CD providers require outbound HTTPS access to their APIs.
🔑 Required Token Permissions

QAI is designed to use read-focused access for syncing pipeline and test result data. Below are the typical permissions needed for the currently supported pilot platforms.

Azure DevOps (ADO)
Create a Personal Access Token (PAT) with the following read-focused scopes:
ScopePermission levelUsed for
BuildReadList pipelines, fetch pipeline run results
Test ManagementReadFetch test run results and test case details
Project and TeamReadList projects in the organisation (connect wizard)
CodeNot requiredQAI does not read source code
Work ItemsNot requiredQAI does not read work items or boards
For enterprise authentication requirements, OAuth and SSO options can be discussed during onboarding.
GitHub Actions
Create a fine-grained Personal Access Token or classic PAT with:
ScopePermission levelUsed for
ActionsReadList workflow runs and fetch job results
ChecksReadFetch check run status and annotations
MetadataReadRepository metadata (required by GitHub for all tokens)
ContentsNot requiredQAI does not read repository files or code
Pull requestsNot requiredQAI does not read pull request data
GitLab CI
Create a Project Access Token or Personal Access Token with:
ScopePermission levelUsed for
read_apiReadAccess pipeline and job data via GitLab API
read_repositoryNot requiredQAI does not read repository contents
write_repositoryNot requiredQAI does not need repository write access
For self-hosted GitLab, the GitLab instance URL can be reviewed during onboarding.
📡 Network Requirements
What inbound ports does QAI need?
For the hosted private pilot, users access QAI through the approved HTTPS URL. For enterprise or self-hosted deployments, inbound access should follow the customer's standard web application and network controls.
What outbound connections does QAI make?
During a sync, QAI makes HTTPS API calls to the CI/CD provider configured by the customer, such as Azure DevOps, GitHub, or GitLab. The pilot does not use third-party product analytics.
📋 Compliance & Certifications
Is QAI SOC 2 certified?
QAI is currently in an early access pilot and is not SOC 2 certified. We are a small team and will pursue certifications as the product matures. If your organisation requires SOC 2, please contact us to discuss your requirements.
GDPR compliance
QAI is in an early access pilot. User account data is limited to the people approved or invited into the platform. If you have specific privacy, retention, or regional hosting requirements, please contact us directly.
Security vulnerability reporting
Report security issues to subashludu@gmail.com. Please do not post security issues publicly.
🚧 Current Pilot Scope
Which platforms are enabled during the private pilot?
The private pilot currently focuses on Azure DevOps, GitHub Actions, and GitLab CI. Other CI/CD connectors, enterprise SSO, advanced AI recommendations, exports, and deeper release reporting are planned after pilot validation.

Evaluating QAI?

Request private pilot access or contact us to discuss your data, network, and deployment requirements.

Request pilot access → Contact us