Security
Built for teams that take
security seriously.
Your test data stays scoped to your QAI organisation and workspace. This page answers the questions your IT and security team will ask during the private pilot.
🏠
Deployment
Hosted private pilot
🔑
Token access
Read-focused access
📡
Outbound traffic
Configured CI/CD provider APIs
📊
Telemetry
No product analytics in pilot
🗄️
Database
Managed application database
📋
Data model
Database-backed workspace data
🗄️ Data Storage & Privacy
Where is our test data stored?
In the hosted private pilot, QAI stores application data in a managed application database
used by the QAI service. For enterprise or self-hosted deployments, storage can be configured
for the customer's approved environment.
What data does QAI store?
QAI stores: test run records (test name, suite name, status, duration,
failure message, timestamp), computed scores (stability, risk, confidence,
trend), connection credentials used for read access, and
user accounts (name, email, and password authentication metadata). QAI does not
require source code access for scoring, and the pilot is focused on test execution data.
Is data encrypted at rest?
The hosted pilot uses the storage protections provided by the deployment platform and managed
database. Passwords are stored as hashes, and source connection credentials are treated as
sensitive application secrets. For enterprise deployments, encryption and credential handling
should be reviewed against the customer's internal security requirements.
Is data encrypted in transit?
The hosted pilot is served over HTTPS. Communication between QAI and supported CI/CD providers
uses HTTPS API calls.
Does QAI send any data to LUDU or external servers?
During the hosted private pilot, your QAI workspace is hosted by LUDU QAI and stores the
data needed to operate the product. QAI does not send product analytics to a separate
tracking service. The main outbound traffic from the application is the API calls QAI makes
to your configured CI/CD provider to fetch test run data during sync.
Can QAI support enterprise deployment requirements?
For the private pilot, QAI is hosted by LUDU QAI. Enterprise or self-hosted deployment
requests can be reviewed separately based on the customer's network, security, and CI/CD
setup. Cloud-hosted CI/CD providers require outbound HTTPS access to their APIs.
🔑 Required Token Permissions
QAI is designed to use read-focused access for syncing pipeline and test result data. Below
are the typical permissions needed for the currently supported pilot platforms.
Azure DevOps (ADO)
Create a Personal Access Token (PAT) with the following read-focused scopes:
| Scope | Permission level | Used for |
| Build | Read | List pipelines, fetch pipeline run results |
| Test Management | Read | Fetch test run results and test case details |
| Project and Team | Read | List projects in the organisation (connect wizard) |
| Code | Not required | QAI does not read source code |
| Work Items | Not required | QAI does not read work items or boards |
For enterprise authentication requirements, OAuth and SSO options can be discussed during onboarding.
GitHub Actions
Create a fine-grained Personal Access Token or classic PAT with:
| Scope | Permission level | Used for |
| Actions | Read | List workflow runs and fetch job results |
| Checks | Read | Fetch check run status and annotations |
| Metadata | Read | Repository metadata (required by GitHub for all tokens) |
| Contents | Not required | QAI does not read repository files or code |
| Pull requests | Not required | QAI does not read pull request data |
GitLab CI
Create a Project Access Token or Personal Access Token with:
| Scope | Permission level | Used for |
| read_api | Read | Access pipeline and job data via GitLab API |
| read_repository | Not required | QAI does not read repository contents |
| write_repository | Not required | QAI does not need repository write access |
For self-hosted GitLab, the GitLab instance URL can be reviewed during onboarding.
📡 Network Requirements
What inbound ports does QAI need?
For the hosted private pilot, users access QAI through the approved HTTPS URL. For enterprise
or self-hosted deployments, inbound access should follow the customer's standard web
application and network controls.
What outbound connections does QAI make?
During a sync, QAI makes HTTPS API calls to the CI/CD provider configured by the customer,
such as Azure DevOps, GitHub, or GitLab. The pilot does not use third-party product analytics.
📋 Compliance & Certifications
Is QAI SOC 2 certified?
QAI is currently in an early access pilot and is not SOC 2 certified. We are a small
team and will pursue certifications as the product matures. If your organisation requires
SOC 2, please
contact us to discuss your requirements.
GDPR compliance
QAI is in an early access pilot. User account data is limited to the people approved or
invited into the platform. If you have specific privacy, retention, or regional hosting
requirements, please
contact us directly.
Security vulnerability reporting
🚧 Current Pilot Scope
Which platforms are enabled during the private pilot?
The private pilot currently focuses on Azure DevOps, GitHub Actions, and GitLab CI.
Other CI/CD connectors, enterprise SSO, advanced AI recommendations, exports, and deeper
release reporting are planned after pilot validation.