Security

Yes. Feel free to request access to our trust center or contact us.

We work with a limited set of trusted third-party service providers to help us provide, improve, and secure our services:

Yes, we provide mechanisms for permanent data deletion, as governed by our Terms.

We appreciate the work of security researchers and take all reports seriously. Security vulnerabilities can be reported confidentially to security [at] heal.dev..

We follow responsible disclosure practices and will:

• Acknowledge receipt of your report within 24 hours
• Provide an initial assessment within 72 hours
• Work diligently to verify and address valid vulnerabilities
• Keep you informed of our progress

We do not have a compensated bug bounty program yet (stay tuned!). For now, we're very happy to celebrate researchers who submit security findings publicly on social media.

Researchers may report vulnerabilities using the following channels:

• Email: security [at] heal.dev
• PGP key: available upon request for encrypted communication

• For our multi-tenant offering, row-level security enforces hard multitenancy.
• For our single-tenant offering, each customer has their own cluster, database, and (upon request) single-tenant LLM deployment.

We store only the artifacts required to generate, execute, and debug tests — test steps, test variables,logs, screenshots, and (optionally) API keys or seeded credentials.

• At rest: Data lives in our cloud provider’s encrypted block storage (AES-256), with AWS/GCP managed keys.
• In transit: All traffic flows over TLS 1.2/1.3 with modern cipher suites.

Testing is automated with Heal!

We also run exploratory QA on all new features to inform what Heal should automate!

Yes, we conduct regular external security audits and assessments to ensure the security and integrity of our platform. Our security program includes:

• Annual penetration testing by independent third-party security firms
• Quarterly vulnerability assessments
• Continuous automated security scanning
• Regular code reviews with security focus

Summary reports of our security audits are available to enterprise customers under NDA.

Heal.dev is SOC2 type 1, and currently in the observation window for type 2.

Additional details can be found on our trust center.

Yes, for enterprise customers with specific compliance or security requirements, we offer single-tenant deployment option, including single-tenant LLM services. This provides dedicated AI resources that are isolated from other customers' environments. Please contact our sales team to discuss your specific requirements and available options for single-tenant LLM solutions.

Contact support [at] heal.dev if you need Single Sign-On via Security Assertion Markup Language (SAML) or other enterprise-grade authentication controls for your organization.

Heal.dev does not access customer source code. It uses a browser to interacty with your app just as a user would. The only data Heal sees is what the browser sees.

• When explicitly requested by the customer for troubleshooting or support
• When necessary to address critical security vulnerabilities3
• As required to fulfill specific contracted services

Any access to customer source code is:

• Limited to the minimum necessary for the specific purpose
• Conducted only by authorized personnel
• Subject to strict access controls and logging
• Handled in accordance with our confidentiality obligations

Customers maintain full ownership and control of their source code at all times.