Security

Security is important to us, even as a free tool. This document outlines our security practices and data handling.

Quick Links

Data Handling

What data we collect, how we store it, and retention policies.

Compliance

Our security practices and current compliance status.

Security Overview

Data We Collect

Spekra collects only the data necessary to provide test observability:

Data Type	Purpose	Retention
Test results	Track pass/fail/flaky status	30 days
Test metadata	File paths, suite names, tags	30 days
Error messages	Debug test failures	30 days
Playwright traces	Debug failures with full context	30 days
Git metadata	Branch, commit, author	30 days
CI metadata	Job URLs, workflow names	30 days

Data We Do NOT Collect

Source code or test code content
Environment variables or secrets
Personal user data beyond authentication

Minimal data collection

We only collect what's necessary to provide the service.

Infrastructure

Hosting

Web app: Hosted on Vercel
Database: Supabase (PostgreSQL)
Storage: Supabase Storage for trace files
All data encrypted in transit (TLS)

Database Security

Row-level security (RLS) policies
No direct database access from internet
Parameterized queries (no SQL injection)

Access Control

Role-based access within organizations
API keys scoped to single organization
API keys hashed, never stored in plain text

API Security

Authentication

All API requests require an API key:

x-api-key: sk_your_api_key_here

API keys are:

Scoped to a single organization
Revocable at any time
Never stored in plain text

Rate Limiting

Basic rate limiting is in place to prevent abuse.

Development Practices

Input validation on all endpoints
Output encoding to prevent XSS
Dependency updates via Dependabot
No secrets in code or logs

Reporting Security Issues

If you discover a security vulnerability:

Do not disclose it publicly
Open a private security advisory on GitHub
We'll review and respond as quickly as possible

Next Steps

Data Handling - Detailed data policies
Compliance - Current compliance status
API Keys - Key management

Security Overview

Data We Collect

Spekra collects only the data necessary to provide test observability:

Data Type	Purpose	Retention
Test results	Track pass/fail/flaky status	30 days
Test metadata	File paths, suite names, tags	30 days
Error messages	Debug test failures	30 days
Playwright traces	Debug failures with full context	30 days
Git metadata	Branch, commit, author	30 days
CI metadata	Job URLs, workflow names	30 days

Data We Do NOT Collect

Source code or test code content

Environment variables or secrets

Personal user data beyond authentication

Minimal data collection

We only collect what's necessary to provide the service.

Infrastructure

Hosting

Web app: Hosted on Vercel

Database: Supabase (PostgreSQL)

Storage: Supabase Storage for trace files

All data encrypted in transit (TLS)

Database Security

Row-level security (RLS) policies

No direct database access from internet

Parameterized queries (no SQL injection)

Access Control

Role-based access within organizations

API keys scoped to single organization

API keys hashed, never stored in plain text