Trust

Security & Trust

Certyn is designed to make browser-based QA automation inspectable. We run real browser sessions, preserve evidence, and describe the system in concrete terms rather than black-box claims.

Last updated: March 26, 2026

Execution Model

Certyn launches browser sessions in isolated containerized environments. Each session has its own runtime, browser context, and evidence stream so you can review what happened during a run.

real browser execution, not synthetic replay
session-level isolation between runs
live observation through watchable browser sessions
artifacts tied to a specific execution for auditability

Isolation and Session Boundaries

Sessions are intended to be isolated from each other. Product documentation and current implementation are aligned around the expectation that runs do not share cookies, browser storage, or filesystem state across sessions.

What This Means

Certyn is built so one run does not inherit another run's browser state by default. This supports safer debugging, clearer evidence, and lower cross-session leakage risk.

Evidence and Recordings

Certyn is built around replayable evidence. Depending on the run and enabled features, Certyn may capture:

screenshots
browser console logs
browser network events
conversation archives and technical reports
optional full-session video

These artifacts can contain application content, internal data, or personal data visible during the run. Use appropriate test environments and access controls accordingly.

Test Access Data Handling

Certyn may use customer-supplied shared test login details, tokens, API keys, or other test access values so an agent can access authenticated parts of an application during testing. Those values may be provided at runtime or saved as restricted environment data by the customer.

Certyn treats those paths as restricted operational test data, but this page intentionally avoids claiming universal encryption at rest for every storage path in every deployment. Customers should use shared test accounts, scoped test access, and least-privilege permissions where possible.

Retention and Deletion

Certyn's standard retention target for execution artifacts is 30 days unless a different period applies by contract, workspace configuration, or legal requirement. Account, billing, and support records may be retained longer where necessary.

Vendors and Monitoring

Certyn relies on Azure infrastructure, Auth0 authentication, Anthropic inference, Stripe billing, PostHog analytics, and Sentry monitoring. Current production subprocessors are listed on the Subprocessors page.

Contact

Security review requests, DPA requests, and trust questions can be sent to security@certyn.io or legal@certyn.io.