Security
Built for procurement, not around it
Total Shift Left was designed for regulated enterprises that can't ship API specs to OpenAI. This page documents what we ship today, what we're transparent about not yet shipping, and how to get the security questionnaire response your team needs.
Where your data lives
Two deployment shapes — self-hosted on your infrastructure, or multi-tenant SaaS managed by us. Both shapes treat your API specifications, credentials, and test traffic as sensitive by default.
| Data class | Self-hosted deployment | Multi-tenant SaaS |
|---|---|---|
| API specifications (OpenAPI / Swagger / WSDL) | Stays on your infrastructure | Stored in tenant-isolated MongoDB |
| AI prompts and generated tests | Sent only to the LLM endpoint you configure (Ollama / vLLM / LM Studio) | Sent to the LLM provider you select (BYO API key) |
| API credentials, tokens, secrets | AES-256-CBC encrypted at rest in your database | AES-256-CBC encrypted at rest, tenant-isolated |
| Test execution traffic (HTTP requests to your APIs) | Originates from your runner; never leaves your network | Originates from cloud runner; egress to your published API endpoints only |
| Audit logs | Stored in your database; configurable retention on roadmap | Stored per-tenant; export available via API |
For deployment topology and runtime requirements, see the deployment page.
Identity, access, and audit
Role-based access control
Five built-in roles cover the typical enterprise testing org: Administrator, Contributor, Reviewer, Reader, and Environment Manager. Roles map to project assignments and govern who can author tests, approve API spec changes, run executions, and view results.
Authentication
Local authentication issues JWT tokens; API credentials are stored AES-256-CBC encrypted at rest, as in the data table above; users are onboarded through email invitations. Token expiry, role-based scoping, rate limiting, and CORS controls protect the public REST API.
Single sign-on
Azure AD / Entra ID, generic OIDC (Okta, Google Workspace), and SAML 2.0 are on the near-term roadmap, with auto-provisioning and group-to-role mapping. See the SSO row on the pricing comparison for current status. Enterprise customers can integrate via professional services in the interim.
Audit & observability
Audit logs capture every meaningful action together with the acting user's role, and are exposed through a filterable viewer with statistics and export. Real-time logs and a system health dashboard surface platform metrics. Configurable retention is on the roadmap; activity feeds are scheduled to ship alongside.
AI governance: your specs, your LLM, your call
The single biggest reason regulated buyers move off cloud-only API testing tools: the AI features require shipping API specifications to a third-party LLM. We treat that as a configuration choice, never a default.
BYO LLM key
Cloud LLM access is always bring-your-own-key. We never broker credentials to OpenAI, Anthropic, Azure OpenAI, Gemini, or any of the 13+ supported providers. Your key, your usage, your invoice.
Self-hosted inference (Enterprise)
Run AI test and mock generation against an Ollama, vLLM, or LM Studio endpoint inside your perimeter — or any OpenAI-compatible URL you control. API specifications, prompts, and generated tests are sent only to the endpoint you configure.
Spec change approval
When an upstream API spec changes, the platform flags affected tests and routes the change through an explicit review and approval flow before regenerating tests. Schema drift is surfaced, not silently absorbed.
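The approval gate above is easier to reason about with a concrete drift detector in front of you. The following is an added example written for this page, not Total Shift Left's own code: it flattens two OpenAPI fragments into operations, classifies removed operations and breaking request-schema changes (new required fields, dropped properties, type changes), maps them onto the tests that exercise those operations, and refuses to emit a regeneration list until a reviewer is recorded. The spec fragments, the `TESTS` mapping and the change taxonomy are constructed for illustration; a real product would read both from its database.

```python
"""Detect OpenAPI request-schema drift and gate test regeneration behind review.

Added example for this page, not the product's code. OLD_SPEC, NEW_SPEC and
TESTS are constructed inline so the script runs offline.
"""
from __future__ import annotations
from typing import Any

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options"}

# Constructed sample: v1 of a small API and a v2 that (a) makes "tenant" a
# required field on POST /users, (b) removes DELETE /users/{id}, (c) adds GET /health.
OLD_SPEC = {"paths": {
    "/users": {
        "get": {},
        "post": {"requestBody": {"content": {"application/json": {"schema": {
            "type": "object", "required": ["email"],
            "properties": {"email": {"type": "string"}, "name": {"type": "string"}}}}}}}},
    "/users/{id}": {"get": {}, "delete": {}},
}}
NEW_SPEC = {"paths": {
    "/users": {
        "get": {},
        "post": {"requestBody": {"content": {"application/json": {"schema": {
            "type": "object", "required": ["email", "tenant"],
            "properties": {"email": {"type": "string"}, "name": {"type": "string"},
                           "tenant": {"type": "string"}}}}}}}},
    "/users/{id}": {"get": {}},
    "/health": {"get": {}},
}}
# Constructed: which operations each generated test exercises.
TESTS = [
    {"id": "t1", "operations": [("GET", "/users")]},
    {"id": "t2", "operations": [("POST", "/users")]},
    {"id": "t3", "operations": [("GET", "/users/{id}"), ("DELETE", "/users/{id}")]},
]


def operations(spec: dict[str, Any]) -> dict[tuple[str, str], dict[str, Any]]:
    """Flatten spec['paths'] into {(METHOD, path): operation object}."""
    ops: dict[tuple[str, str], dict[str, Any]] = {}
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() in HTTP_METHODS:
                ops[(method.upper(), path)] = op or {}
    return ops


def request_schema(op: dict[str, Any]) -> dict[str, Any]:
    """Return the JSON request body schema, or {} when the operation has none."""
    return (op.get("requestBody", {}).get("content", {})
              .get("application/json", {}).get("schema", {}))


def schema_changes(old: dict[str, Any], new: dict[str, Any]) -> list[str]:
    """Heuristics for changes that invalidate tests generated from the old shape.

    Adding an optional property is deliberately NOT flagged; a field becoming
    required, a property disappearing, or a type change is.
    """
    changes = [f"required field added: {f}"
               for f in set(new.get("required", [])) - set(old.get("required", []))]
    old_props, new_props = old.get("properties", {}), new.get("properties", {})
    changes += [f"property removed: {n}" for n in set(old_props) - set(new_props)]
    changes += [f"property type changed: {n}" for n in set(old_props) & set(new_props)
                if old_props[n].get("type") != new_props[n].get("type")]
    return sorted(changes)


def diff_specs(old_spec: dict[str, Any], new_spec: dict[str, Any]) -> list[dict[str, Any]]:
    """Classify every operation as removed, added, or schema-changed."""
    old_ops, new_ops = operations(old_spec), operations(new_spec)
    changes = [{"kind": "operation_removed", "op": k, "detail": []}
               for k in sorted(set(old_ops) - set(new_ops))]
    changes += [{"kind": "operation_added", "op": k, "detail": []}
                for k in sorted(set(new_ops) - set(old_ops))]
    for k in sorted(set(old_ops) & set(new_ops)):
        detail = schema_changes(request_schema(old_ops[k]), request_schema(new_ops[k]))
        if detail:
            changes.append({"kind": "schema_changed", "op": k, "detail": detail})
    return changes


def affected_tests(changes: list[dict[str, Any]], tests: list[dict[str, Any]]) -> dict[str, list[str]]:
    """Map test id -> human-readable reasons. Added operations affect no existing test."""
    breaking = {c["op"]: c for c in changes if c["kind"] != "operation_added"}
    hits: dict[str, list[str]] = {}
    for test in tests:
        for op in test["operations"]:
            if op in breaking:
                c = breaking[op]
                reason = f"{op[0]} {op[1]}: {c['kind']}"
                if c["detail"]:
                    reason += " (" + "; ".join(c["detail"]) + ")"
                hits.setdefault(test["id"], []).append(reason)
    return hits


def plan_regeneration(old_spec, new_spec, tests, approved_by: str | None = None) -> dict[str, Any]:
    """Surface drift and hold regeneration until a reviewer is recorded; never silent."""
    changes = diff_specs(old_spec, new_spec)
    hits = affected_tests(changes, tests)
    if not hits:
        return {"status": "no_impact", "changes": changes, "regenerate": []}
    if approved_by is None:
        return {"status": "pending_review", "affected": hits, "regenerate": []}
    return {"status": "approved", "approved_by": approved_by, "regenerate": sorted(hits)}


if __name__ == "__main__":
    import json
    print(json.dumps(plan_regeneration(OLD_SPEC, NEW_SPEC, TESTS), indent=2))
```

Run it and the plan comes back `pending_review` with `t2` (new required field) and `t3` (removed DELETE) listed; `t1` is untouched because adding an optional property and adding an endpoint are not breaking for existing tests. Only a call carrying `approved_by` yields a non-empty `regenerate` list, which is the property the approval flow above is meant to guarantee.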
Compliance posture
Honest about what is shipped, what is on the roadmap, and what is configurable today. We will update this page as items move state.
SOC 2
Status: Roadmap. Engagement with an independent auditor is required before publishing a Type 1 target date. We will update this page when that engagement begins.
ISO 27001
Status: Roadmap. Aligned with internal security governance; formal certification follows SOC 2.
GDPR / data residency
Status: Self-hosted by default. Self-hosted deployment keeps API specs, credentials, and test data inside the residency boundary you choose. Multi-tenant SaaS region selection is on the roadmap.
Security questionnaire response
Procurement and security teams typically ask for the same 30-50 control questions. We share a security questionnaire response, deployment topology diagram, and reference architecture upfront on the architect call — so your security team can review in parallel with the technical evaluation.
Email security@totalshiftleft.com with your questionnaire format, or book a demo and we'll share the standard response packet on the call.
Talk to our architect, not a sales rep
30-minute deployment and security review. We share questionnaire responses, topology diagrams, and reference architecture on the call.