Security Policy
How we protect our API testing platform, APIs, and supporting systems through layered technical and organizational safeguards.
Last Updated: February 2026
This Security Policy (“Policy”) describes the security practices used by TOTALSHIFT LEFT TECH PRIVATE LIMITED (the “Company”, “Total Shift Left”, “we”, “us”, or “our”) to protect the Total Shift Left website, SaaS platform, and APIs (collectively, the “Services”). This document is intended to provide transparency for customers, prospects, and security reviewers. It does not create contractual obligations unless expressly incorporated into a signed agreement.
These policies are issued by TOTALSHIFT LEFT TECH PRIVATE LIMITED. Our primary website is totalshiftleft.ai. We also operate totalshiftleft.com, which is under the same company.
1. SCOPE
This Policy applies to security controls and practices relevant to:
- Our public website and marketing domains
- Our SaaS platform used to configure, execute, and manage API testing workflows
- Product APIs that support authentication, configuration, test execution, reporting, and integrations
- Supporting infrastructure, build systems, and operational tooling used to deliver the Services
The Services are designed for business use. Customers control what data is uploaded, generated, or processed within their own testing workflows. Customers remain responsible for the content of requests, test data, and artifacts they introduce into the Services.
2. SECURITY GOVERNANCE
We maintain a security program intended to manage risk across our products and operations. Key governance practices include:
- Defined security policies and operational procedures
- Access control and least-privilege principles for administrative systems
- Security awareness practices for personnel with access to production systems or customer data
- Risk-based review of significant product and infrastructure changes
3. SECURE DEVELOPMENT LIFECYCLE
We use secure engineering practices to reduce vulnerabilities and improve reliability, including as appropriate:
- Peer review for code changes
- Automated checks in CI/CD pipelines (e.g., tests, linting, dependency checks)
- Secure configuration management and environment separation (development, staging, production)
- Principle of least functionality: minimizing exposed services and privileges
Where AI-assisted functionality is available (for example, generating tests from API specifications), customers should validate outputs and ensure generated artifacts align with their requirements and internal controls.
4. ACCESS CONTROL
We implement access controls to limit access to systems and data to authorized users and services, including:
- Role-based access control (RBAC) within the platform where applicable
- Administrative access restricted to authorized personnel
- Separation of duties where feasible for sensitive operations
- Session management and authentication controls designed to prevent unauthorized access
5. DATA PROTECTION
We apply layered protections to customer and platform data, including:
- Encryption in transit for connections to the Services using industry-standard protocols
- Encryption at rest for stored data where supported by our infrastructure and storage services
- Logical access controls intended to prevent cross-tenant access
- Secrets management practices designed to reduce exposure of credentials and keys
Customers should avoid introducing sensitive personal data, regulated data, or secrets (such as production credentials, private keys, or access tokens) into testing payloads unless contractually agreed and appropriately protected.
6. LOGGING, MONITORING, AND AUDITABILITY
We use logging and monitoring practices intended to support reliability and security, including as appropriate:
- Operational monitoring and alerting for availability and performance issues
- Security-relevant logging for authentication and service events
- Investigation support to help detect, triage, and respond to suspected security incidents
Log retention periods vary based on purpose, legal requirements, and operational needs.
7. VULNERABILITY MANAGEMENT
We maintain vulnerability management practices designed to identify, assess, and remediate security issues, including as appropriate:
- Monitoring for security advisories affecting key dependencies and services
- Risk-based prioritization and remediation of identified vulnerabilities
- Change management to reduce the likelihood of regressions during security fixes
If you believe you have discovered a security vulnerability, please report it using the contact details below. Please do not publicly disclose vulnerabilities until we have had a reasonable opportunity to investigate and remediate.
8. INCIDENT RESPONSE
We maintain incident response practices intended to support timely detection, containment, investigation, and recovery from security incidents. When required by law or contract, we will provide customer notifications regarding applicable security incidents.
9. BUSINESS CONTINUITY AND RESILIENCE
We employ measures intended to support service resilience, which may include:
- Backups and recovery mechanisms for critical systems
- Infrastructure redundancy where appropriate
- Operational procedures to restore service following disruptions
10. THIRD-PARTY AND SUPPLY CHAIN SECURITY
We may use third-party service providers (for example, hosting, monitoring, support tooling, and payment processors). Where appropriate, we apply measures intended to reduce third-party risk, including:
- Vendor selection based on risk and business needs
- Contractual confidentiality and data protection obligations
- Limiting third-party access to what is necessary to provide contracted services
11. COMPLIANCE ALIGNMENT
Our controls are designed to align with common security principles and frameworks used in enterprise environments (for example, ISO/IEC 27001 concepts, SOC 2 trust services criteria, NIST Cybersecurity Framework, and OWASP guidance). References to frameworks are informational and do not represent a claim of certification unless explicitly stated in a separate written attestation.
12. CUSTOMER RESPONSIBILITIES
Customers play an important role in maintaining security. Customers should:
- Use strong authentication practices and protect their credentials
- Configure access roles and permissions according to least privilege
- Control and sanitize test data used in workflows
- Review platform outputs (including AI-assisted outputs) for correctness and compliance with internal policies
- Report suspected security issues promptly
13. CONTACT
For security-related questions or to report a suspected vulnerability, please contact:
Email: security@totalshiftleft.ai
For company details (including registered office address), please see our Privacy Policy or Terms of Service.
14. UPDATES TO THIS POLICY
We may update this Policy from time to time to reflect changes in our practices, technology, legal requirements, or risk environment. The “Last Updated” date reflects the most recent revision.