Skip to main content

Security & Data Handling

Stably is built on top of Playwright and runs your tests using standard Playwright infrastructure. This page explains how your data flows through Stably’s systems and what controls are available to protect sensitive information.

How data flows through Stably

Test execution

When you run tests with Stably SDK, your tests execute in your own environment (local machine, CI runner, or your own infrastructure). Stably does not host or execute your application code. However, Stably uses Playwright to interact with your application in a browser during test execution — this means Stably accesses your application as a user would.

Code generation agent

If you use Stably’s codegen agent to generate or maintain tests, Stably needs access to your test code. There are two modes:
  • Stably-hosted repository: Stably self-hosts your test repository on your behalf. Only Stably has access — you cannot clone or modify it directly.
  • Bring your own repository: You connect your own GitHub repository. Stably clones it into a secure, isolated instance to read your existing files and generate better tests. No files are retained — they are deleted once the codegen agent session ends.

AI-powered features

Stably’s AI features (AI assertions, AI locator, AI extraction, AI agent execute) work by sending contextual data to AI model providers for analysis. When you use these features:
  • What is sent: Page screenshots, accessibility snapshots, and the natural language prompts you write in your test code
  • When it is sent: Only when your test code explicitly calls an AI method (e.g., aiAssert(), page.extract(), agent.act())
  • Where it is sent: To third-party AI model providers (such as Google Gemini, OpenAI, and Anthropic) via Stably’s backend
AI features are opt-in. If you don’t use AI methods in your tests, no page content is sent to AI providers.

Test Reporter

When the Stably Test Reporter is configured, test results and Playwright traces are uploaded to Stably’s servers for dashboard viewing, failure analysis, and stably fix functionality.

Sensitive data scrubbing

The Stably Reporter supports scrubbing sensitive values from trace data before upload. Configure it by passing a sensitiveValues array: 
stablyReporter({
  apiKey: process.env.STABLY_API_KEY,
  projectId: process.env.STABLY_PROJECT_ID,
  sensitiveValues: [
    process.env.TEST_USER_PASSWORD,
    process.env.API_SECRET,
  ],
});
Screenshots and videos are not scrubbed. If sensitive data appears on screen during test execution, it may be captured in visual artifacts. Avoid entering sensitive data in visible form fields when possible.For full details on scrubbing behavior and limitations, see the Stably Test Reporter documentation.

Infrastructure

  • Test results and traces are stored in the United States
  • All data is encrypted in transit (HTTPS/TLS) and at rest
  • The Stably Cloud Runner executes tests in isolated, ephemeral browser environments

Compliance

Stably has achieved SOC 2 Type I certification and is currently pursuing SOC 2 Type II certification.

Questions?

If you have security questions or need to complete a security questionnaire, contact us at jinjing@stably.ai.