Version: TP.15112025.01
Last Review: 15/November/2025
Overview
Vansah is a modern, cloud-native Test Management solution built for the Atlassian ecosystem. Designed for organizations operating within complex regulatory, security, and operational environments, Vansah emphasizes privacy-by-design, defense-in-depth security, and enterprise-grade governance across all operational layers.
Vansah is developed by Testpoint Pty Ltd, a reputable Australian company registered in 2008, with a physical address at Level 35, Tower One, 100 Barangaroo Ave, Barangaroo, 2000, NSW. Phone number: +61 2 89166176.
An Atlassian Marketplace app, Vansah integrates deeply with Jira and Confluence while maintaining a clear separation of responsibilities regarding data storage, privacy, and access controls. Vansah’s architecture, processes, and roadmap are governed by its policies to protect customers, in line with our commitment to meet and exceed enterprise risk expectations.
Enterprise Risk Assessment Questions & Answers
To support your evaluation of Vansah, we have consolidated and clearly documented our responses across all key security assessment areas including security controls, data residency, privacy practices, AI governance, operational resilience, and platform architecture.
The comprehensive Q&A below is designed to streamline customer evaluations and provide full transparency into Vansah’s enterprise-grade capabilities.
Contact Information
If you have any questions about this assessment, or any further questions, please contact us through our support portal. Alternatively, you may send an email to [email protected]
AI Usage for Test Case Generation
1. How is AI implemented in Vansah for generating test cases?
Vansah Intelligence uses a secure, context-limited AI engine to generate structured, high-quality test cases directly from Jira items. Only the Jira fields intentionally provided by the user, such as Summary, Description, Labels, Components, Priority, and permitted custom fields, are processed. No credentials, secrets, or unrelated project data are accessed.
The workflow is transparent and auditable: users trigger AI from a Jira work item, select coverage scope, and receive draft tests containing objectives, steps, expected results, traceability links, and metadata. A human-in-the-loop approval process ensures users can refine, regenerate, or reject content before saving it.
All output becomes Vansah test cases with full provenance, and Vansah enforces quality guardrails such as naming standards, field completeness checks, and style preferences. AI prompts and results follow data residency rules aligned to the customer’s Jira region, and usage is logged for auditability.
2. What data is processed by AI engines?
Vansah’s AI processes only the minimal Jira context needed to generate the requested test artefacts. AI interactions:
- Are not used for training or shared with external parties
- Remain strictly within the customer's Vansah environment
- Exclude sensitive fields such as secrets, tokens, or logs
- Are fully auditable for compliance
Only Jira work item text fields and explicit user prompts are considered, ensuring alignment with privacy-by-design principles.
3. Are there data privacy considerations when using AI features?
Yes - Vansah implements a strict privacy framework. Only relevant Jira fields are processed, never entire projects. Sensitive fields are anonymized where applicable, and customers may configure exclusions.
Vansah uses OpenAI APIs in a zero-training configuration, ensuring no prompt or output is used to improve models.
All AI features comply with GDPR principles and align with ISO 27001 and SOC 2 controls. Customers are encouraged to follow best practices such as avoiding sensitive PII in issue descriptions and using synthetic data during test authoring.
Data Storage & Security
4. Where are sensitive data stored?
Vansah does not store Jira user credentials or passwords. Authentication is handled by Atlassian. Vansah applies administrative, technical, and physical safeguards and encrypts all sensitive data in transit using SSL/TLS.
5. What security measures protect stored data?
Vansah employs defense-in-depth security including RBAC, audit logging, secure coding standards, continuous patching, network security monitoring, compliance-aligned policies (ISO 27001), and industry-standard encryption at rest and in transit.
6. Are passwords and secrets encrypted at rest and in transit?
Yes - TLS secures all data in motion, and AES-256 or equivalent encryption protects stored data.
7. What compliance standards does Vansah follow?
Vansah aligns with ISO 27001 and SOC 2 principles and adheres to Atlassian Marketplace security requirements. Data residency is available across multiple global regions including US, EU, UK, Australia, Singapore, Germany, and Canada.
Data Processing Location
8. Are data processed in Jira or external servers?
Vansah Testing data (test cases, runs, scripts, attachments, reports) is stored securely on Vansah-managed infrastructure (AWS and DigitalOcean).
Jira provides only metadata required for functionality; PII remains within Atlassian systems.
9. What is Vansah’s data retention policy?
Data is retained for up to 6 months after subscription expiration. Early deletion can be requested at any time.
Compliance, Governance & Controls
10. Are you ISO 27001 certified?
Vansah is actively progressing toward full ISO 27001 certification. Its current controls and governance already align with ISO/NIST frameworks. Hosting providers are ISO 27001 certified.
11. Are you SOC 1 / SOC 2 compatible?
Vansah aligns with SOC 2 principles, and its hosting providers are SOC 2 certified.
12. Do you run IT General Controls (ITGC)?
Yes - Vansah maintains structured ITGC practices including access management, change control, backups, DR readiness, and continuous audit support.
GDPR, Incident Response & Breach Procedures
13. Are you GDPR compliant?
Yes - Vansah and its supporting infrastructure comply with GDPR. No personal data is processed directly by Vansah; all PII remains within Atlassian.
14. What is your security breach procedure?
Vansah follows NIST-aligned incident response: detection, containment, investigation, customer notification, and remediation. Threat detection is continuous and supported by automated tooling and the Atlassian Cloud Fortified framework.
15. Do you notify and cooperate with customers during security incidents?
Yes. While Vansah does not process personal data, it maintains full cooperation processes for any incident affecting customer-owned testing data.
16. What is your notification SLA for breaches?
Vansah notifies impacted customers within 24 hours of confirming a breach.
Data Isolation, Multi-Tenancy & Customer Data Handling
17. Does Vansah store data outside Jira?
Yes - test cases, scripts, runs, plans, reports, and attachments are stored in Vansah in the same Jira region to provide full testing capability.
18. Is customer data used internally for development or testing?
No - Vansah does not access or use customer production data. Support access requires explicit customer consent and time-limited authorization (via expiring JWT).
19. How is customer data segregated?
Each customer is a distinct tenant with unique identifiers. Logical isolation prevents data overlap.
20. Does Vansah use anonymized test data for product improvement?
No - Customer data is never used for internal development. Only Vansah-owned data is utilized.
21. Can data types be restricted from being stored externally?
Not currently; however, Vansah applies strong encryption, tenant isolation, RBAC, audit logging, and secured encrypted backup processes retained within the same region.
Access Control, Logging, and Encryption
22. Who can access our data?
Only limited, authorized Vansah staff, under strict approval conditions: customer-authorized support, legal requirements, or enforcement of terms.
Zero-trust principles apply. All access is logged along with two senior approvals.
23. Does Vansah’s AI model use customer data for training?
No - AI interactions are request-only and never retained for model training.
24. How is data encrypted at rest?
AWS-managed AES-256 and LUKS encryption secure all managed database clusters.
25. Who manages encryption keys?
Atlassian manages Jira-side keys; Vansah manages keys for Vansah-stored data. JWT tokens support app authentication.
Availability, Backups, and Business Continuity
26. Are backups stored in a separate secure environment?
Yes. Backups are regionally redundant and isolated, with AWS replication and encrypted standby nodes.
27. What are your RTO/RPO expectations?
Vansah’s Cloud Fortified status requires 99.9% uptime, rapid response (<24h), and minute-level restore points.
Permissions, RBAC & Auditability
28. Does Vansah support role-based access control (RBAC)?
Yes
29. Are audit logs exportable?
Full user action logs are maintained. Export capability is planned for March 2026.
30. Do you offer data retention & deletion compliance?
Yes. Vansah provides a recycle bin with 6-month retention and permanent deletion options, including automated delete after uninstall.
