Testing you can trust — and check
Here is exactly where your tests run, what reaches the model provider, and how your data is protected. No black box.
What runs where
You choose local-first or cloud execution. The difference is where the browser runs.
Local-first
Tests run fully on your machine with your own Gemini key, against localhost, staging, or production. No tunnels and no source-code upload — only calls to the model provider leave your network.
Cloud
A managed browser runs the test for you so anyone on the team can run from any device. The same data boundaries apply: credentials are encrypted and never enter the model context.
What reaches the model provider
Agentiqa uses Google Gemini as its model provider. Here is the boundary.
Never sent
Credentials
Credentials are AES-256-GCM encrypted and typed into the app by name. Their plaintext values are never placed in the model context.
Your source code
Agentiqa requires no repo access or code upload; test plans and verification derive from the rendered UI.
In cloud runs the file-read tool is disabled — it has no backing service and returns unavailable — so your source cannot be read.
In the desktop app, runs execute entirely on your machine with your own API key; any local file the agent reads stays within your own model session.
Does reach it
Screenshots and page snapshots
To decide what to do next, the agent sends screenshots and structured snapshots of the pages it is testing to the model provider.
Your testing instructions
The goals and prompts you give the agent are sent to the model provider so it can plan and carry out the test.
Controls
Encryption at rest
Stored credentials are encrypted with AES-256-GCM.
Supervisor oversight
An independent supervisor model watches every run and can continue, redirect, block, or wrap it up.
Video audit trail
Every run is recorded on video, and each bug ships with screenshots and step-by-step reproduction evidence.
Compliance and data policy
SOC 2 in progress
We are working toward SOC 2. It is in progress, not yet achieved — we will say so plainly here when that changes.
Zero Data Retention (policy)
On the Team plan, Zero Data Retention is a contractual policy: we commit not to retain your run data beyond what is needed to deliver the service, and to delete it on request. It is a policy commitment, not an automatically enforced control in the product today.
Subprocessors
Our subprocessors are listed in our privacy policy.
Data-processing agreement
For a DPA, contact hi@agentiqa.com.
Have a security review to run?
Book a demo and we will walk your team through the architecture, or read what an Enterprise engagement includes.
Get in touch
hi@agentiqa.com© 2026 Agentiqa, Inc. All rights reserved.