# Security and Compliance Best Practices
Security in Hawzu starts with disciplined access, careful test data handling, and traceable testing workflows.
# Manage Access Intentionally
- Assign workspace roles only for workspace-level responsibilities.
- Assign project roles for project testing work.
- Use groups for inherited project access where possible.
- Review users, groups, and roles regularly.
- Remove direct project access when a user no longer needs it.
Learn more in Roles Overview and Users in Groups.
# Use Access Tokens Carefully
Access tokens are for automation and external systems, not interactive user work.
Best practices:
- Use the smallest workspace or project scope that works.
- Choose roles that match the automation task.
- Set an expiry unless there is a strong reason not to.
- Disable a token when you need a temporary pause.
- Revoke a token when it should no longer work.
Learn more in Access Tokens Security.
# Protect Sensitive Data
- Avoid storing passwords, production credentials, or private tokens in test cases, defects, comments, or attachments.
- Use regular parameters only for reusable non-secret values.
- Mask or crop screenshots before attaching them when they contain private data.
- Prefer synthetic or approved test data over copied production data.
# Preserve Traceability
Traceability supports audits and quality review.
- Link requirements to test cases.
- Link defects to test cases, executions, releases, and requirements where relevant.
- Keep release execution history intact.
- Prefer careful retirement over deleting useful historical context.
Learn more in Traceability and Coverage.
- Scope integrations to the projects that need them.
- Rotate external credentials when team ownership changes.
- Test connections after credential changes.
- Avoid assuming external tools mirror every Hawzu workflow automatically.
Learn more in Integrations Best Practices.