Our Commitment to Quality

Unit Testing

Purpose

Unit testing focuses on verifying the smallest testable parts of the application — typically individual methods, functions, or components — to ensure they behave as expected in isolation.

Tools & Frameworks

• RSpec is our primary framework for testing Ruby on Rails backend code.
• QUnit / Ember Testing Utilities is Used for testing frontend logic and Ember.js components.

Process

Developers write unit tests alongside new code or when refactoring existing features. Each test runs in isolation to ensure that the functionality of a unit does not depend on others. Tests are written using descriptive scenarios to act as both validation and documentation. We prioritize tests that cover business logic, data processing, and permission checks.

Automation & CI Integration

All unit tests are executed automatically through GitHub Actions during each pull request and on every push to the codebase.

Failing tests prevent merges, helping us catch regressions early.

Coverage

We aim to maintain overall test coverage above 90%, with a particular focus on business-critical logic and complex workflows. Coverage reports are generated automatically in our CI pipeline, and we review gaps regularly as part of our development process. While coverage is not the only indicator of quality, we treat it as a key metric to help ensure confidence in changes and long-term maintainability. We regularly review and improve test coverage in critical or complex areas.

Integration Testing

Purpose

Integration tests focus on validating how different components of the system interact — especially APIs, services, and data layers — to ensure they behave correctly as a whole.

Tools & Frameworks

• RSpec: Used to test the interaction between models, controllers, services, and the database.
• FactoryBot: Helps create reliable test data for various scenarios.
• Custom Test Helpers: Used to simulate requests and system state for API testing.

Process

We write integration tests for key workflows such as authentication, data imports/exports, background jobs, and business rule enforcement.

These tests are designed to catch issues that span multiple layers (e.g., from an HTTP request to a database transaction).

For our monolithic legacy system, a small number of Capybara-based tests exist, but we are phasing them out as we continue to separate the UI and API layers.

Automation & CI Integration

Integration tests are run automatically in GitHub Actions alongside unit tests. They are a key part of our pull request validation and deployment pipeline.

User Acceptance Testing (UAT)

Purpose

User Acceptance Testing (UAT) ensures that our application behaves as expected from an end-user perspective before any changes are released to production.

Process

UAT is primarily conducted using Endtest, a no-code automated testing platform that replicates real user actions in a browser.

Our tests are designed to validate critical workflows and ensure that the application fulfills our documented behavior and business rules.

These tests simulate end-user scenarios and help us verify that new features or updates meet customer expectations without regression.

Documentation-Driven Approach

UAT scenarios are aligned with our internal documentation and user guides.

This ensures that features behave as described and that we maintain consistency across development, QA, and customer experience.

Environment

Tests run in a staging environment that mirrors production as closely as possible. Any failures or inconsistencies are reviewed by the team and addressed before deployment.

Continuous Integration & Quality Gates

Purpose

Our Continuous Integration (CI) pipeline ensures that every code change is automatically tested, validated, and reviewed before it can be merged or deployed. This protects system stability and enforces quality at every stage of development.

Key Components

GitHub Actions: All tests (unit, integration, and Endtest UAT) run automatically on every push and pull request.

Deprecation Monitoring: Test runs capture deprecation warnings and log them to Rollbar, helping us proactively identify future upgrade issues.

Code Quality Analysis: We use tools such as CodeClimate to measure test coverage and maintainability.

Required Checks: A pull request cannot be merged unless all required checks pass — including test results and code review.

Quality Gates Enforced

✅ Test suite must pass (unit + integration + UAT)

✅ Code coverage must not drop below our threshold

✅ No unaddressed deprecation warnings in test logs

✅ Peer review approval is required

✅ Static analysis must report no critical issues

Kanban Methodology Integration

As part of our Kanban methodology, each stage of the development process has exit criteria that must be met before moving forward.

This includes code review by peers to ensure quality, functionality, and adherence to best practices.

Exit criteria help ensure that every task is fully validated before it progresses to the next step, ensuring consistent quality across the board.

Why It Matters

This automated process, combined with our Kanban flow and exit criteria, helps catch bugs early, prevent regressions, and maintain a high standard of code quality — even as the system evolves and grows in complexity.

Monitoring & Post-Deployment Checks

Purpose

After a deployment, continuous monitoring and post-deployment checks ensure that the system is performing as expected, detect any issues early, and enable quick remediation.

Monitoring Tools & Practices

Rollbar: Used for real-time error tracking and logging. We monitor exceptions, application errors, and performance issues. Alerts are configured to notify the engineering team when issues arise.

Papertrail: Provides centralized logging, allowing us to monitor and search through logs for any anomalies or errors post-deployment.

New Relic: Used for monitoring application performance, including response times, throughput, and database queries.

Continuous Monitoring

Critical errors or performance issues trigger immediate alerts, routed to the on-call team for swift resolution. We closely monitor application performance to identify any regressions or slowdowns post-deployment.

Continuous monitoring is essential to our operations, enabling us to proactively address issues as they arise. We also gather user feedback and error reports to uncover any issues that may not have been captured during testing.

Why It Matters

This proactive monitoring approach helps us catch issues early, reduce downtime, and improve the overall stability and performance of the system post-deployment, ensuring a seamless user experience.

Vulnerability Management

Purpose

Vulnerability awareness is a fundamental aspect of our commitment to software quality. We take a proactive stance in identifying, prioritizing, and mitigating security risks within our codebase and third-party dependencies. By addressing vulnerabilities promptly, we ensure the continued reliability, integrity, and security of our platform.

Tools

GitHub Dependabot: Automatically detects and notifies us of vulnerabilities in third-party libraries and dependencies, ensuring that we stay up to date with the latest security patches.

Qlty: Integrated into our CI pipeline, Qlty helps flag potential risks and maintain code quality through automated analysis, including identifying security concerns in the codebase.

Process

Vulnerability Identification: We rely on automated tools like Dependabot and manual reviews to identify security vulnerabilities.

Triage & Prioritization: Once vulnerabilities are identified, we assess their severity using the CVSS scoring system and determine their potential impact on our platform and customer data.

Remediation:

• High-priority vulnerabilities are addressed immediately as part of our development cycle.
• Lower-priority issues are scheduled for resolution in upcoming development cycles, based on their potential impact and exploitability.

Peer Review: All changes undergo a peer review process, which includes security checks to prevent introducing new vulnerabilities.

While we do not share internal vulnerability reports publicly, we remain dedicated to continuously improving our security posture and ensuring our platform remains secure and trustworthy for our users.