Security and Privacy FAQ
At Katalon TestOps, we prioritize providing strong security to ensure your information is safe and easily accessible when needed. We uphold a top-tier security program to safeguard your data by aligning with industry-leading practices and frameworks.
For more detailed information about Katalon’s security practices, certifications, and compliance posture, please visit our Security & Trust Center at: Katalon Trust Center.
Does Katalon hold any third-party compliance attestations?
Katalon maintains SOC 2 Type II certification and is certified against ISO/IEC 27001 and ISO/IEC 27017.
Moreover, Katalon is also Vendor Insights-certified on AWS Marketplace. For more information about our security profile, refer to the following link: Katalon Platform on AWS.
Our IT security team holds the following certifications:
- Certified Information Systems Auditor® (CISA®)
- Certified Information Security Manager® (CISM®)
- Certified in Risk and Information Systems Control® (CRISC®)
- Certified Data Privacy Solutions Engineer™ (CDPSE®)
- Certified Information Privacy Professional (CIPP)
- Certified in the Governance of Enterprise IT® (CGEIT®)
- Certified Information Systems Security Professional® (CISSP®)
- Information Systems Security Architecture Professional® (ISSAP®)
- Project Management Professional® (PMP®)
- Offensive Security Certified Professional
How does the data flow within Katalon systems?
All Katalon customers will have some information stored in a Katalon license server. That information is primarily concerned with user identification and includes the following:
- User email address
- User display name
- Organization name
- IP address (for access logging)
Customer data remains active as long as the account is active. Upon voluntary closure, the data enters an "expired" state, and is subsequently transferred to "cold storage" and retained for 365 days. After this duration, both the account and its associated data are permanently removed from our systems.
Katalon Studio is Katalon’s tool for authoring test automation scripts. It is a desktop application, and its data will typically be stored on an engineer’s workstation or similar environment within the customer’s control. Katalon Studio data takes the form of various text files stored within a project directory. Data stored within a typical Katalon Studio project include the following:
- Test cases
- Test suites
- Test data (optional)
- Reports from test executions
Katalon TestOps is Katalon’s platform for test management and analytics. The data stored within TestOps is primarily related to test cases, test suites, and information about their execution. Following is a list of data stored within TestOps:
- Test case names
- Test suite names
- Test execution details
- Timestamps
- Execution logs
- Execution results (pass/fail/error)
- Environment information (browser, OS, mobile device)
- Screenshots (optional)
Katalon TestCloud provides Katalon customers with access to execution environments for web and mobile applications. In addition to providing access to browsers and mobile devices, TestCloud also provides virtual machines to execute test scripts. The virtual machines that host browsers and execute test scripts are ephemeral, and mobile devices are wiped between executions. While TestCloud is executing a test suite, it will have access to the following data:
- Test case and test suite definitions
- Test scripts
- Associated test data
- Test execution logs
TestCloud loads test suites and related data from external source code repositories (GitHub, GitLab, etc.). All data is deleted at the completion of test execution. Test results are transferred to TestOps for historical reporting as described above.
How does Katalon handle data privacy when using AI services?
Katalon products utilize AI services to improve various features. When AI services are used, we apply strict data privacy measures to protect user data.
As per Katalon's contract with OpenAI, none of the submitted data is retained or stored for any purpose. OpenAI does not use customer data to train or improve its models.
Regex patterns are used to filter PII from inputs and outputs. Users can also configure specific data exclusions to prevent sensitive information from being captured by tools like TrueTest. You can learn more about TrueTest's user data privacy policy here: Protect user data privacy.
In addition to our own hosted LLM service for StudioAssist, Katalon also supports Bring Your Own Key (BYOK), which allows customers to use their own OpenAI, Azure, Google Gemini, or OpenAI-compatible LLM service. In that case, whatever terms the customer has in place with their provider apply.
What Personally Identifiable Information (PII) does Katalon retain?
- We collect information you provide, information we collect automatically, and information from other sources.
- We use your information to provide, improve, and personalize the Offerings, for marketing and communication, and for legal and safety purposes.
- We disclose information to service providers, partners, and other third parties as described below. We do not sell your personal information.
- You have rights regarding your personal information, including access, correction, deletion, and objection to processing.
For detailed description, refer to our Privacy Policy page.
How is user data stored? What encryption is used for data at rest and data in transit?
- Data is stored in approved data stores within AWS. Structured data is stored in databases while unstructured data is stored in securely configured AWS S3 buckets.
- Data at rest is encrypted with AES 256-bit encryption, while data in transit is encrypted with TLS 1.2+ (RSA 2048-bit) encryption. Approved secure channels include SSH, HTTPS, and SFTP.
- Sensitive records are hashed with SHA-256 at the database table level.
Can unprotected user data be accessed by your staff? Is this access audited?
Our internal staff is prohibited from directly accessing user data. Only approved database administrators, upon request from the data owner, are granted access to assist them directly.
All access is meticulously logged and subject to regular audits for accountability and security.
Is there a separation between the publicly accessible parts of the application and the data storage?
Yes. Public-facing components are housed in separate logical networks behind load balancers.
Architecture design follows an n-tier pattern with all data decoupled from external-facing application components.
There is no direct external access to data stores.
Does Katalon TestOps have cloud providers? Where are they hosted?
Katalon TestOps uses Amazon Web Services (AWS) for all production infrastructure and storage. Our AWS location is the us-east-1 region (Northern Virginia, USA).
If you need a custom data storage location for your organization or project, Katalon TestOps offers on-premises and private Software-as-a-Service (SaaS) solutions. Contact us for more information.
What happens to my data after I stop using Katalon?
After your subscription expires or is terminated, Katalon will delete your personal data in accordance with the procedures described in the "Deletion and return of your personal data" section of our Legal Terms.
In certain situations, we may retain limited data if required by applicable law or as part of our standard backup and record-retention processes. Any data that is retained remains subject to strict confidentiality and security obligations, and Katalon will not further process your data except as required by law.
What is your system patching process/schedule?
Katalon addresses vulnerabilities by prioritizing them according to their severity, in line with our Vulnerability Management policies. Our focus is on making the best effort to address critical, exploitable vulnerabilities identified in externally accessible assets.
Overall, we adopt an immutable image approach for production patching, applying patches at the "golden image" level to enable swift continuous deployment and remediation for production workloads.
Due to architectural design considerations, patch deployment may proceed in a rolling fashion. With each patch deployed, the scope is announced in our release notes.
Why do I get logged out of Katalon Studio every 7 days?
Katalon Studio uses a Single Sign-On (SSO) system for managing user authentication. The login token issued is valid for 7 days, and subsequent refresh tokens won't extend this period. To maintain continuous access, you'll need to log out and log back in every 7 days. Be mindful of your session duration to prevent interruptions to your testing activities.
What port does Katalon Studio use to communicate with external resources?
Katalon Studio is a desktop application and establishes connections with Application Lifecycle Management (ALM) integration servers such as JIRA, qTest, Slack, and continuous integration (CI) servers. The security protocols for these connections are configured by the users. Specifically, Katalon Studio uses port 443 for tasks such as updating, checking bugs, and reporting.
Refer to our documentation for the full list of supported external integrations: Integrations in Katalon Studio.
How are configuration and credential data encrypted in Katalon Studio?
App configurations and credential data are encrypted by password-based encryption using Secure Hash Algorithm 1 (SHA-1) and Triple DES (Data Encryption Standard in Encrypt-Decrypt-Encrypt mode), i.e. the PBEWithSHA1AndDESede scheme.
For Katalon Studio, we use the PBEWithSHA1AndDESede algorithm. Katalon Studio keeps a unique salt and secret key to encrypt and decrypt values when performing the keyword action. Only an encryption feature is provided to users; there is no decryption feature. Users can only see the encrypted value in the script file. The raw value will not be logged in our report.
For step-by-step guidance on handling sensitive text in Katalon Studio, refer to: Work with sensitive text in Katalon Studio.
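How the PBEWithSHA1AndDESede scheme named above works in practice, as an added example using the standard Java JCE API (this is not Katalon Studio's own code; the passphrase, salt and iteration count are constructed placeholders, and Katalon's real key material is not shown):

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.PBEParameterSpec;

// Illustration of PBEWithSHA1AndDESede via the JCE provider. SALT, ITERATIONS and
// the passphrase in main() are constructed placeholders, not Katalon's values.
public class PbeDesedeDemo {
    private static final String ALGORITHM = "PBEWithSHA1AndDESede";
    // SunJCE requires at least 8 salt bytes for this PKCS#12-style PBE.
    private static final byte[] SALT = {
        (byte) 0x4b, (byte) 0x61, (byte) 0x74, (byte) 0x61,
        (byte) 0x6c, (byte) 0x6f, (byte) 0x6e, (byte) 0x21
    };
    private static final int ITERATIONS = 1000;

    // Derives the 3DES key and IV from passphrase + salt + iteration count
    // (SHA-1 based PKCS#12 KDF) and returns a cipher for the requested mode.
    private static Cipher cipher(char[] passphrase, int mode) throws Exception {
        SecretKey key = SecretKeyFactory.getInstance(ALGORITHM)
                .generateSecret(new PBEKeySpec(passphrase));
        Cipher c = Cipher.getInstance(ALGORITHM);
        c.init(mode, key, new PBEParameterSpec(SALT, ITERATIONS));
        return c;
    }

    // The "encrypt" step: produces a Base64 token that can stand in for the
    // raw credential inside a script file.
    public static String encrypt(char[] passphrase, String plaintext) throws Exception {
        byte[] ct = cipher(passphrase, Cipher.ENCRYPT_MODE)
                .doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(ct);
    }

    // The inverse. Studio does not expose this to users, but the same passphrase
    // and salt recover the plaintext: the token is reversible, not a hash.
    public static String decrypt(char[] passphrase, String encoded) throws Exception {
        byte[] pt = cipher(passphrase, Cipher.DECRYPT_MODE)
                .doFinal(Base64.getDecoder().decode(encoded));
        return new String(pt, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        char[] passphrase = "placeholder-secret".toCharArray(); // constructed
        String token = encrypt(passphrase, "s3cr3t-api-key");
        System.out.println("encrypted: " + token);
        System.out.println("round trip ok: " + "s3cr3t-api-key".equals(decrypt(passphrase, token)));
    }
}
```

Because one passphrase and salt both encrypt and decrypt, the encrypted value in a script protects against casual disclosure of the raw credential rather than against anyone holding the key material, so the script file and the workstation it lives on still need their own access controls.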
How do you manage access to production systems?
The principle of least-privilege access is enforced to define role-based access to our production systems. All production access requires a secure VPN connection to a management network zone. No production environment is publicly accessible (i.e., all 0.0.0.0/0 subnets are shut down). Also, all production and privileged connections are logged.