
Security and Privacy FAQ

Does Katalon Platform have cloud providers? Where are they hosted?

Katalon Platform uses Amazon Web Services (AWS) for all production infrastructure and storage. Our AWS location is the us-east-1 region (Northern Virginia, USA). If you need a custom data storage location, we offer On-Premises and Private SaaS solutions. Contact us to learn more.

Do you operate physical infrastructure?

Katalon infrastructure is cloud-first, and 100% virtualized. None of our infrastructure is physical.

Does Katalon hold any third-party compliance attestations?

Katalon currently holds and maintains a SOC 2 Type II certification. Katalon's adoption of GDPR compliance was also verified by GDPR Local.

Our IT security team also holds the following certifications:

  • Certified Information Systems Auditor® (CISA®)

  • Certified Information Security Manager® (CISM®)

  • Certified in Risk and Information Systems Control® (CRISC®)

  • Certified Data Privacy Solutions Engineer™ (CDPSE®)

  • Certified Information Privacy Professional (CIPP)

  • Certified in the Governance of Enterprise IT® (CGEIT®)

  • Certified Information Systems Security Professional® (CISSP®)

  • Information Systems Security Architecture Professional® (ISSAP®)

  • Project Management Professional® (PMP®)

  • Offensive Security Certified Professional

Does Katalon have an information security program?

Katalon maintains an internal Information Security Management System based on the ISO 27001 and the NIST CyberSecurity Framework. All personnel are required to review and sign off on the policies upon hire and at least annually. This program is supervised internally by Katalon's Chief Information Security Officer.

Can unprotected user data be accessed by your staff? Is this access audited?

No user data can be directly accessed by our internal staff. Only approved database administrators, at the request of the data owner, would be able to have access to assist the data owner directly. All access is centrally logged and audited.

Do you have a disaster recovery plan (DRP) and business continuity plan (BCP)?

Katalon Platform systems are hosted in AWS and take advantage of AWS services for continuity and redundancy.

  • Backups: Backups and snapshots are taken daily and tested regularly.

  • High Availability: Katalon systems are designed with high availability as a primary goal.

How are backups managed? What encryption is used? How are they destroyed when they are no longer needed?

Automated snapshots and backups are captured and destroyed systematically per policy.

What personal identification information does Katalon retain?

Katalon retains personal identification information (PII) for user license verification, including name, email, and IP address. We retain PII only to process payment for licenses; we do not process or manipulate the data in any other way or for any other purpose.

What is your system patching process/schedule?

Katalon patches vulnerabilities based on their criticality and in accordance with our Vulnerability Management policies. Best effort is made for critical, exploitable vulnerabilities found on externally accessible assets. In general, we take an immutable image approach to production patching: patching is done at the "golden image" level to enable rapid continuous deployment and remediation to production workloads. Due to architecture design decisions, patches may be deployed in a rolling fashion.

What are some controls you implement for your application security program?

Katalon adopts the latest practices to ensure secure delivery of Katalon Platform:

  • AWS CIS Benchmark for hardening and vulnerability remediation

  • Native IDS services enabled at the OS level

  • Vulnerability scanning, workload protection and cloud posture monitoring at the infrastructure level are handled through CNAPP, CWPP and CSPM

What port does Katalon Studio use to communicate with external resources?

Katalon Studio is a desktop application that connects to ALM integration servers such as JIRA, qTest, Slack, and CI, whose security protocols are configured by the users. Katalon Studio uses port 443 for update checking and bug reporting.

How is user data stored? What encryption is used for data at rest and data in transit?

  • Data is stored within approved data stores within AWS. Structured data is stored within databases and unstructured data is stored within securely configured AWS S3 buckets.

  • Data at rest is encrypted with AES 256-bit and data in transit is encrypted with TLS 1.2+ (RSA 2048-bit) encryption. Approved secure channels include SSH, HTTPS, and SFTP.

  • Further, sensitive records are hashed with SHA256 at the database table level.

How are configuration and credential data encrypted in Katalon Studio?

App configurations and credential data are encrypted using PBE with SHA1 and DESede.

What type of encryption does the 'Encrypt Text' tool in Katalon Studio use?

We use the PBEwithSHA1AndDESede algorithm. Katalon Studio keeps a unique salt and secret key to encrypt and decrypt values when performing the keyword action. We provide only the encryption feature, without a decryption feature. Users can only see the encrypted value in the script file, and the raw value is not logged in our report.

You can encrypt text manually in Katalon Studio by going to Help > Encrypt Text. The encrypted value can then be used in the method:

WebUI.setEncryptedText(findTestObject(null), '8SQVv/p9jVTHLrggi8kCzw==')

The method fills the encrypted text into a text box; the raw value is decrypted when the test runs.
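An added example (not Katalon's code) of how a PBEWithSHA1AndDESede value like the one above is produced and later recovered at run time, using the standard Java JCE API. The secret, salt and iteration count are constructed assumptions, not Katalon Studio's key material.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.PBEParameterSpec;

public class PbeDesedeDemo {
    private static final String ALGORITHM = "PBEWithSHA1AndDESede";
    // Constructed key material for illustration; NOT Katalon Studio's values.
    private static final char[] SECRET = "constructed-demo-secret".toCharArray();
    private static final byte[] SALT = {0x10, 0x32, 0x54, 0x76, 0x18, 0x3A, 0x5C, 0x7E};
    private static final int ITERATIONS = 1000; // assumed iteration count

    private static Cipher cipher(int mode) throws Exception {
        SecretKey key = SecretKeyFactory.getInstance(ALGORITHM)
                .generateSecret(new PBEKeySpec(SECRET));
        Cipher c = Cipher.getInstance(ALGORITHM);
        // The 3DES key and IV are both derived from secret + salt + iterations.
        c.init(mode, key, new PBEParameterSpec(SALT, ITERATIONS));
        return c;
    }

    static String encrypt(String raw) throws Exception {
        byte[] ct = cipher(Cipher.ENCRYPT_MODE).doFinal(raw.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(ct);
    }

    static String decrypt(String encoded) throws Exception {
        byte[] pt = cipher(Cipher.DECRYPT_MODE).doFinal(Base64.getDecoder().decode(encoded));
        return new String(pt, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        String stored = encrypt("S3cret-Pa55!"); // constructed sample value
        System.out.println("value kept in the script: " + stored);
        // A fixed salt and secret make the output deterministic.
        System.out.println("same input, same output:  " + stored.equals(encrypt("S3cret-Pa55!")));
        // Any process holding the same salt and secret recovers the raw value.
        System.out.println("round trip ok:            " + "S3cret-Pa55!".equals(decrypt(stored)));
    }
}
```

The encrypted string keeps the raw value out of script files and reports, but its confidentiality rests entirely on the salt and secret held by the application, so test credentials should still be scoped and rotated like any other secret.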

How are users' passwords stored?

Users' passwords are stored in a secure vault compliant with NIST Special Publication 800-63 Digital Identity Guidelines.

Do you have an enforced password policy for admin accounts? Do you require MFA for admin accounts?

All admin accounts are enforced with company-defined length, complexity, and history requirements for passwords. All admin accounts require multi-factor authentication.

Do you have separate production and development environments?

Yes, each of these environments is logically separated in its own VPC and has no dependencies on the others.

Are these systems separate from your corporate network?

Yes, the corporate network and Katalon Platform environments are not within the same logical networks.

How do you manage access to production systems?

The principle of least privileged access is enforced to define role-based access to our production systems. All production access requires a secure VPN connection to a management network zone. No production environments can be accessible publicly (i.e., all 0.0.0.0/0 subnets are shut down). Also, all production and privileged connections are logged.

Describe your coding, testing, and deployment practices.

  • Katalon employs industry-standard tools and processes for an efficient and secure software delivery life cycle and CI/CD pipelines.

  • All development teams adopt the Agile method with defined release and support cadences.

  • Code security support is enabled with industry leading tools to enable static and dynamic code scanning, secured shared secrets, software composition analysis and vulnerability testing.

Is there a separation between publicly accessible parts of the application from the data storage?

  • Yes, public-facing components are housed in separate logical networks behind load balancers.

  • Architecture design follows an n-tier pattern with all data decoupled from external-facing application components.

  • There is no direct external access to data stores.

Do you perform system vulnerability scans and penetration testing?

Yes, we employ AWS Inspector and Nessus for vulnerability scanning. Annual penetration testing is done internally and externally.

Do you perform web application vulnerability testing or intrusion detection?

  • Yes, application vulnerability scans include static, dynamic, and open source dependencies.

  • AWS CIS Benchmark is used for hardening and vulnerability remediation.

  • Native IDS services are enabled at the OS level, and vulnerability management and tracking are enabled with Amazon Inspector and Nessus.

What type of firewalls/DDOS defense do you use?

Native AWS WAF services are deployed for edge defense.

How do you monitor your systems and networks?

AWS Security Hub, CloudTrail, GuardDuty, Macie, Prowler, and Wazuh are some of the tools and services deployed for our network and workload monitoring.

What logging do systems perform? How are they protected?

All cloud workload logs are shipped to a central log management platform where security, compliance, and vulnerability logging is performed. Protection is enabled by regular backups and a high-availability architecture design.

How does Katalon manage the physical security setup of the system/service (including overview/architecture drawing)?

Katalon's security framework complies with the ISO/IEC 27001 standard for information security management systems (ISMS) and covers Physical and Environmental security to prevent unauthorized physical access, damage, and interference to the organization's information and information processing facilities. See: ISO standard - physical and environmental security.

Log4Shell (CVE-2021-44228) - General update

On the 9th of December 2021, a Remote Code Execution exploit, CVE-2021-44228, was discovered in a popular Java logging library called Log4j2. It became widespread and is known to have been exploited in the wild. This incident was created to investigate, fully understand, and respond to potential attacks on Katalon assets. Based on our internal review, Katalon users are not affected by this vulnerability.

Katalon TestOps is not affected by this vulnerability. TestOps uses the default implementation of Spring Boot (implemented Logback through SLF4J for logging). As noted by the Spring Boot team: "Spring Boot users are only affected by this vulnerability if they have switched the default logging system to Log4J2."

Any vulnerability that might exist in TestOps has been mitigated to some extent in its Web Application Firewall (WAF) controls, which have been updated to block requests embedding known attacks on this vulnerability.

As of 13 December 2021, TestOps has been upgraded to include Log4J v2.15.0 in its dependencies. In combination with the WAF controls noted above, these corrective actions should completely mitigate any exposure in TestOps.

Katalon Studio Enterprise uses Log4J v1.2.15. This version is not as vulnerable as the version identified in the CVE, particularly given that we are not using the JMSAppender. A similar conclusion is drawn for Katalon Runtime Engine.

You can download it from our GitHub repo at:

For 8.3.0: https://github.com/katalon-studio/katalon-studio/releases/tag/v8.3.0

We are encouraging our users to download and use those versions. During your usage, please do let us know of any feedback that you have with the products.
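One way to check an installation against the two conditions this update distinguishes, the Log4j 2.x JNDI lookup code and the Log4j 1.x JMSAppender, as an added example that is not Katalon's tooling. The class paths are the libraries' own; the jar names and temp directory are constructed sample input, and jars nested inside other jars are not opened.

```java
import java.io.IOException;
import java.nio.file.*;
import java.util.*;
import java.util.stream.*;
import java.util.zip.*;

public class Log4jJarCheck {
    // Class files marking the two code paths: Log4j 2.x lookup and Log4j 1.x appender.
    static final String JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class";
    static final String JMS_APPENDER = "org/apache/log4j/net/JMSAppender.class";

    // Reports which of the two classes a single jar ships.
    static List<String> inspect(Path jar) throws IOException {
        List<String> findings = new ArrayList<>();
        try (ZipFile zip = new ZipFile(jar.toFile())) {
            if (zip.getEntry(JNDI_LOOKUP) != null)
                findings.add(jar.getFileName() + ": Log4j 2.x JndiLookup present; check log4j-core version");
            if (zip.getEntry(JMS_APPENDER) != null)
                findings.add(jar.getFileName() + ": Log4j 1.x JMSAppender present; check it is not configured");
        }
        return findings;
    }

    // Walks a directory tree and inspects every top-level .jar file found.
    static List<String> scan(Path root) throws IOException {
        List<Path> jars;
        try (Stream<Path> files = Files.walk(root)) {
            jars = files.filter(p -> p.toString().endsWith(".jar")).collect(Collectors.toList());
        }
        List<String> all = new ArrayList<>();
        for (Path jar : jars) all.addAll(inspect(jar));
        return all;
    }

    // Constructed sample input: a jar holding one empty class entry.
    static void writeJar(Path jar, String entry) throws IOException {
        try (ZipOutputStream out = new ZipOutputStream(Files.newOutputStream(jar))) {
            out.putNextEntry(new ZipEntry(entry));
            out.closeEntry();
        }
    }

    public static void main(String[] args) throws IOException {
        Path dir = Files.createTempDirectory("jar-check");
        writeJar(dir.resolve("log4j-1.2.15.jar"), JMS_APPENDER);
        writeJar(dir.resolve("logback-classic.jar"), "ch/qos/logback/classic/Logger.class");
        scan(dir).forEach(System.out::println); // only the log4j-1.2.15.jar line is reported
    }
}
```

A JMSAppender finding only shows the class ships in the jar; whether it is in use depends on the logging configuration, which has to be reviewed separately.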

Does the GPT-powered Manual Test Generator engine employ closed-model AI or open source? Is the data shared or used by any other third party?

  • The GPT-powered Katalon Manual Test Cases Generator is based on the cloud API of OpenAI. We only send requests to OpenAI and receive responses from their server. No prompt or answer submitted through Katalon products is used by OpenAI to train models. The data is retained by OpenAI for a maximum of 30 days, solely for abuse and misuse monitoring purposes, after which it will be deleted. For more information, see: OpenAI's API data usage policy. Katalon also does not store prompts and answers submitted through the Manual Test Generator.