Katalon Trust Center

Trust is our foundation

Welcome to the Katalon Trust Center. Discover how we protect your data through our commitment to enterprise-grade security, verifiable compliance, and responsible AI.

Security

Learn about our robust security program, from our secure development practices to our resilient cloud infrastructure.

Explore security →

Compliance

Review our certifications and attestations, including SOC 2 and ISO 27001, which are verified by independent auditors.

View compliance ->

Data & privacy

Understand our data handling practices, our commitment to global privacy standards, and our transparent approach to AI.

Review privacy ->

Security

A multi-layered security program

Our commitment to protecting your data through a robust, multi-layered security program.

Secure by design

Security isn’t an afterthought; it’s built into every phase of the software lifecycle. We embed security controls from initial design to deployment.

Learn more about lifecycle security →

Infrastructure security

We host on Amazon Web Services (AWS), leveraging its resilient, globally certified infrastructure to ensure availability and protect your data.

Learn about AWS security →

Platform security

Sensitive data is encrypted in transit Katalon protects customer data with strong encryption (AES-256 at rest, TLS in transit), enterprise-grade identity and access controls (SSO, MFA, least privilege), and regular independent audits and penetration tests to validate our security posture.

Learn more about platform security->

AI security and trust

Our AI features are built on a foundation of trust and transparency, with a core commitment to zero data retention. Customer data is never retained or used by third-party providers to train their models.

View AI architecture →

Katalon’s “secure by design” philosophy

We embed controls across the software lifecycle and cloud platform so every release inherits the same hardened baseline.

1. Plan

Security, privacy, and compliance requirements are defined at project inception.

2. Design

We conduct threat modeling (e.g., STRIDE) to address architectural risks before coding begins.

3. Develop

Engineers follow OWASP-based secure coding standards, with mandatory peer reviews and automated dependency scanning.

4. Test & verify

Static and dynamic application security testing (SAST/DAST) are integrated into our CI/CD pipeline.

5. Deploy & harden

Infrastructure as Code (IaC), least privilege access, and secure configurations are enforced in production.

6. Maintain & monitor

Continuous monitoring, vulnerability management, and a dedicated incident response team ensure ongoing protection.

Compliance

Compliance & certifications

Our commitment to global security and privacy standards

SOC 2 Type II

Katalon undergoes annual, independent third-party audits to certify our platform against the SOC 2 Type II standard for Security, Availability, and Confidentiality.

Request report (under NDA) ->

ISO/IEC 27001:2022

We are certified against the global standards for Information Security Management Systems (ISMS), demonstrating a systematic approach to managing security.

View certificate ->

Global privacy standards

We are committed to global privacy regulations, including GDPR. We are a participating member of the EU-U.S. Data Privacy Framework (DPF) for trusted international data transfers.

View our listing on DPF website ->

AI governance & transparency

Our AI architecture provides clear, transparent documentation on how our AI systems work, the data they use, and the safeguards in place to ensure responsible operation.

Explore AI architecture ->

Vendor security and supply chain

Your trust in Katalon extends to the vendors and sub-processors we partner with. We maintain a formal vendor security risk management program that includes rigorous initial due diligence and ongoing monitoring of all sub-processors, such as AWS and OpenAI, to ensure they meet our high security and compliance standards. This program is audited as part of our SOC 2 certification.

Data & Privacy

Your data, your control

How we handle your data with the care and control you expect.

Data ownership

You retain ownership of your data processed on the Katalon Platform. For AI-powered features, this extends to both the inputs you provide and the outputs generated by the system. Katalon acts solely as a processor, handling your data in accordance with our agreements and applicable data protection laws.

Data hosting and processing

All customer data is processed and stored in our secure AWS environment, hosted in the us-east-1 (USA) region. We apply enterprise-grade security controls to protect your data at rest and in transit.

AI trust and privacy

Our core commitment is Zero Data Retention. Your data is never used to train third-party AI models. We provide you with full control to enable, disable, and configure AI features.

Learn more about AI safeguards ->

Legal & DPA

We provide a GDPR-compliant Data Processing Agreement (DPA) to all customers. Find our standard DPA and other legal documentation in our central resource hub.

View legal documents →

AI architecture: Katalon TrueTest

Transparency in how we leverage AI to revolutionize test automation.

Katalon TrueTest is designed to help quality assurance (QA) teams, developers, and product managers accelerate test creation and improve test coverage. By observing real user interactions in a production or pre-production environment, TrueTest automatically generates robust, maintainable automated tests. This is intended to:
- Generate automated tests: Automatically create test scripts and objects for Katalon Studio based on captured user journeys.
- Identify coverage gaps: Highlight business-critical user flows that are not currently covered by existing test suites.
- Accelerate test maintenance: Simplify the process of updating tests when the application UI changes.
1. Capture

A small JavaScript snippet added to your application passively tracks UI interactions using DOM mutation observers and event listeners. Only structural interaction data is collected—never screenshots or raw user-entered values.

2. Local Filtering & Anonymization

Before leaving the browser, the agent automatically filters and removes sensitive input values. TrueTest does not store sensitive information by default.

3. Secure Processing with Additional PII Safeguards

After transmission, TrueTest performs a second, more comprehensive PII scan and exclusion process. Any remaining sensitive values are removed before the data is persisted. Only cleaned structural interaction data is used to build user sessions, journey maps, and flows.

4. AI-Assisted Generation (Strictly Limited LLM Use)

For selected flows, TrueTest sends a minimal prompt containing only structural metadata (such as DOM attributes and page transitions) to an enterprise LLM endpoint.

TrueTest uses enterprise LLM endpoints with strict data-handling guarantees, ensuring prompts are not logged, stored, or used to train foundation models.

The LLM is used only to generate:
- Object names
- Locator suggestions
- Test case names and descriptions
5. Delivery of Test Artifacts

Generated test objects and test cases are returned to the Katalon Platform and stored in the customer’s Git repository or Katalon Cloud for review and execution.
- Zero data retention: We have a contractual, zero-retention and no-log agreement with our AI sub-processor (OpenAI). Customer data submitted for processing is never stored, logged, or used to train or improve third-party AI models. The processing is ephemeral and stateless.
- Proactive data filtering: The TrueTest agent is designed to automatically detect and filter common sensitive data types at the source using regular expressions (regex). This includes Social Security Numbers, emails, IP addresses, phone numbers, credit card information, and passwords.
- Customer-defined exclusions: You have the control to manually define specific UI elements to be excluded from data capture by adding a simple CSS class to your application's code, ensuring sensitive or proprietary information is never captured.
- Bring Your Own Key (BYOK): For customers with stringent data sovereignty requirements, TrueTest supports a BYOK model, allowing you to route all AI processing through your organization's own private LLM instance.
- Complete customer control: AI features are optional. Your organization's administrators have full, granular control to enable or disable AI services at any time.
- Data ownership: You retain ownership of your data. Per our terms of service, any inputs provided to our AI products and any outputs generated by them are considered "Your Data."
- Like all AI systems, TrueTest is a tool to augment human expertise, not replace it.
- Contextual understanding: The AI may not always grasp the full business context or intent behind a complex user flow. Tests generated by TrueTest should always be reviewed by a human QA professional to ensure they align with business requirements.
- Complex dynamic elements: While robust, the AI may occasionally struggle with highly complex, non-standard, or dynamically generated UI elements. Some manual adjustment in Katalon Studio may be required in these edge cases.
- Hallucinations: In rare cases, the AI may generate a test step that is not logical or does not correspond to a real user action. We mitigate this through prompt engineering and by ensuring generated tests are easily editable in Katalon Studio.

Our AI trust principles

Transparency is a core component of responsible AI. We provide clear documentation about how our AI systems work, the data they use, and the safeguards we've implemented to protect your information and intellectual property.

Zero data retention

Your data is never used to train our AI models or third-party models.

Customer control

AI features are optional and can be enabled or disabled at an organizational level.

Transparency

We are committed to being transparent about how our AI features work.

Accountability

Robust internal governance ensures our AI systems are developed and deployed responsibly and ethically.

Resources

Downloads and reports

Access key documents, policies, and reports to support your due diligence process. We are committed to providing you with the information you need, when you need it.

Public documents

These documents are available for direct download.

Security and trust executive summary

A high-level overview of our security program.

Download PDF

Consensus Assessments Initiative Questionnaire (CAIQ)

Our responses to the CSA's industry-standard questionnaire.

Download PDF

Katalon data & AI trust FAQs

Frequently asked questions.

Download PDF

Compliance reports & certifications

Access to our sensitive compliance reports is managed through a secure portal to protect confidentiality.

SOC 2 Type II report

Our full audit report covering Security, Availability, and Confidentiality. Access requires an NDA.

Request access

ISO/IEC 27001 certificate

Our official certification for Information Security Management Systems (ISMS). Access is through our portal.

Request access

ISO/IEC 27017 certificate

Our official certification for Cloud Service Security. Access is through our portal.

Request access

Legal & DPA

Review our standard legal agreements and policies.

Data Processing Agreement (DPA)

Our standard, GDPR-compliant DPA.

View DPA

Privacy policy

How we collect, use, and share data.

View policy

Please visit the Katalon Security Policy Center for additional documentation

For a detailed review of our information security policies and controls, please visit our Drata-powered trust portal.

Katalon Policy Center