Does Katalon hold any 3rd party compliance attestations?
Katalon currently holds and maintains a SOC 2 Type II attestation report.
Does Katalon have an information security program?
Yes. Katalon maintains an internal Information Security Management System (ISMS) based on ISO/IEC 27001 and the NIST Cybersecurity Framework. All employees are required to review and sign off on the policies upon hire and at least annually. The program is led internally by Katalon's CISO.
Does Katalon depend on any cloud providers to support customer services?
Yes. The Katalon platform uses Amazon Web Services (AWS) for all production infrastructure and storage.
Do you have a disaster recovery plan (DRP) and business continuity plan (BCP)?
Yes. Katalon systems are hosted in AWS and use native AWS services for continuity and redundancy:
- Backups: regular backups and snapshots are taken and tested.
- High availability: systems are designed and architected with high availability as a primary design goal.
What PII does Katalon process?
Katalon processes the PII needed for user license verification: name, email address, IP address and, in cases where support is needed, a device ID.
What is your system patching process/schedule?
Katalon patches vulnerabilities based on criticality and in accordance with the internal SLAs defined in its Vulnerability Management policies. Best-effort priority is given to critical, exploitable vulnerabilities found on externally accessible assets.
In general, production patching follows an immutable-image approach: all patching is done at the "golden image" level, which enables rapid continuous deployment and remediation of production workloads.
Because of how the platform is architected, patches may be deployed in a rolling fashion.
What are some controls you implement for your application security program?
Katalon uses best practices to ensure secure delivery of the Katalon Platform, including:
- The CIS Benchmark for AWS is used for hardening and vulnerability remediation.
- Native IDS services are enabled at the OS level.
- Vulnerability scanning, workload protection and cloud posture monitoring at the infrastructure level are handled through CNAPP (cloud-native application protection platform), CWPP (cloud workload protection platform) and CSPM (cloud security posture management) tooling.
- Industry-standard tools and processes for an efficient, secure SDLC and CI/CD pipelines across all Katalon products.
- All development follows an agile workflow with defined release and support cadences.
- Code security is supported by industry-leading tools that provide:
  - Static and dynamic code scanning.
  - Secure handling of shared secrets.
  - Software composition analysis.
  - Vulnerability testing.
How is user data stored? What encryption is used for data at rest and data in transit?
Data is stored in approved data stores within AWS: structured data in databases and unstructured data in securely configured Amazon S3 buckets.
Data at rest is encrypted with AES-256; data in transit is protected with TLS 1.2 or later (RSA 2048-bit). Approved secure channels include SSH, HTTPS and SFTP.
In addition, sensitive records are hashed with SHA-256 at the database table level.
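The following is an added illustration of what hashing a sensitive column "at the table level" means in practice; it is example code, not Katalon's implementation, and the page does not say whether the hash is keyed or salted. The sample rows, the `HashedColumnTable` class and the demo key are all constructed for this example. The table stores only the SHA-256 digest of the sensitive field, so equality lookups still work (the query value is hashed the same way), but the plaintext is never written to the table. The caveat a practitioner would want is also shown: an unkeyed SHA-256 of a low-entropy field such as an email address can be recovered by a dictionary attack, whereas HMAC-SHA256 with a key held outside the database (for example in a secrets manager) keeps the same lookup semantics and defeats that attack.

```python
import hashlib
import hmac
from typing import Dict, Iterable, Optional, Set

# Constructed sample data (not from the page): a user table whose sensitive
# column is an email address. Payloads are the non-sensitive columns.
SAMPLE_ROWS = {
    "alice@example.com": {"plan": "enterprise", "seats": 25},
    "bob@example.com": {"plan": "free", "seats": 1},
}

# Hypothetical key held outside the database; a real deployment would
# generate it with secrets.token_bytes(32) and store it in a secrets manager.
DEMO_KEY = b"\x01" * 32


def sha256_hex(value: str) -> str:
    """Unkeyed SHA-256 of a field value, hex encoded."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def hmac_sha256_hex(key: bytes, value: str) -> str:
    """Keyed SHA-256 (HMAC) of a field value: same length, same equality semantics."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


class HashedColumnTable:
    """Stores only the digest of the sensitive column.

    Lookups hash the query value the same way before comparing, so equality
    queries work while the plaintext never reaches the table.
    """

    def __init__(self, key: Optional[bytes] = None) -> None:
        self.key = key
        self.rows: Dict[str, dict] = {}  # digest -> non-sensitive payload

    def digest(self, value: str) -> str:
        if self.key is None:
            return sha256_hex(value)
        return hmac_sha256_hex(self.key, value)

    def insert(self, sensitive_value: str, payload: dict) -> None:
        self.rows[self.digest(sensitive_value)] = payload

    def lookup(self, sensitive_value: str) -> Optional[dict]:
        return self.rows.get(self.digest(sensitive_value))


def dictionary_attack(stored_hashes: Set[str], candidates: Iterable[str]) -> Dict[str, str]:
    """Recover plaintexts behind unkeyed SHA-256 digests by hashing guesses.

    Works against the unkeyed table because anyone can compute SHA-256 of a
    guess; fails against the keyed table because the attacker lacks the key.
    """
    recovered: Dict[str, str] = {}
    for guess in candidates:
        h = sha256_hex(guess)
        if h in stored_hashes:
            recovered[h] = guess
    return recovered


def build_tables():
    """Populate one unkeyed and one keyed table with the constructed sample rows."""
    unkeyed = HashedColumnTable()
    keyed = HashedColumnTable(key=DEMO_KEY)
    for email, payload in SAMPLE_ROWS.items():
        unkeyed.insert(email, payload)
        keyed.insert(email, payload)
    return unkeyed, keyed


if __name__ == "__main__":
    unkeyed, keyed = build_tables()
    guesses = ["alice@example.com", "carol@example.com", "bob@example.com"]
    print("lookup (unkeyed):", unkeyed.lookup("alice@example.com"))
    print("lookup (keyed):  ", keyed.lookup("alice@example.com"))
    print("recovered from unkeyed table:", dictionary_attack(set(unkeyed.rows), guesses))
    print("recovered from keyed table:  ", dictionary_attack(set(keyed.rows), guesses))
```

Both tables answer the same equality lookup, but only the unkeyed table gives up its plaintexts to a guess list. If the hashed column must also support prefix or range queries, hashing of any kind will not work and a different control (such as column-level encryption with a key outside the database) is needed.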
How are backups managed? What encryption is used? How are they destroyed when they are no longer needed?
Automated snapshots and backups are made with AWS CloudEndure and are destroyed systematically in accordance with policy.