Our commitment to security, privacy, and compliance makes us a trusted partner for enterprises worldwide.
Page last updated: 3 May 2025
- Zero security incidents in the past 4 years
- 100% local processing: customer data never leaves your firewall
- Trusted by 600+ companies across every regulated industry
Karate is a local solution, not a cloud-hosted SaaS offering. When using Karate for test automation, customer data never leaves the customer firewall.
This is one of our biggest differentiators and has been a primary driver for companies migrating from SaaS test automation providers to Karate. Only billing (Stripe) and SSO authentication (WorkOS, Google, Microsoft) are delegated to industry-standard cloud providers — and enterprise customers can opt for offline license activation to avoid even those outbound calls.
01 · Architecture
Karate open source, IDE plugins, Xplorer, and Karate Agent all run locally on the user's machine or inside your infrastructure. Nothing is hosted on our cloud.
Karate Labs does not store any customer test data, application data, or screenshots. All data stays inside your network at all times.
Enterprise customers can activate licenses offline — no outbound calls required for validation. Suitable for fully air-gapped environments.
02 · Vulnerability Management
Karate is released as a Java package via Maven Central infrastructure. Releases are blocked if critical vulnerabilities are present. We have been successfully releasing to Maven Central since 2017. See all releases →
GitHub's automated dependency scanning continuously checks the repository for known vulnerabilities and deprecated dependencies. GitHub auto-provides pull requests for most remediations, enabling minute-level response times to CVE disclosures.
Customers use solutions like Snyk to scan their code, tools, artifacts, and Docker containers. When a scan flags an issue with Karate, we are notified quickly, often with a PR attached. Example: Log4J issue →
For cases where users cannot wait for an official release, Karate allows dependency overrides. Enterprise users have successfully mitigated CVEs by declaring newer dependency versions in their own POM files. Example: High CVEs in Karate core →
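As an added illustration of the dependency-override approach described above (an example written for this page, not Karate Labs' own documentation), a Maven pom.xml fragment that pins a transitive dependency to a patched release; the flagged artifact coordinates and the version numbers are placeholders:

```xml
<project>
  <!-- Added example, not from Karate Labs. The flagged artifact and all
       version values below are placeholders: substitute the coordinates
       and fixed version reported by your scanner (e.g. Snyk, Dependabot). -->
  <dependencyManagement>
    <dependencies>
      <!-- A version declared in dependencyManagement takes precedence over
           the version that Karate pulls in transitively, so the build
           resolves the patched release without waiting for a new Karate. -->
      <dependency>
        <groupId>org.example</groupId>           <!-- placeholder groupId -->
        <artifactId>flagged-library</artifactId> <!-- placeholder artifactId -->
        <version>PATCHED_VERSION</version>       <!-- placeholder version -->
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- Karate itself; com.intuit.karate is the groupId used on Maven Central -->
    <dependency>
      <groupId>com.intuit.karate</groupId>
      <artifactId>karate-junit5</artifactId>
      <version>KARATE_VERSION</version>          <!-- placeholder version -->
      <scope>test</scope>
    </dependency>
  </dependencies>
</project>
```

Confirm the override took effect with `mvn dependency:tree -Dincludes=org.example:flagged-library`, which should list only the patched version, then rerun the scanner and the test suite, since a forced upgrade can break API compatibility.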
IDE plugins undergo stringent checks by JetBrains and Microsoft when published to their respective marketplaces.
All vulnerabilities affecting the security of our software are disclosed publicly via GitHub Security Advisories and Sonatype.
03 · Security Controls
| Control | Status | Notes |
|---|---|---|
| Secure source control (GitHub) | Yes | Industry standard |
| Antivirus + file integrity monitoring | Yes | Internal systems |
| Logging and audit trails | Yes | Internal systems |
| Principle of least privilege | Yes | License tier enforces feature access |
| SAML SSO for enterprise customers | Yes | Via WorkOS. Okta, Azure AD, Ping supported. Offline activation optional. |
| Customer data stored | None | Local-first architecture |
| AI / ML on customer data | None | Not applicable |
| Data shared with 4th parties | None | Not applicable |
| OWASP web application standards | N/A | Products run on desktop, not as web applications |
04 · Third-Party Providers
Karate Labs does not store customer application data. Supporting services (billing, identity) are delegated to industry-standard providers, each with their own security program.
Stripe: payment processing and subscription management. Stripe security documentation →
WorkOS: identity and SAML SSO for enterprise customers. Supports Okta, Azure AD, Ping, and other IdPs. Offline activation available.
Google: OAuth flows for Google Workspace authentication.
Microsoft: OAuth flows for Microsoft / Entra ID authentication.
No customer application or test data flows through any of these providers. They handle billing and identity only.
05 · Regulatory Compliance
Because Karate Labs does not collect or store customer application data, most consumer data regulations are either satisfied by default or not applicable. Details below.
| Regulation | Status | Notes |
|---|---|---|
| CCPA (California) | Compliant | See Privacy Policy |
| CTA (Colorado) | Compliant | — |
| NYDFS (New York) | Not applicable | We do not collect personal resident data |
| CTDPA (Connecticut) | Not applicable | We do not collect personal resident data |
| VCDPA (Virginia) | Not applicable | We do not collect personal resident data |
| UCPA (Utah) | Exempt | Small business exemption |
Karate Labs does not sell any data for direct marketing purposes.
06 · Incident Response & Disclosure
Security incidents to date: none.
Well-defined internal processes for detection, response, and notification. Because Karate Labs does not store customer application data, the customer-impact surface is minimal.
Cybersecurity teams can request access and activity audits. Costs for any such audit are borne by the requesting customer and arranged as part of the enterprise contract.
07 · Business Continuity
Two dimensions: our own business continuity, and our role as a software provider.
All business data backed up via Microsoft OneDrive. Supporting providers (Stripe, WorkOS, Google, Microsoft Azure) maintain their own DR programs.
Because Karate runs locally on customer infrastructure, customers follow their own DR and business continuity controls for their Karate deployment. There is no dependency on Karate Labs cloud services.
Software availability is not dependent on Karate Labs uptime. Once activated (including offline activation), Karate operates entirely within your infrastructure.
08 · Updates & Patching
Update via Maven or Gradle build configuration, or download binary artifacts directly. Release notes on GitHub →
By default, new versions install automatically. Users or organizations can disable this. Rollback to any previous version is supported at any time.
Plugins are not installed automatically by default. Users choose which updates to install. Rollback supported at any time.
Both marketplaces have review and approval processes before publication.
09 · Resources & Downloads
Full security posture with responses to vendor questionnaires. PDF, 15 pages.
Detailed answers to common enterprise security questions. PDF, 14 pages.
83 questions enterprise teams ask during tool evaluation, answered in public.
Live feed of security advisories and responses for the Karate open source framework.
Continuous vulnerability scan of the latest Karate release on Maven Central.
Per-release SBOM PDF published with every Karate release on GitHub.
10 · Responsible Disclosure
We welcome responsible disclosure of security vulnerabilities. Two channels:
By email. Subject line: “Security — [brief summary]”. Include reproduction steps and impact assessment.
Via GitHub Security Advisories. Preferred for open source framework vulnerabilities. GitHub handles CVE reservation and coordinated disclosure.
We publicly disclose confirmed vulnerabilities after remediation. No bounty program at this time; researchers are credited in the advisory.
We’re happy to share NDA-free documentation, complete your security questionnaire, or join a call with your security team.