
Trust & Security

Your data stays on your network. Karate runs locally on developer machines and in your CI infrastructure — there is no Karate Labs cloud in the test execution path.

This page documents the architecture choices, security controls, third-party relationships, and compliance posture that make Karate suitable for regulated industries.

Architecture: how Karate works

  • 100% local processing. Test data, application data, and screenshots stay on the customer's machine or CI runner — Karate Labs never receives them.
  • Runs on user desktops and CI. Karate is a local binary plus an SDK, not a cloud-hosted SaaS. There is no managed runtime.
  • No customer-data storage. Karate Labs does not store test data, application data, or screenshots on its infrastructure.
  • Offline license activation is available for air-gapped environments. See Offline License (IntelliJ) or Offline License (VS Code).

Vulnerability management

  • Public distribution. Karate is released via Maven Central. Release jobs are blocked if any critical vulnerability is detected during the build.
  • Continuous scanning. Dependencies are scanned continuously through GitHub Dependabot. Fixes are released as patch versions.
  • Community reporting. Because 600+ enterprises run Karate, the base of users who notice and report problems is large: issues are reported back to Karate Labs and fixed in the open.
  • Customer overrides. Users can override any transitive dependency version through Maven or Gradle.
  • Disclosure. Vulnerabilities are disclosed publicly through GitHub Security Advisories once a fix is available.

Third-party providers

Karate Labs uses a small set of external providers — none of which see customer test data, application data, or test results.

Provider           | Used for                    | Customer data flow
Stripe             | Billing and subscriptions   | Billing identity only; no test or application data
WorkOS             | SSO / identity (Enterprise) | Identity only
Google / Microsoft | OAuth sign-in               | Identity only

Test execution and customer data never flow through these providers.

Regulatory compliance

Regulation                             | Status
CCPA (California Consumer Privacy Act) | Compliant
CTA (Colorado)                         | Compliant
NYDFS                                  | Not applicable: Karate Labs does not collect personal data of resident customers
CTDPA (Connecticut)                    | Not applicable: same reason
VCDPA (Virginia)                       | Not applicable: same reason
UCPA (Utah)                            | Exempt under the small-business exemption

Because Karate runs locally and Karate Labs does not handle customer test or application data, several regulations are not applicable.

Incident response & responsible disclosure

  • Zero security incidents affecting customer data in the last 4 years of operation.
  • Karate Labs follows a responsible-disclosure process for vulnerabilities reported by researchers or customers. Report vulnerabilities to security@karatelabs.io.
  • Where applicable, advisories are posted to GitHub Security Advisories with reproduction steps redacted until a fix is published.

Business continuity

Because Karate runs locally and customers control their own deployment:

  • Software availability is not dependent on Karate Labs uptime. A Karate Labs outage does not stop you from running tests.
  • License activation is the only Karate Labs–dependent operation. Once a session is activated, the IDE plugins and CLI continue to work offline for the full session length.
  • Offline licenses (Enterprise tier) eliminate the activation dependency entirely.

Updates and patching

You control when to upgrade. None of the components self-update:

Component         | Update mechanism      | How you upgrade
Karate framework  | Maven Central         | You pin the version in pom.xml / build.gradle and bump it when you choose
Karate CLI        | Self-installed binary | You re-run "Karate: Setup" in VS Code, or download a new release
VS Code extension | VS Code Marketplace   | Standard VS Code extension update flow
IntelliJ plugin   | JetBrains Marketplace | Standard JetBrains plugin update flow

Patch versions follow semver — security fixes are released as patches, never as breaking changes.
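The two build-side controls this page describes, pinning the Karate framework version (the "Updates and patching" table) and overriding a transitive dependency version when a fix lands before a Karate patch release (the "Customer overrides" bullet under "Vulnerability management"), are both expressed in the consuming project's pom.xml. The fragment below is an added illustration, not a file from the Karate project or its documentation. The groupId/artifactId of Karate, the transitive dependency chosen (org.apache.httpcomponents:httpclient) and every version number are assumptions for illustration only; take the real coordinates and current versions from Maven Central and the Karate release notes.

```xml
<!-- pom.xml fragment (added example, not Karate project code).
     Coordinates and versions below are assumed for illustration. -->
<project>
  <properties>
    <!-- Pin Karate explicitly: nothing self-updates, so this is the only
         place the version changes, and only when you bump it. -->
    <karate.version>1.5.0</karate.version>
    <!-- Version of a transitive dependency you want to force, e.g. after
         an upstream security fix that Karate has not yet shipped. -->
    <httpclient.version>4.5.14</httpclient.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- A managed version takes precedence over the version any
           transitive dependency would otherwise resolve to, so this
           overrides what karate-core pulls in without forking Karate. -->
      <dependency>
        <groupId>org.apache.httpcomponents</groupId>
        <artifactId>httpclient</artifactId>
        <version>${httpclient.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>com.intuit.karate</groupId>
      <artifactId>karate-junit5</artifactId>
      <version>${karate.version}</version>
      <scope>test</scope>
    </dependency>
  </dependencies>
</project>
```

Verify the override actually took effect with `mvn dependency:tree -Dincludes=org.apache.httpcomponents` and confirm the printed version matches the one you forced; an override that is silently shadowed by a closer declaration is a common way to believe a fix is in place when it is not. The Gradle equivalent is `configurations.all { resolutionStrategy.force 'group:artifact:version' }` in build.gradle. The flip side of pinning is that a pinned build stays on an affected release until you bump the pin, so watch the GitHub Security Advisories this page references and treat each patch release as a deliberate upgrade task rather than something that arrives on its own.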
