Protect user data privacy

This document provides details on how our data filtering mechanisms work to protect user privacy in Katalon test case generation.

Protecting user privacy is important to us at Katalon. While our TrueTest Agent tracks user interactions to generate test cases and build a user journey map, we understand that some of this data may be sensitive and could pose privacy concerns. To address this, we have implemented data filtering mechanisms to remove sensitive information before processing the data.

Types of data filtered

The following is a list of filtered data types and examples:

Data type	Risk	Example
Social security numbers	These are unique identifiers for individuals and can be used for identity theft or fraud if obtained by unauthorized individuals.	123-45-6789
Email addresses	These can contain personal information and can be used for spam or phishing attacks if obtained by unauthorized individuals.	john.doe@email.com
Pv4 and IPv6 addresses	These can be used to track a user's location or identify their device, which can be a privacy concern for some users.	IPv4 addresses: 192.168.0.1 IPv6 addresses: 2001:0db8:85a3:0000:0000:8a2e:0370:7334
Phone numbers	These can be used for spam or scam calls if obtained by unauthorized individuals.	(123) 456-7890
Zip codes	These can be used to infer a user's location and potentially identify them, which can be a privacy concern for some users.	90210
Credit card information: Card number Card expiration date Card CVC	These can be used to make unauthorized transactions, commit identity theft, or engage in financial fraud.	4242424242424242 02/27 123
Password	These can be used to gain unauthorized access to accounts, steal sensitive information, and potentially engage in identity theft or fraudulent activities

How data is filtered

TrueTest Agent applies several techniques and methods to remove sensitive data from the captured user interaction data.

Regular expressions

In the beta release of TrueTest, the agent uses regular expressions to filter data.

Regular expressions, or regex, are patterns that define a search rule for text. TrueTest Agent uses regex to match and remove sensitive data that matches certain patterns, such as social security numbers, email addresses, IP addresses, phone numbers, and zip codes.

socialNumber = '^(?!0{3})(?!6{3})[0-8]\d{2}-(?!0{2})\d{2}-(?!0{4})\d{4}$' 
simpleEmail = '[^@ \t\r\n]+@[^@ \t\r\n]+\.[^@ \t\r\n]+' 
ipv4 = '(\b25[0-5]|\b2[0-4][0-9]|\b[01]?[0-9][0-9]?)(\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3}' 
ipv6 = '(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))' 
phoneNumber = '^[\+]?[(]?[0-9]{3}[)]?[-\s\.]?[0-9]{3}[-\s\.]?[0-9]{4,6}$' 
zipCode = '/^[0-9]{5}(?:-[0-9]{4})?$/'

Autocomplete

TrueTest Agent will remove the credit card number, its expiration date and CVC by detecting the "cc-" prefix in those information.

CREDIT_CARD_NUMBER: 'cc-number'
CREDIT_CARD_EXP: 'cc-exp'
CREDIT_CARD_CVC: 'cc-csc'

Password type

TrueTest Agent will remove passwords by detecting the "password" type in the "input" field within HTML form.

<form>
  <label for="passwordField">Password:</label>
  <input type="password" id="passwordField" name="password">
  <input type="submit" value="Submit">
</form>

Exclusion list

TrueTest Agent allows users to define elements or properties that should be excluded from data capture. This can be done by specifying a CSS class named katalon-excluded to the UI elements.

Data privacy compliance

TrueTest Agent is committed to complying with the General Data Protection Regulation (GDPR) and has taken the following actions to ensure data privacy:

• Transparency: In the closed beta version, TrueTest Agent transparently informs users about what specific sensitive data is excluded or anonymized via verbal communication as acknowledgment. If users feel their application under test (AUT) does not contain sensitive data, they can try the feature.

• User control: TrueTest Agent allows users to request a complete deletion of all tracked data and to stop using the feature if they do not trust the data privacy compliance.

• Security monitoring: The internal Security team plays the Data Protection Officer (DPO) role to monitor the data and ensure compliance with GDPR requirements. The team conducts periodic penetration testing and security reviews to identify and address data privacy vulnerabilities.

By implementing these measures, TrueTest Agent is committed to protecting user data and complying with GDPR requirements.