Corbado services are designed, developed, monitored, and updated with security at our core to protect you and your customers' data and privacy.
At Corbado, we believe that robust security is built on a foundation of thoughtful architectural decisions and disciplined development processes. We follow a structured System Development Lifecycle (SDLC) to ensure that security is integrated into every phase, from planning and design through development, testing, deployment, and ongoing maintenance.
Our key architectural and development practices include:
As an organization pursuing ISO 27001 certification, we have implemented a comprehensive Information Security Management System (ISMS). This framework governs our approach to ensuring the confidentiality, integrity, and availability of all data we handle, under the oversight of our Chief Information Security Officer (CISO).
Our key information security practices include:
Corbado is committed to robust data security principles throughout the entire data lifecycle. We leverage WebAuthn, which utilizes public-key cryptography, making the server-side storage of traditional end-user passwords obsolete and significantly enhancing protection against credential theft.
Beyond passkeys, any other confidential data is protected using state-of-the-art hashing and encryption algorithms to ensure that even if unauthorized access to stored data were to occur, the information would be indecipherable.
Furthermore, we implement strict controls for the handling of data in all environments. This includes measures such as:
Corbado is deeply committed to data protection and privacy, recognizing that user data embodies the trust placed in our systems. Our approach to GDPR compliance is rooted in robust data governance and security practices implemented throughout our operations.
To specifically support our GDPR commitments and those of our clients, we host our European self-service solution within data centers located in Germany. This ensures that relevant user data is processed and stored in an environment designed to meet GDPR requirements for data sovereignty and security.
Our adherence to principles such as data minimization, purpose limitation, secure data handling (as detailed in our Data Security practices), and maintaining records of processing activities further underpins our GDPR compliance strategy.
Corbado's infrastructure security relies on robust cloud platforms and adherence to strict operational practices, including the logical separation of development, staging, and production environments with distinct access controls and security configurations for each.
For our self-service solution tailored for developers and small to medium-sized businesses (Corbado Complete), we leverage highly available and secure cloud infrastructure to ensure services are always available and securely delivered. Key aspects of this infrastructure include:
Each server in this setup is monitored 24/7, and in the event of problems, automated alerts are sent via SMS and e-mail. Monitoring is handled by the external service provider Serverguard24 GmbH. All Corbado hardware and networking is routinely updated and audited to ensure systems are secure and that least-privilege access is followed. Additionally, we implement robust logging and audit protocols that give high visibility into system use. For more details on getting started with this solution, please see our Getting Started documentation.
For larger enterprises with more complex requirements, our Corbado Connect solution offers customizable deployment options. These are designed to meet diverse security, compliance, and high-availability needs. More details can be found in our Corbado Connect Deployment Options documentation.
Key enterprise deployment models include:
Furthermore, Corbado's system architecture includes a fallback mechanism: if the passkey component is disrupted, authentication automatically falls back to traditional login methods, minimizing the impact on user workflows such as payments.
Corbado is committed to protecting the personal data of our customers and their end-users. We integrate privacy considerations into our System Development Lifecycle (SDLC), embracing privacy-by-design principles from the outset.
We have in place appropriate data security measures that meet industry standards, and regularly review and enhance our processes, products, documentation, and contracts to support our and our customers' compliance for the processing of personal data.
A core aspect of our approach is data minimization. All our services are constructed to avoid unnecessary data consumption. To make our core authentication services work, we typically only require the following data:
All other application-specific data that may be required for a service to run (e.g., user profile information beyond the identifier, application state) typically remains within your systems and data centers.
At Corbado, we apply rate limit policies on our APIs in order to protect your application and user management infrastructure, so your users have a frictionless, uninterrupted experience.
The current rate limit for all our API endpoints is a maximum of 50 requests per second. If this rate limit is exceeded, Corbado responds with HTTP status code 429 (Too Many Requests), and all requests coming from your IP address will be affected for 10 minutes. If your app triggers the rate limit, please refrain from making additional requests until that time has elapsed.
If the error does not resolve after the necessary waiting time, please reach out via Slack or contact@corbado.com to get further insights or to request a rate limit increase.
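As an added example (not part of Corbado's SDKs or documentation), the following client-side guard keeps an application under the 50-requests-per-second limit and, once a 429 is received, stops sending for the full 10-minute block instead of retrying into it. `transport` is an assumed callable standing in for the real HTTP call and only needs to return the status code.

```python
import time
from collections import deque

# Limits stated above: 50 requests per second, and a 429 blocks the
# client's IP for 10 minutes.
MAX_PER_SECOND = 50
COOLDOWN_SECONDS = 10 * 60


class RateLimitedClient:
    """Client-side guard for the documented limits.

    `transport(path)` is a hypothetical callable that performs the HTTP
    request and returns its status code; `clock` is injectable for tests.
    """

    def __init__(self, transport, clock=time.monotonic,
                 max_per_second=MAX_PER_SECOND):
        self.transport = transport
        self.clock = clock
        self.max_per_second = max_per_second
        self.sent = deque()        # timestamps of requests in the last second
        self.blocked_until = 0.0   # set when the server answers 429

    def _trim(self, now):
        # Drop timestamps older than the one-second window.
        while self.sent and now - self.sent[0] >= 1.0:
            self.sent.popleft()

    def request(self, path):
        """Returns (state, detail): ("ok", status), ("throttled", 0) when the
        local window is full, or ("cooldown", seconds_left) while blocked."""
        now = self.clock()
        if now < self.blocked_until:
            # The IP is already blocked; more requests only prolong the pain.
            return "cooldown", int(self.blocked_until - now)
        self._trim(now)
        if len(self.sent) >= self.max_per_second:
            # Hold back locally so the server never has to send a 429.
            return "throttled", 0
        self.sent.append(now)
        status = self.transport(path)
        if status == 429:
            # Honour the 10-minute block for every request from this IP.
            self.blocked_until = now + COOLDOWN_SECONDS
            return "cooldown", COOLDOWN_SECONDS
        return "ok", status
```

A caller that gets `"throttled"` should sleep briefly and retry; a caller that gets `"cooldown"` should wait the reported number of seconds before retrying.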
Here at Corbado, we take the security of our users' data and of our services seriously. As such, we encourage responsible security research on Corbado services and products. If you believe you've discovered a potential vulnerability, please let us know by emailing us at security@corbado.com. We will acknowledge your email within 2 business days. As public disclosures of a security vulnerability could put the entire Corbado community at risk, we ask that you keep such potential vulnerabilities confidential until we are able to address them. We aim to resolve critical issues within 30 days of disclosure. Please make a good faith effort to avoid violating privacy, destroying data, or interrupting or degrading the Corbado service. Please only interact with accounts you own or for which you have explicit permission from the account holder. While researching, please refrain from:
Security is a journey, not a destination. As part of our ISO 27001 certification process and our broader commitment to excellence, we continually review and improve our ISMS and security practices. This involves regular management reviews, internal and external audits, assessments, and incorporating feedback from stakeholders to adapt to emerging threats and ensure our customers' trust is well-placed.