Security & privacy

Corbado services are designed, developed, monitored, and updated with security at our core to protect you and your customers' data and privacy.

Architecture

At Corbado, we believe that robust security is built on a foundation of thoughtful architectural decisions and disciplined development processes. We follow a structured System Development Lifecycle (SDLC) to ensure that security is integrated into every phase, from planning and design through development, testing, deployment, and ongoing maintenance.

Our key architectural and development practices include:

  • Secure by Design: Integrating security and compliance considerations from the earliest stages of system design, ensuring that our architecture inherently supports our security goals.
  • Secure Coding Standards: Adherence to recognized secure coding standards (such as OWASP guidelines) and best practices to minimize vulnerabilities. This includes rigorous input validation and proper error/exception handling.
  • Code Quality and Reviews: Maintaining high standards for code quality, including mandatory peer code reviews and automated static code analysis to identify potential weaknesses.
  • Comprehensive Testing: Implementing extensive testing protocols, including unit, integration, user acceptance (UAT), and dedicated security testing (e.g., vulnerability scans) before any code is deployed.
  • Controlled Change Management: Employing a formal change management process to ensure that all modifications to our systems and infrastructure are systematically reviewed, tested, approved, and deployed, minimizing risk and ensuring stability.
  • Latest Web Standards: Utilizing current standards in web development, including robust encryption protocols like TLS 1.3, for secure data transmission.
  • Continuous Monitoring: Constant monitoring of our production services to detect and respond swiftly to any operational or security issues.

Information security

As an organization pursuing ISO 27001 certification, we have implemented a comprehensive Information Security Management System (ISMS). This framework governs our approach to ensuring the confidentiality, integrity, and availability of all data we handle, under the oversight of our Chief Information Security Officer (CISO).

Our key information security practices include:

  1. Policies and Governance: Our information security policies are founded on industry best practices and are actively communicated to all personnel. We ensure that employees understand their security responsibilities and adhere to stringent security protocols in their roles.
  2. Risk Management: We conduct regular, systematic risk assessments to proactively identify, analyze, and mitigate potential threats to data security, aligning our controls with frameworks like ISO 27001 Annex A.
  3. Data Encryption: Sensitive data is protected through encryption, both in transit and at rest, using state-of-the-art algorithms and key management practices to prevent unauthorized access.
  4. Incident Management: We maintain robust incident response plans and processes designed for rapid detection, effective containment, thorough investigation, and timely resolution of potential security breaches.
  5. Regular Audits and Reviews: Our security posture is continuously evaluated and improved through regular internal and external audits, management reviews, and assessments to ensure ongoing compliance and effectiveness against evolving standards and threats.

Data security

Corbado is committed to robust data security principles throughout the entire data lifecycle. We leverage WebAuthn, which utilizes public-key cryptography, making the server-side storage of traditional end-user passwords obsolete and significantly enhancing protection against credential theft.

Beyond passkeys, any other confidential data is protected using state-of-the-art hashing and encryption algorithms to ensure that even if unauthorized access to stored data were to occur, the information would be indecipherable.

Furthermore, we implement strict controls for the handling of data in all environments. This includes measures such as:

  • Prohibiting the use of sensitive production data (like PII or customer financial details) in non-production (development and testing) environments unless it has been appropriately anonymized or masked.
  • Enforcing access controls and segregation for test data, with specific authorizations required for any use of operational data copies, even if sanitized.
  • Securely deleting or disposing of test data once its purpose is fulfilled, in line with our data retention and secure deletion policies.

GDPR

Corbado is deeply committed to data protection and privacy, recognizing that user data embodies the trust placed in our systems. Our approach to GDPR compliance is rooted in robust data governance and security practices implemented throughout our operations.

To specifically support our GDPR commitments and those of our clients, we host our European self-service solution within data centers located in Germany. This ensures that relevant user data is processed and stored in an environment designed to meet GDPR requirements for data sovereignty and security.

Our adherence to principles such as data minimization, purpose limitation, secure data handling (as detailed in our Data Security practices), and maintaining records of processing activities further underpins our GDPR compliance strategy.

Infrastructure security

Corbado's infrastructure security relies on robust cloud platforms and adherence to strict operational practices, including the logical separation of development, staging, and production environments with distinct access controls and security configurations for each.

For our self-service solution tailored for developers and small to medium-sized businesses (Corbado Complete), we leverage highly available and secure cloud infrastructure to ensure services are always available and securely delivered. Key aspects of this infrastructure include:

  • Operation within Amazon Web Services data centers in Germany that comply with ISO 27001.
  • Redundant power and internet connections in all data centers to guard against outages.
  • Servers located primarily in Frankfurt (Germany), with 24/7 support.
  • Regular data backups are performed and tested, employing strategies like point-in-time recovery, to ensure data integrity and support business continuity.

Each server in this setup is monitored 24/7, and in the event of problems, automated alerts are sent via SMS and e-mail. Monitoring is handled by the external service provider Serverguard24 GmbH. All Corbado hardware and networking is routinely updated and audited to ensure systems are secure and that least-privilege access is enforced. Additionally, we implement robust logging and audit protocols that give high visibility into system use. For more details on getting started with this solution, please see our Getting Started documentation.

For larger enterprises with more complex requirements, our Corbado Connect solution offers customizable deployment options. These are designed to meet diverse security, compliance, and high-availability needs. More details can be found in our Corbado Connect Deployment Options documentation.

Key enterprise deployment models include:

  • Public Cloud (Shared AWS Instance): A cost-effective, fully managed environment for rapid deployment, where Corbado handles maintenance, security, and scaling.
  • Private Cloud (Dedicated AWS Instance): Provides full control over data residency, customized security policies, and network configuration, with several high-availability tiers:
    • Multi-AZ Single-Region: Runs in multiple Availability Zones (AZs) within one AWS region, handling single AZ failure.
    • Multi-AZ + Cross-Region Replica: Adds near real-time data replication to a secondary AWS region for enhanced data protection.
    • Geo Failover-Ready: Maintains a secondary region with replicated data and a cold application environment for rapid recovery (15-30 min RTO) in case of regional outages.

Furthermore, Corbado's system architecture includes a fallback mechanism ensuring that any disruption to the passkey component automatically reverts to traditional login methods, minimizing impact on user workflows like payments.

Privacy

Corbado is committed to protecting the personal data of our customers and their end-users. We integrate privacy considerations into our System Development Lifecycle (SDLC), embracing privacy-by-design principles from the outset.

We have in place appropriate data security measures that meet industry standards, and regularly review and enhance our processes, products, documentation, and contracts to support our and our customers' compliance for the processing of personal data.

A core aspect of our approach is data minimization. All our services are built to avoid collecting unnecessary data. To make our core authentication services work, we typically require only the following data:

  • An identifier chosen by the user or application (e.g., username, UUID, phone number, email address).
  • IP address (processed temporarily, primarily for security aspects like rate limiting).
  • User agent (primarily for device management and security).

All other application-specific data that may be required for a service to run (e.g., user profile information beyond the identifier, application state) typically remains within your systems and data centers.

Rate limiting

At Corbado, we apply rate limit policies on our APIs in order to protect your application and user management infrastructure, so that your users have a frictionless, uninterrupted experience.

The current rate limit for all our API endpoints is a maximum of 50 requests per second. If this limit is exceeded, Corbado responds with HTTP status code 429 (Too Many Requests), and all requests coming from your IP address are affected for 10 minutes. If your app triggers the rate limit, please refrain from making additional requests until that time has elapsed.

If the error does not resolve after the necessary waiting time, please reach out via Slack or contact@corbado.com to get further insights or to request a rate limit increase.
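The following client-side guard is an added example, not Corbado's own SDK code: it keeps a caller under the 50 requests/second limit stated above with a token bucket and, once a 429 is received, stops sending for the documented 10-minute block instead of retrying into it. The `RateLimitGuard` class and the injectable `send` and `clock` callables are hypothetical helpers introduced here.

```python
import time
from typing import Callable, Optional, Tuple

LIMIT_PER_SECOND = 50      # documented limit for all API endpoints
BLOCK_SECONDS = 10 * 60    # documented IP-wide block after a 429


class RateLimitGuard:
    """Token bucket under the documented limit; hard stop after a 429 (hypothetical helper)."""

    def __init__(self, clock: Callable[[], float] = time.monotonic) -> None:
        self.clock = clock
        self.tokens = float(LIMIT_PER_SECOND)   # bucket starts full
        self.last_refill = clock()
        self.blocked_until = 0.0

    def _refill(self) -> None:
        now = self.clock()
        self.tokens = min(float(LIMIT_PER_SECOND),
                          self.tokens + (now - self.last_refill) * LIMIT_PER_SECOND)
        self.last_refill = now

    def seconds_until_allowed(self) -> float:
        """0.0 if a request may go out now, otherwise how long to wait."""
        now = self.clock()
        if now < self.blocked_until:          # still inside the 10-minute block
            return self.blocked_until - now
        self._refill()
        if self.tokens >= 1.0:
            return 0.0
        return (1.0 - self.tokens) / LIMIT_PER_SECOND

    def request(self, send: Callable[[], int]) -> Tuple[Optional[int], float]:
        """Call send() (returns an HTTP status) only when allowed; returns (status or None, wait)."""
        wait = self.seconds_until_allowed()
        if wait > 0.0:
            return None, wait
        self.tokens -= 1.0
        status = send()
        if status == 429:
            # The block covers every request from this IP for 10 minutes,
            # so retrying would only prolong it: stop sending instead.
            self.blocked_until = self.clock() + BLOCK_SECONDS
        return status, 0.0


if __name__ == "__main__":
    guard = RateLimitGuard()
    print(guard.request(lambda: 429))   # constructed 429 response: sent, block starts
    print(guard.request(lambda: 200))   # not sent: (None, ~600.0)
```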

Responsible disclosure program

Here at Corbado, we take the security of our users' data and of our services seriously. As such, we encourage responsible security research on Corbado services and products. If you believe you've discovered a potential vulnerability, please let us know by emailing us at security@corbado.com. We will acknowledge your email within 2 business days. As public disclosures of a security vulnerability could put the entire Corbado community at risk, we ask that you keep such potential vulnerabilities confidential until we are able to address them. We aim to resolve critical issues within 30 days of disclosure. Please make a good faith effort to avoid violating privacy, destroying data, or interrupting or degrading the Corbado service. Please only interact with accounts you own or for which you have explicit permission from the account holder. While researching, please refrain from:

  • Distributed Denial of Service (DDoS)
  • Spamming
  • Social engineering or phishing of Corbado employees or contractors
  • Any attacks against Corbado's physical property or data centers

Thank you for helping to keep Corbado and our users safe!

Continuous improvement

Security is a journey, not a destination. As part of our ISO 27001 certification process and our broader commitment to excellence, we continually review and improve our ISMS and security practices. This involves regular management reviews, internal and external audits, assessments, and incorporating feedback from stakeholders to adapt to emerging threats and ensure our customers' trust is well-placed.