Security & privacy

Corbado services are designed, developed, monitored, and updated with security at our core to protect you and your customers’ data and privacy.

Architecture

We consider architectural decisions essential to software quality, which is why we weigh architectural changes to our system carefully. We use the latest standards in web development, including TLS 1.3, to ensure that passwords and other sensitive data are transmitted securely. We hold ourselves to very high standards of code quality and maintainability so that bugs do not go undetected. In addition to extensive testing, new code is reviewed by multiple reviewers and must pass vulnerability scans before it is accepted. Our production services are also monitored constantly to ensure a fast response if something goes wrong.

Data security

We embrace WebAuthn, which uses public-key cryptography and makes server-side storage of end-user secrets such as passwords obsolete. We still use state-of-the-art hashing and encryption algorithms for other confidential data, so that even if an attacker gains access to the data, they will not be able to decipher it.

GDPR

We take data protection and privacy very seriously because user data embodies trust in a software system, which is a company’s foundation. That’s why we decided to host our entire solution in Germany with German data centers. Therefore, we can ensure that user data is kept in a secure and GDPR-compliant environment.

Infrastructure

Corbado leverages highly available and secure cloud infrastructure to ensure that our services are always available and securely delivered. Corbado's services are operated in uvensys GmbH's data centers in Germany and comply with ISO standard 27001. All data centers have redundant power and internet connections to avoid failure. The main location of the servers used is in Linden and offers 24/7 support.

We do not use any AWS, GCP or Azure services.

Each server is monitored 24/7 and in the event of problems, automated information is sent via SMS and e-mail. The monitoring is done by the external service provider Serverguard24 GmbH.

All Corbado hardware and networking is routinely updated and audited to ensure systems are secure and that least privileged access is followed. Additionally, we implement robust logging and audit protocols that allow us high visibility into system use.

Privacy

Corbado is committed to protecting the personal data of our customers and their customers. Corbado has in place appropriate data security measures that meet industry standards. We regularly review and enhance our processes, products, documentation, and contracts to support our and our customers’ compliance in the processing of personal data. We try to minimize the use and processing of personally identifiable information, so all our services are built to avoid unnecessary data consumption. To make our services work, we only require the following data:
  • any kind of identifier (e.g. UUID, phone number, email address)
  • IP address (only temporarily for rate limiting aspects)
  • User agent (for device management)
All other data required to run your service stays where it is now (i.e. in your current data centers).

Rate limiting

At Corbado, we apply rate limit policies on our APIs to protect your application and user management infrastructure, so that your users have a frictionless, uninterrupted experience.

The current rate limit for all our API endpoints is a maximum of 10 requests per second. If this rate limit is exceeded, Corbado responds with HTTP status code 429 (Too Many Requests), and all requests coming from your IP address are affected for 10 minutes. If your app triggers the rate limit, please refrain from making additional requests until that time has elapsed.
If the error does not resolve after the necessary waiting time, follow the steps below:
  1. Review request logs in the Corbado developer panel for more information about which limits are being reached.
  2. Reach out via Slack or contact@corbado.com to get further insights or to request a rate limit increase.
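The following is an added example, not Corbado's own code, that simulates the policy described above (10 requests per second, HTTP 429, the IP affected for 10 minutes) next to a client-side pacer that stays under the limit and backs off correctly after a 429. The server model (a per-IP sliding one-second window) and the IP address are assumptions made for the simulation; the page does not describe how the limit is implemented. Times are integer milliseconds on a virtual clock, so the example runs offline and deterministically.

```python
# Added example (not Corbado's code): simulation of the documented rate-limit
# policy plus a client that respects it. The sliding-window server model is an
# assumption; only the numbers (10 req/s, 429, 10-minute block) come from the page.
from collections import deque

RATE_LIMIT_PER_SECOND = 10          # stated on the page
BLOCK_MS = 10 * 60 * 1000           # stated on the page: 10 minutes
CLIENT_IP = "198.51.100.7"          # constructed sample value (documentation range)


class SimulatedRateLimiter:
    """Server side: per-IP sliding one-second window (assumed model of the policy)."""

    def __init__(self, limit=RATE_LIMIT_PER_SECOND, block_ms=BLOCK_MS):
        self.limit = limit
        self.block_ms = block_ms
        self._windows = {}        # ip -> deque of request timestamps (ms) in the last second
        self._blocked_until = {}  # ip -> time (ms) until which every request gets 429

    def handle(self, ip, now_ms):
        """Return the HTTP status code for one request from `ip` at `now_ms`."""
        if self._blocked_until.get(ip, 0) > now_ms:
            return 429                       # still inside the 10-minute block
        window = self._windows.setdefault(ip, deque())
        while window and now_ms - window[0] >= 1000:
            window.popleft()                 # drop requests older than one second
        if len(window) >= self.limit:
            # 11th request within a second: reject and block the IP for 10 minutes
            self._blocked_until[ip] = now_ms + self.block_ms
            return 429
        window.append(now_ms)
        return 200


class PacedClient:
    """Client side: a fixed-interval pacer that never exceeds `rate` requests per
    second and, after a 429, waits out the block period before sending again."""

    def __init__(self, rate_per_second=RATE_LIMIT_PER_SECOND, block_ms=BLOCK_MS):
        self.interval_ms = 1000 // rate_per_second   # 100 ms between sends at 10 req/s
        self.block_ms = block_ms
        self.next_allowed_ms = 0
        self.paused_until_ms = 0

    def send(self, server, ip, wanted_at_ms):
        """Send one request no earlier than the pacer and any back-off allow.
        Returns (actual_send_time_ms, status)."""
        send_at = max(wanted_at_ms, self.next_allowed_ms, self.paused_until_ms)
        status = server.handle(ip, send_at)
        self.next_allowed_ms = send_at + self.interval_ms
        if status == 429:
            self.paused_until_ms = send_at + self.block_ms
        return send_at, status


def burst_demo(n=11):
    """Naive client: n requests fired at the same instant. Returns the status codes."""
    server = SimulatedRateLimiter()
    return [server.handle(CLIENT_IP, 0) for _ in range(n)]


def block_duration_demo():
    """After a burst trips the limit, the IP stays blocked for the full 10 minutes."""
    server = SimulatedRateLimiter()
    for _ in range(RATE_LIMIT_PER_SECOND + 1):
        server.handle(CLIENT_IP, 0)
    return (
        server.handle(CLIENT_IP, 5_000),          # 5 s later: still blocked
        server.handle(CLIENT_IP, BLOCK_MS - 1),   # 1 ms before expiry: still blocked
        server.handle(CLIENT_IP, BLOCK_MS),       # block expired: served again
    )


def paced_demo(n=30):
    """Paced client asking for n requests at once: all are served, none get 429."""
    server = SimulatedRateLimiter()
    client = PacedClient()
    return [client.send(server, CLIENT_IP, 0)[1] for _ in range(n)]


def backoff_demo():
    """A paced client that meets a 429 (because a second, naive process on the same
    IP burst first) waits out the block instead of retrying immediately."""
    server = SimulatedRateLimiter()
    for _ in range(RATE_LIMIT_PER_SECOND + 1):
        server.handle(CLIENT_IP, 0)             # naive process trips the limit
    client = PacedClient()
    first = client.send(server, CLIENT_IP, 1)   # gets 429
    second = client.send(server, CLIENT_IP, 2)  # deferred until the block ends
    return first, second


if __name__ == "__main__":
    print(burst_demo())
    print(block_duration_demo())
    print(paced_demo())
    print(backoff_demo())
```

The point of the two client behaviours is that the naive burst loses the whole 10-minute window for every request from that IP, while the paced client sends the same 30 requests over three seconds without ever seeing a 429; the back-off case shows that a client which does get a 429 should stop sending for the full block period rather than retrying at its usual interval, because every retry inside the block is rejected anyway.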

Responsible disclosure program

Here at Corbado, we take the security of our users’ data and of our services seriously. As such, we encourage responsible security research on Corbado services and products. If you believe you have discovered a potential vulnerability, please let us know by emailing security@corbado.com. We will acknowledge your email within 2 business days. As public disclosure of a security vulnerability could put the entire Corbado community at risk, we ask that you keep such potential vulnerabilities confidential until we are able to address them. We aim to resolve critical issues within 30 days of disclosure. Please make a good-faith effort to avoid violating privacy, destroying data, or interrupting or degrading the Corbado service. Please only interact with accounts you own or for which you have explicit permission from the account holder. While researching, please refrain from:
  • Distributed Denial of Service (DDoS)
  • Spamming
  • Social engineering or phishing of Corbado employees or contractors
  • Any attacks against Corbado's physical property or data centers
Thank you for helping to keep Corbado and our users safe!