Infrastructure security

Corbado runs on highly available, secure cloud infrastructure so that our services are always available and securely delivered. Corbado’s services are operated in uvensys GmbH’s data centers in Germany, which comply with ISO 27001. All data centers have redundant power and internet connections to avoid single points of failure. The primary server location is Linden, which offers 24/7 support.

Each server is monitored 24/7; in the event of problems, automated alerts are sent via SMS and e-mail. Monitoring is performed by the external service provider Serverguard24 GmbH.

All Corbado hardware and networking is routinely updated and audited to ensure that systems are secure and that least-privilege access is enforced. Additionally, we implement robust logging and audit protocols that give us high visibility into system use.

Responsible disclosure program

Here at Corbado, we take the security of our users’ data and of our services seriously. As such, we encourage responsible security research on Corbado services and products. If you believe you have discovered a potential vulnerability, please let us know by emailing security@corbado.com. We will acknowledge your email within 2 business days. Because public disclosure of a security vulnerability could put the entire Corbado community at risk, we ask that you keep such potential vulnerabilities confidential until we are able to address them. We aim to resolve critical issues within 30 days of disclosure. Please make a good-faith effort to avoid violating privacy, destroying data, or interrupting or degrading the Corbado service. Please only interact with accounts you own or for which you have explicit permission from the account holder. While researching, please refrain from:

  • Distributed Denial of Service (DDoS)
  • Spamming
  • Social engineering or phishing of Corbado employees or contractors
  • Any attacks against Corbado’s physical property or data centers

Thank you for helping to keep Corbado and our users safe!

Rate limiting

At Corbado, we apply rate-limit policies on our APIs in order to protect your application and user-management infrastructure, so that your users have a frictionless, uninterrupted experience.

The current rate limit for all our API endpoints is a maximum of 10 requests per second. If this limit is exceeded, Corbado responds with HTTP status code 429 (Too Many Requests), and all further requests from your IP address are affected for the following 10 minutes. If your app triggers the rate limit, please refrain from making additional requests until that time has elapsed.

If you are integrating directly via the API, your code should handle this case by checking the status code of each response and recovering from a 429, for example by pausing before any further requests are sent.
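As an added illustration (not Corbado’s SDK or any code from this page), the following Python wrapper keeps a client under the 10 requests/second limit with a sliding window and, once a 429 is received, stops sending for the 10-minute block instead of retrying into it. `RateLimitedClient`, `demo`, the injected `send` callable and the `/example` path are assumed names; the clock is faked so the run completes instantly.

```python
import time
from collections import deque

RATE_LIMIT_PER_SEC = 10   # limit stated in the Corbado docs
BLOCK_SECONDS = 10 * 60   # per-IP block after a 429, as stated in the docs

class RateLimitedClient:
    """Hypothetical wrapper, not Corbado's SDK. `send(method, path)` does the HTTP call
    and returns (status_code, body); clock/sleep are injected so the logic is testable."""
    def __init__(self, send, clock=time.monotonic, sleep=time.sleep):
        self._send, self._clock, self._sleep = send, clock, sleep
        self._recent = deque()      # send times within the last second
        self._blocked_until = 0.0   # set once a 429 has been seen

    def _throttle(self):
        # Sliding one-second window: never exceed RATE_LIMIT_PER_SEC outbound requests.
        while True:
            now = self._clock()
            while self._recent and now - self._recent[0] >= 1.0:
                self._recent.popleft()
            if len(self._recent) < RATE_LIMIT_PER_SEC:
                self._recent.append(now)
                return
            self._sleep(1.0 - (now - self._recent[0]))

    def request(self, method, path):
        remaining = self._blocked_until - self._clock()
        if remaining > 0:   # the IP is still blocked: fail fast instead of sending
            raise RuntimeError(f"rate limited, retry in {remaining:.0f}s")
        self._throttle()
        status, body = self._send(method, path)
        if status == 429:   # Corbado blocks the IP for 10 minutes; stop sending for that long
            self._blocked_until = self._clock() + BLOCK_SECONDS
            raise RuntimeError("HTTP 429 received, pausing for 10 minutes")
        return status, body

def demo(n_requests=25, fail_at=None):
    """Constructed run: n requests against a fake API answering 200, or 429 on call fail_at."""
    t, calls, outcomes = [0.0], [], []          # t: simulated clock, advanced by fake sleep
    def fake_sleep(seconds): t[0] += seconds
    def fake_send(method, path):
        calls.append(t[0])
        return (429, "") if len(calls) == fail_at else (200, "{}")
    client = RateLimitedClient(fake_send, lambda: t[0], fake_sleep)
    for _ in range(n_requests):
        try:
            outcomes.append(client.request("GET", "/example"))
        except RuntimeError as err:
            outcomes.append(str(err))
    return t[0], outcomes   # (simulated seconds elapsed, per-request outcomes)
```

With a real clock, `demo` would take about two seconds for 25 requests because the throttle waits rather than letting the eleventh request in any second reach the API.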

If the error does not resolve after the necessary waiting time, follow the steps below:

  1. Review request logs in the Corbado developer panel for more information about which limits are being reached.
  2. Reach out via Slack or contact@corbado.com to get further insights or to request a rate limit increase.

Privacy

Corbado is committed to protecting the personal data of our customers and their customers. Corbado has appropriate data security measures in place that meet industry standards. We regularly review and enhance our processes, products, documentation, and contracts to support our own and our customers’ compliance when processing personal data.

We try to minimize the use and processing of personally identifiable information. Therefore, all our services are designed to avoid collecting data they do not need.

To make our services work, we only require the following data:

  • any kind of identifier (e.g. UUID, phone number, email address)
  • IP address (only temporarily for rate limiting aspects)
  • User agent (for device management)

All other data required to run your service stays where it is today (i.e. in your current data centers).