We Take Security Seriously

This page provides information about our security practices and contacting our team if you have questions or security reports.

Questions and answers

Bug Bounty  Bug Bounty

We welcome anyone that believes they have found a security issue in our websites, web applications, or the FusionAuth product itself, to submit them to us.

We regularly pay bug bounties for valid and verifiable submissions. Please follow these rules if you wish to submit a security report:

  • Email a complete description of the issue to
  • Include a working example or documentation of a working example (screenshots, scripts, code, etc)
  • Do not include a ransom or any suggested bounty amount. These are ignored and sometime peeve off the person reviewing the report.
  • Do not demand pre-payment.
  • Do not include a timeline.
  • Do not demand updates. We will always reply to valid submissions in a timely manner.
  • We require a minimum of 1-2 weeks to review the report and make a determination.
  • We require a minimum of 1-2 weeks to make any bug bounty payments.

Audits  Audits, Background Checks & Training

We perform regular security audits at every level of our organization from employees to our servers. We also review all changes to our source code for security issues.

We run complete background checks on all employees and contractors. This process is repeated each year.

All of our employees and contractors go through security training each year. We currently use ESET's security awareness training as part of this process.

SOC 2  SOC 2 Type 2

We are in the process of obtaining our SOC 2 Type 2 compliance. This process takes time, but we are happy to share our Gap Analysis and a certification from the CPA firm that is running our audit to paying customers with a signed NDA in place.


We are happy to sign BAA for companies that wish to leverage FusionAuth Cloud and need to comply with healthcare industry regulations.


FusionAuth can be deployed on any server, anywhere in the world. This makes it simple for companies to ensure FusionAuth complies with GDPR.

FusionAuth Cloud also allows companies to select the location for their FusionAuth Cloud deployment. This makes data localization simple.

We are also happy to sign a Data Processing Addendum with paying customers.

FusionAuth is Complete Auth for Any App

FusionAuth is a complete solution with no sacrifices.
We got this. Go build something awesome.