This page provides information about our security practices and explains how to contact our team if you have questions or security reports.
We welcome anyone who believes they have found a security issue in our websites, web applications, or the FusionAuth product itself to submit it to us.
We regularly pay bug bounties for valid and verifiable submissions. Please follow these rules if you wish to submit a security report:
We perform regular security audits at every level of our organization, from employees to our servers. We also review all changes to our source code for security issues.
We run complete background checks on all employees and contractors. This process is repeated each year.
All of our employees and contractors go through security training each year. We currently use ESET's security awareness training as part of this process.
We are in the process of obtaining our SOC 2 Type 2 compliance. This process takes time, but we are happy to share our Gap Analysis and a certification from the CPA firm that is running our audit with paying customers who have a signed NDA in place.
We are happy to sign a BAA for companies that wish to leverage FusionAuth Cloud and need to comply with healthcare industry regulations.
FusionAuth can be deployed on any server, anywhere in the world. This makes it simple for companies to ensure FusionAuth complies with GDPR.
FusionAuth Cloud also allows companies to select the location for their FusionAuth Cloud deployment. This makes data localization simple.
We are also happy to sign a Data Processing Addendum with paying customers.