Identity Data is Secure With Ory
We take security seriously
Ory is committed to offering secure, GDPR compliant, privacy-focused products.
ISO 27001 certified
ISO 27001 is an international standard for information security management systems (ISMS). It provides a systematic approach to managing sensitive information in an organization, ensuring the confidentiality, integrity, and availability of that information. ISO 27001 sets out a framework for establishing, implementing, maintaining, and continually improving an organization's information security management system. It includes risk assessment and management, security policies, controls, and ongoing monitoring and improvement processes.
SOC 2 Type 2 certified
SOC 2 Type 2 is a framework for assessing the security, availability, processing integrity, confidentiality, and privacy of data in service organizations. It is not a standard but a certification that demonstrates that an organization's internal controls and processes meet specific criteria. The Type 2 designation indicates that an independent auditor has evaluated and tested these controls over a period of time (typically three months to a year) to ensure they are effectively implemented. Current and prospective customers interested in obtaining a copy of Ory’s latest SOC 2 report may contact our security team at [email protected].
Built with GDPR in mind. We make it easy for our customers to respect the rights of data subjects.
Secure identity and access management made easy
Our developers are trained on and adhere to secure coding standards, including applying OWASP Top 10 implementation guidance.
Ory implements least privilege principles, undergoes regular access control audits, and follows an extensive code review, testing, and analysis process.
Industry-standard best practices
We use best practices including zero trust security, encryption, third-party penetration testing, vulnerability scanning, and others.
Open source ethos
We believe an open-source approach to building software leads to better security. But we don’t stop there. We also implement security best practices to ensure the Ory Network stays safe.
Ory embeds vulnerability scans into the CI/CD pipelines and scans all containers built for deployment. In addition, at runtime all containers running in our clusters are scanned continuously to report findings.
Third party penetration testing
Third party pen tests are conducted on a quarterly basis to ensure regular verification of our systems and procedures.
Bug bounty program
Ory's disclosure and reward program supports anyone who wants to increase the security of the Ory Network by conducting external pen testing.
Technical and operational measures
Ory Network forces HTTPS with TLS 1.2 or higher for all services, including our public website and the console, to ensure secure connections.
At rest encryption
Any data stored by the Ory Network is encrypted at rest using industry best practice standard AES-256.
Password Encryption
Ory uses salted bcrypt to ensure passwords are stored securely.
The Ory Network implements a backup strategy to ensure regular backups are created and stored in an encrypted fashion.
Secure cloud deployment
Google Cloud Platform provides secure and scalable infrastructure that meets Ory's strict requirements and compliance needs.
Logging and audit trail
Ory uses logging in its cloud network, enabling forensic analysis of potential incidents.
Availability and resiliency
Ory Network ensures all services and data are spread over different data centers and availability zones within them to maximize availability in the case of localized outages.
Hear from our longtime users
"Ory products consider all modern technical aspects and it was a perfect fit for our system. Integration was relatively easy and we are able to customize based on our requirements."
Protect your identity data with Ory
Sign up or schedule a demo with us to learn how you can improve conversion, retention, and security with Ory.