Trust and security at Logto

At Logto, we prioritize the utmost security measures to protect your data and ensure your trust in our services.
July 18, 20234 min read
Trust and security at Logto

Born open-source, insured by open-source

From its inception, Logto has been built on open-source foundations. We firmly believe in the power of open-source software, which has enabled us to develop Logto Cloud on top of our open-source project.

Exceptional developer experience

Logto serves as the "upstream" and maintains a strong connection with the global developer community. This close relationship allows us to listen and respond to the needs of developers worldwide, resulting in an outstanding developer experience and rapid iterations.

All of Logto's core services undergo public audits, as we value transparency. We believe that a robust and transparent codebase is a testament to our technical prowess and work ethic.

Self-hosted assurance

Logto OSS is also available as a self-hosted version. By choosing Logto Cloud, you gain an additional layer of trust, knowing that even in the unlikely event of Logto's discontinuation, you can seamlessly transition to the self-hosted version.

Watched by a vast community

Popular open-source softwares are under constant scrutiny by a vast community of developers and security experts. With Logto's commitment to open-source and the collaborative nature of the open-source community, it can be ensured that any security issues are quickly brought to light and resolved.

Strict adherence to standards

Logto meticulously adheres to the battle-tested open standard known as OpenID Connect, built on OAuth 2.0. This protocol provides a solid foundation for our services, offering both flexibility and scalability.

However, it's crucial to understand that failure to strictly follow the protocol's standards can introduce significant security risks, even for a large team. Read this blog post to learn more.

To ensure the highest level of security, Logto's engineers are well-versed in the inner workings of the chosen standards and continuously prioritize security measures throughout their daily work, including technical design and code review.

Embracing DevSecOps for continuous security

Besides conventional security measures, our team has implemented DevSecOps practices, which seamlessly integrate security into our development and deployment processes.

Before each code change, our systems automatically perform code scanning and penetration tests. This proactive approach allows us to identify and rectify potential security weaknesses at an early stage, ensuring that our services remain robust and resilient against emerging threats.

360-degree protection through latest technologies

Just like you, we appreciate the convenience of cloud services and software-as-a-service solutions. At Logto, we believe that certain complex challenges should be entrusted to professionals, and we employ state-of-the-art technologies to ensure comprehensive security.

Enforced security, non-negotiable

  • Logto never stores passwords in plain text; they are encrypted using the Argon2 algorithm.
  • All communication between any party and Logto Cloud is strictly enforced using Transport Layer Security (TLS) encryption.
  • Internal communications within Logto also require TLS or equivalent technologies, eliminating the use of plain connections.
  • Logto strictly avoids the use of algorithms and libraries known to have security vulnerabilities.
  • Cloudflare and Azure firewalls protect all Logto Cloud services.

Flexible computing with high availability

Logto Cloud leverages Azure services for computing resources. To provide a seamless user experience, every component of our infrastructure is designed to be flexible, capable of scaling up or down based on real-time workload requirements. Additionally, all computing resources are configured for high availability, ensuring our infrastructure is ready to handle any level of traffic.

Data isolation

  • Production data is rigorously separated from other environments, allowing only minimal authorized access.
  • Each Logto tenant is allocated a dedicated database role and connection, and we enforce Row-Level Security on user data tables. This ensures that your data remains isolated within the database. Dedicated databases are also available for enterprise users.

Data protection

  • Our databases are deployed within a private network in the Europe region, effectively preventing direct access from the public network.
  • Databases are encrypted at rest, safeguarding your data even in storage.
  • Regular database backups follow a geo-redundant policy, providing an additional layer of protection.

We are committed to maintaining the highest level of trust and security at Logto. The information provided above represent the key elements of our comprehensive security efforts. If you have any questions or concerns, please do not hesitate to contact us via [email protected].