Cloud Infrastructure
Corsa runs on hardened, production-grade cloud infrastructure.
- Private networks - All services operate within private subnets. No production workloads are directly exposed to the public internet.
- Network segmentation - Strict firewall rules and network access controls isolate services by function. Database and internal services are unreachable from outside the private network.
- Multi-region availability - Critical infrastructure spans multiple availability zones with automated failover.
- Infrastructure as Code - All infrastructure is defined declaratively with peer-reviewed pull requests, plan previews, and approval gates before any change reaches production. No manual infrastructure changes.
Encryption
Data at Rest
- All databases, object stores, and backups are encrypted using AES-256.
- Encryption keys are managed centrally through a dedicated key management service and rotated automatically.
- Customers who require additional control can use BYOK to manage their own encryption keys.
Data in Transit
- All external-facing traffic is served over HTTPS with TLS 1.2+. Older protocol versions are rejected.
- Internal service-to-service communication is encrypted with mutual TLS (mTLS), ensuring both the client and server authenticate cryptographically.
Sensitive Data Protection through BYOK
Enterprise customers who require full control over sensitive data encryption can use Corsa’s Bring Your Own Key (BYOK) offering. With BYOK, sensitive data (PII, government IDs, financial account details) is encrypted and decrypted on the customer’s side using their own KMS. Encryption keys never leave the customer’s environment, ensuring that Corsa cannot access plaintext sensitive data. See the BYOK documentation for setup details and supported configurations.
Secrets Management
- All application secrets, API keys, and credentials are stored in a dedicated secrets management service - never in code, environment variables, or config files.
- Secrets are rotated automatically on configurable schedules.
- Access to secrets is governed by least-privilege policies.
- Secret access is logged and auditable.
Vulnerability Management
Corsa maintains a continuous vulnerability management program to identify and remediate security weaknesses before they can be exploited.
Automated Scanning
- Infrastructure and container images are scanned for known vulnerabilities on every build and on a recurring schedule.
- Application dependencies are monitored for CVEs with automated alerting.
- Static analysis (SAST) runs on every pull request as part of CI/CD.
Penetration Testing
- Corsa engages independent third-party security firms to perform penetration tests on a regular cadence.
- Findings are triaged, prioritized by severity, and remediated within defined SLAs.
- Executive summaries of penetration tests are available to customers under NDA.
Patch Management
- Server operating systems and base images are updated regularly, well in advance of end-of-life dates.
- Servers are frequently and automatically replaced (immutable infrastructure) to discard stale state and maintain server health.
- Critical and high-severity patches are prioritized and applied promptly.
Network Security
DDoS Mitigation
- Corsa uses cloud-native and application-layer protections to absorb and mitigate distributed denial-of-service attacks.
- Rate limiting is enforced at the API gateway level to prevent abuse.
Web Application Firewall
- A WAF inspects inbound traffic for common attack patterns (SQL injection, XSS, SSRF) and blocks malicious requests before they reach the application.
Private Connectivity (VPC Link)
For highly sensitive enterprises that require traffic to never traverse the public internet, Corsa supports private VPC connectivity. Customers can establish a dedicated VPC link between their environment and Corsa, ensuring all communication stays within private network paths. Contact your account manager to discuss private connectivity options.
Incident Response
Corsa maintains a documented incident response program with clear severity definitions, escalation paths, and customer notification procedures.
| Severity | Definition |
|---|---|
| SEV1 | Customer data breach or complete service outage - immediate response with full team mobilization. |
| SEV2 | Partial service degradation affecting multiple customers - rapid response with escalation. |
| SEV3 | Security event with no customer data impact - prioritized investigation and remediation. |
| SEV4 | Low-risk finding or policy deviation - scheduled review and resolution. |
- Every incident concludes with a post-mortem: root cause analysis, timeline, impact assessment, and remediation actions.
- Customers are notified within contractual SLAs when an incident affects their data.
- Incident response tabletop exercises are conducted annually to test and improve the program.
Backup & Disaster Recovery
- Databases are backed up continuously with point-in-time recovery capability.
- Backups are encrypted and stored in a separate region from production.
- Restoration is tested quarterly to validate backup integrity and measure recovery time.
- Recovery Time Objective (RTO) and Recovery Point Objective (RPO) are defined per service tier and documented in customer agreements.