Corma is built with security and privacy by design.
This page covers everything you need to know about how we collect, store, and protect your data, from technical infrastructure to GDPR compliance.
Corma is ISO/IEC 27001:2022 certified, confirming that our product, services, and internal processes meet the highest security standards. Our security strategy is built around three missions:
Credibility and Trust: professional-level security measures and constant compliance with customer requirements
Control and Resilience: risk-based approach to security implementation
Detection and Response: rapid identification and remediation of suspicious events
| Topic | Details |
|---|---|
| 💽 Hosting | All data hosted in France on AWS servers (Paris region) |
| 🔐 Compliance | ISO 27001 certified |
| 🙅 Data protection | Limited PII collected, encrypted |
| ☁️ Sub-providers | AWS (cloud), Google (IdP), GitHub (version control), Vercel (deployment), Heroku (backend & API) |
Corma helps companies optimize and automate access management (onboarding, offboarding, access requests, license monitoring). To deliver these services, we need visibility into which software tools are used across your company and how they are used.
Corma only collects the data strictly necessary to discover IT tools and accesses and to understand overall usage patterns. All analysis is performed at an aggregated level. We have no interest in individual-level monitoring.
For each URL visited by an authenticated user, we capture:
User ID, timestamp, website name (raw URL), active duration
URL host, subdomain, URL path
SaaS ID, internal SaaS ID, SaaS status, SaaS directory ID
URLs are filtered by the extension using a whitelist system before reaching our database. Personal usage (YouTube, social media, etc.) is excluded automatically.
Username, email, last activity, date granted, granted by, roles, license type, groups
List of users (email, name, ID, team, admin status, roles)
Third-party apps, SSO/SAML logs
Authentication tokens, token timestamps, scopes granted to external apps
Installed apps (Microsoft Store packages, regular applications, command-line tools in PATH)
Activity: foreground/background usage, command lines executed from terminal
Start date, termination date, job title, team/department, manager, country, personal email
Invoices (cost, currency, date, supplier)
Ticket ID, title, assignee, content
What Corma does NOT collect: clicks, mouse position, scroll, keystroke logging, login credentials, private software usage, or data inserted inside your tools.
Anonymization on send: data sent from the browser extension is anonymized before transmission, so intercepted data cannot be traced to a specific individual.
Automatic exclusion of private tools: Corma uses a whitelist of 31,000+ commercially available SaaS tools. Private software is automatically excluded. If a user logs in with a personal email address, their usage is not tracked.
Data aggregation: Corma only displays aggregated data. The maximum granularity is daily/weekly/monthly usage counts, last activity, and login frequency.
Corma's whitelist contains more than 40,000 apps and is:
Continuously updated
Editable by admins
Compatible with custom client URLs for on-premise applications
All data is stored within France or the European Union
All data is encrypted at rest and in transit
Storage is secured within AWS Virtual Private Cloud, accessible only through MFA
Access is restricted on a need-to-know basis internally
No individual usage data is accessible to or shared with client companies
Corma does not provide personal data to its clients
| Type of data | Corma | Customer company |
|---|---|---|
| Personal data (email) | Briefly, deleted after onboarding | No |
| Login/logouts of company tools | Yes, anonymous only | Yes, anonymous only |
| Visited websites | Yes, anonymous & work-related only | No |
| Activities inside tools | No | No |
| Login credentials | No | No |
To work effectively with Corma, client companies should:
Use Google Workspace or Microsoft (Azure AD)
Use Chrome, Chromium, Edge, or Firefox browsers
Have significant web-based SaaS usage
All pricing plans include two authentication methods:
Google SSO
Microsoft SSO
Corma is GDPR compliant. Personal data is protected through encryption and hashing. We maintain strict data retention policies and access controls. Our Data Protection Officers confirm our compliance posture.
For more information, consult our Privacy Policy or your company's Data Processing Agreement with Corma.
Reach out to us at [email protected] or contact your company's Data Protection Officer.