Corti's data privacy protection focuses on data minimization and localization, encryption, sub-processor management, impact assessments, and external auditing.
In the rapidly evolving digital landscape, ensuring the privacy of our user data is paramount for Corti. We are committed to upholding the highest standards of data protection, adhering rigorously to international and regional regulations.
This section of our white paper outlines our compliance with the General Data Protection Regulation (GDPR) and the Health Insurance Portability and Accountability Act (HIPAA), demonstrating our dedication to safeguarding personal and sensitive information across all our operations. We are committed to maintaining transparency about how we collect, use, and share personal data. Users can easily manage their data, exercise their rights, and make informed choices about their privacy settings.
Privacy by Design
At Corti, we recognize that effective privacy protection is not merely about compliance, but about embedding privacy into the very fabric of our technology and organizational practices. Our commitment to Privacy by Design is evident in every aspect of our operations, ensuring that privacy and data protection are integrated into all our products and services from the initial design through to deployment.
These principles include being proactive, not reactive; privacy as the default setting; privacy embedded into design; end-to-end security; visibility and transparency; and user privacy and empowerment. By embedding these principles, Corti ensures that all data handling respects user privacy and maintains industry-leading standards of data protection.
Personal Data Handling
At Corti, our handling of personal data is critical to delivering high-quality services, as detailed in the Data Processing Agreement (DPA) in place between Corti (Data Processor/Data exporter) and our Customer (Data Controller/Data Importer). Corti processes both general and sensitive categories of personal data, under stringent data protection measures. We clearly document the types of personal data we process, including specific details on sensitive information, thereby maintaining transparency and accountability in our data handling practices.
General personal data includes general identification and contact information, employment details, and digital identifiers, which facilitate our interactions with both practitioners and patients.
Our processing of special categories of personal data (sensitive data), intended for more sensitive functions, includes health-related information and other data that may reveal racial, ethnic, religious, or other significant aspects of a person's identity and personal life, such as the data concerning a person’s sex life or sexual orientation.
Data Retention and Deletion
Our data retention and deletion policies outline Corti’s default timelines for retention and the conditions under which data is deleted, ensuring compliance with legal requirements and minimizing risks associated with data storage.
Corti follows the instructions of the Data Controller on retention and deletion as detailed in the Data Processing Agreement (DPA). We retain customer data only for the duration necessary to fulfill its intended purpose, as dictated by regulatory and contractual obligations.
For active accounts, data is securely retained, while data from voluntarily closed accounts is held in an "expired" state for 30 days to allow for recovery, before being securely deleted in accordance with our robust data destruction procedures. In cases of involuntary suspension, accounts are given a 30-day grace period during which they can be reinstated after resolving any issues; otherwise, the data enters an expired state and is deleted after an additional 30 days.
Prompt deletion actions are taken upon the expiration of retention periods or explicit customer requests, including notifying relevant third-party organizations to delete shared information.