Subprocessors management and Processing Locations
Updated over 2 weeks ago

At Corti, safeguarding personal data through stringent processing protocols is paramount. To further enhance our services, we collaborate with selected subprocessors who also follow these rigorous standards. By ensuring that all of our subprocessors adhere to stringent EU data protection standards, Corti upholds its dedication to maintaining the highest levels of data privacy and security.

Microsoft Azure: Core to Our Cloud Strategy

Our primary data processing operations are hosted on Microsoft Azure, widely acknowledged as one of the most secure and compliant cloud service platforms in the industry. Microsoft Azure serves as the central platform for hosting and processing the data of all our customers. Our main data processing facility is located in Amsterdam, Netherlands, with a secondary, backup processing site in Dublin, Ireland. Users of Corti Assistant in the US may choose to use the U.S. environment instead. We ensure the highest level of security by encrypting all data, both in transit and at rest, within the robust framework provided by Microsoft Azure.

For more specific information regarding Microsoft Azure’s certifications and its commitment to data protection, please refer to the certification section of this white paper. This structured data handling assures that operational data is managed under the highest security standards set by Microsoft Azure, maintaining strict data integrity and privacy.

Enhancing Operational Insights: Datadog and Mixpanel as Usage Data Subprocessors

While Azure is our primary platform for data hosting, we also collaborate with subprocessors such as Mixpanel and Datadog to enhance our services and analytics capabilities. These subprocessors are utilized solely for the processing of usage data, underlining our strategic approach to data segregation and security. They do not process sensitive personal data of any of our customers and end users.

Datadog, operating in Germany, is responsible for the processing of usage telemetry data from Corti’s applications, ensuring secure and compliant monitoring services.

Similarly, Mixpanel, operating in the Netherlands, manages the processing of data related to user activity within Corti’s frontend application, maintaining a robust and legally compliant framework for analyzing usage metrics.

By prioritizing the localization of data processing in the EU, Corti maintains an option for customers for strict data residency within EU borders, thus safeguarding personal information against unauthorized access and data breaches and reinforcing the trust that our clients place in our operational practices. By utilizing these subprocessors in well-regulated locations, we reinforce our commitment to maintaining high standards of data security and compliance.

Data Transfers to Third Countries

To ensure robust privacy protection and secure international transfers, Corti incorporates stringent GDPR-compliant practices, focusing on the lawful processing of personal data across borders. Our platform employs legal transfer mechanisms such as Standard Contractual Clauses (SCCs) and adheres to the EU's adequacy decisions (EU-U.S. Data Privacy Framework) to facilitate compliant data flows outside the EU. By integrating these safeguards, Corti ensures that all data transfers meet the highest standards of privacy and security.

Corti is committed to maintaining the highest standards of data protection, especially in cross-border data transfers. For transfers to countries without an EU adequacy decision, we rely on EU Standard Contractual Clauses (SCCs) to ensure that our strict data protection standards are met. Additionally, we conduct thorough Transfer Impact Assessments (TIAs) to ensure that all potential cross-border data transfers meet our stringent privacy requirements. This proactive approach safeguards personal information against unauthorized access and data breaches, reinforcing our dedication to upholding the highest standards of data privacy.

Corti is certified under the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. Data Privacy Framework and the Swiss-U.S. Data Privacy Framework. This certification, which is applicable to transfers to the US from the EU, UK, and Switzerland, ensures that data is managed under privacy standards equivalent to those mandated within the EU. Regarding our subprocessors, we confirm that all are certified under the EU-U.S. Data Privacy Framework. This certification ensures that they adhere to stringent data protection requirements when processing data from the European Union. This commitment helps maintain a secure and compliant data processing environment, providing peace of mind that personal and sensitive information is handled with care in accordance with internationally recognized privacy standards.

In adherence to the recent European Data Protection Board (EDPB) Opinion 22/2024, Corti immediately recognized the critical importance of this opinion by conducting thorough risk assessments for the subprocessors involved in our data processing activities. This proactive approach is fundamental to maintaining accountability throughout the entire processing chain. By continuously evaluating and overseeing our subprocessors, we ensure that every partner meets the stringent standards required for data protection and privacy.

This not only complies with regulatory expectations but also upholds our commitment to safeguarding the integrity and confidentiality of customer data, reinforcing the trust that our clients place in our operational practices.

Training and Awareness

Corti has developed a robust data protection culture as it invests in continuous training and awareness programs for all employees, emphasizing the importance of privacy and data protection. Specifically, we conduct two focused training sessions: one on the General Data Protection Regulation (GDPR) and another on the Health Insurance Portability and Accountability Act (HIPAA). This approach ensures that our team is not only aware of but also adept at navigating the complex landscape of data privacy and protection, fostering a culture of compliance and respect for user privacy across the organization.

At Corti, we believe that creating a culture that prioritizes privacy is essential for maintaining the trust of our customers, employees, and partners. To achieve this, we actively encourage and facilitate continuous dialogue around our data practices. Corti is committed to transparency and openness, allowing any concerns regarding data privacy to be raised and addressed promptly.

Continuous Improvement

Corti is committed to continually improving its data protection strategies and practices to ensure we meet all relevant privacy requirements. We monitor regulatory updates and adapt our processes as necessary to stay compliant.
