Question | Y/N | Details |
--- | --- | --- |
Is Corti SOC 2 Type 2 and SOC 3 compliant? | Yes | Corti holds SOC 2 Type 2 and SOC 3 attestations. |
Is Corti GDPR compliant? | Yes | Corti complies with the GDPR requirements for the EU and UK. In 2024, GDPR compliance was externally audited with a focus on customer data handling and achieved the ISAE 3000 certificate. |
Is Corti HIPAA compliant? | Yes | Corti complies with the HIPAA requirements |
Is Corti BSI C5 certified? | Yes | Corti complies with Germany's BSI C5 cloud-security requirements for health data, as demonstrated by an external Type 1 audit. |
Is Corti UK Cyber Essentials certified? | Yes | Corti is UK Cyber Essentials certified. |
Is Corti UK Data Security and Protection Toolkit (DSPT) certified? | Yes | Corti complies with the UK Data Security and Protection Toolkit (DSPT). |
Is Corti UK DCB0129 compliant? | Yes | Corti complies with UK DCB0129 clinical risk management system requirements. Compliance is maintained by a Clinical Safety Officer. |
Are data centers HIPAA and ISO/IEC 27001:2022 certified? | Yes | Microsoft Azure complies with the HIPAA requirements and adheres to the Security Rule requirements in its capacity as a business associate. To support Azure customers in managing electronic protected health information (ePHI), Microsoft provides a HIPAA Business Associate Agreement (BAA). Microsoft Azure also complies with the ISO/IEC 27001:2022 standard. |
Does Corti ensure compliance with different regional privacy laws? | Yes | Corti complies with multiple global and regional privacy regulations, including GDPR, HIPAA, BSI C5, UK DSPT, and FedRAMP. The company continuously monitors and adapts its security posture to align with evolving legal requirements. |
Does Corti conduct regular penetration testing and security assessments? | Yes | Corti employs CREST-accredited external auditors to conduct penetration testing and web application assessments regularly. Additionally, vulnerability scanning and security reviews are performed periodically. |
Do you provide several options for location(s) of the data centers used? | Yes | Microsoft Azure has data centers in more than 60 regions across the globe, spanning over 140 countries to meet national and regional regulatory and jurisdictional requirements. Corti employs several of them. |
Can Corti restrict access based on geographic location? | Yes | Corti can configure access restrictions based on geographic location. The system enforces IP safelisting and allows traffic only from approved regions. |
Does the service implement robust monitoring and redundancy to manage technical failures? | Yes | Microsoft Azure data centers provide resilience to technical failure through multiple levels of physical and logical redundancy, monitoring via Azure Monitor and Azure Service Health, automated disaster recovery via Azure Site Recovery, and scalability and load-balancing features that ensure high availability and performance. |
Does the service support post-incident data recovery? | Yes | Microsoft Azure includes backup options such as Azure Backup and Azure Site Recovery that support restoring data and applications from backups following accidental modification or deletion of data, security incidents, hardware failures, or natural disasters. |
Do you segregate customer data? | Yes | Customer data is stored and processed only within the customer's instance of the Corti service, or is separated by tenant-specific access-control layers at the infrastructure level. |
Who has access to customer data held within the service? | Yes | Access to data is restricted by the customer to their authorized users only, with data confidentiality protected by robust encryption that prevents unauthorized access. |
Are advanced threat detection and prevention measures employed? | Yes | The Corti solution uses comprehensive information security monitoring and protection measures, including firewall perimeter security and third-party network security monitoring. |
Is data protected at rest? | Yes | All stored data is encrypted at rest using the FIPS-approved AES algorithm. |
Is data protected in transit? | Yes | All data in transit is encrypted using the FIPS-approved TLS 1.2 protocol or higher. |
Can you create unique encryption keys per customer? | Yes | We provide each customer with unique encryption keys for their instance of the Corti service. |
Do you enforce full hard disk encryption on devices and media containing PII and PHI data? | Yes | PII and PHI data is encrypted at rest and in transit. |
Do you enforce access controls to each system housing client data? | Yes | The customer's designated administrator controls logical access to their data using Azure's identity and access management functions. Access is subject to logging and auditing. Physical access to the Azure environment is strictly controlled and audited by the hosting company. |
Do you have application-level authentication? | Yes | All authorized users are provided with a named, password-protected account. Multi-factor authentication and password policy are configurable by the client. |
Are account-level changes logged and retained? | Yes | All authentication and access changes are logged and audited. |
Are all servers suitably isolated and behind firewalls? | Yes | All customer instances of the Corti service include a software firewall to manage access and implement content controls. |
Are there robust network boundary security controls in place? | Yes | The Microsoft Azure hosting environment includes robust perimeter controls using a multi-layered approach to network protection. |
Is network monitoring and alerting in place to respond to significant traffic changes? | Yes | Datadog provides advanced network traffic monitoring, combined with automated protection against DDoS attacks via rate limiting. |
Is the hosting environment hardened? | Yes | The Microsoft Azure hosting environment includes tools and guidance for hardening, including disabling unneeded services and connections. |
Do you ensure that hosted client data is securely removed after deletion? | Yes | Microsoft Azure ensures that hosted client data is securely removed after deletion. Azure follows strict data destruction policies compliant with industry standards and regulations. When data is deleted, Azure employs techniques such as overwriting storage space to make the data unrecoverable. Additionally, for managed services that handle data deletion, such as Azure Storage, Azure manages the replication and destruction of data across its physical media to ensure that deleted data cannot be recovered or accessed. |
Are information security and privacy policies aligned with industry standards? | Yes | Corti's information security and privacy policies align with applicable major industry standards, including SOC 2, GDPR, HIPAA, BSI C5, UK Cyber Essentials and UK DSPT, among others. |
Do you communicate your policies to staff and contractors? | Yes | Staff and contractors have access to relevant policies and receive regular communications and briefings when necessary. |
Is cross-border data movement limited, monitored, or controlled? | Yes | All data movement within the Microsoft Azure hosting environment follows applicable legislation for the relevant hosting jurisdiction. |
Is access to the Corti service fully auditable? | Yes | Customers have access to audit reports for their instance of the Corti solution. |
Is the Corti service regularly independently security audited? | Yes | The Corti solution is certified and subject to annual independent security auditing, and the Microsoft Azure hosting environment is certified and subject to regular independent audits. |
Is an individual, group, or committee responsible and accountable for information security and data handling? | Yes | Corti's Chief Technical Officer is responsible and accountable for information security and data protection. |
Do you follow a defined Change Management process? | Yes | Corti business practices include a defined change management process that staff must follow. |
Do you back up important data? | Yes | All customer instances of the Corti service include backup options that are fully configurable by the service operator to meet their business requirements. |
Do you have a process in place for security patch management? | Yes | Security patches are applied automatically as part of the Microsoft Azure hosting solution. |
Do you capture and maintain logs of information security activity? | Yes | The Microsoft Azure hosting solution generates security event logs that are processed by a third-party monitoring and security service provider for threat detection and response. |
Do you have an incident management process in place? | Yes | Corti business practices include a defined incident management process that staff must follow. |
Are staff subject to pre-employment checking? | Yes | All staff are subject to background checks as part of the recruitment process. |