Corti is committed to ensuring the security and privacy of customer data. This article explains how data is processed, stored, retained, and securely deleted within Corti’s platform, in line with best practices and regulatory requirements.
Data Flow and Customer Control
When customers use Corti’s platform or APIs (for example, to generate ambient notes), data such as audio files is securely transmitted and processed within Corti’s infrastructure. Corti acts as a data processor, following the instructions of the data controller in accordance with the applicable Data Protection Agreement (DPA).
Corti provides customers with full control over their data. Through the Delete API, customers can delete data immediately after an interaction or at any time of their choosing. This ensures that data can be stored only for the minimal period required, supporting compliance with internal and regulatory requirements.
Data Retention and Deletion Policies
Corti retains customer data only for as long as necessary to fulfill its intended purpose, as determined by contractual and regulatory obligations.
Data is securely retained for the duration of the customer agreement.
When an agreement is terminated or expires, all personal data is securely deleted within 30 days.
For voluntarily closed accounts, data is held in an expired state for 30 days to allow recovery if needed, then securely deleted.
For involuntarily suspended accounts, data is retained for 30 days to allow reinstatement. If not reinstated, the data enters an expired state and is deleted after an additional 30 days.
Customers can request deletion of data at any time, either through the API or by contacting Corti. Corti will promptly delete the data and instruct any relevant subprocessors to do the same.
Security Practices
Corti applies strict security measures to protect all data handled on its platform. These include:
Encryption of data in transit and at rest
Rigorous access controls with audit logging
Continuous monitoring and incident response processes
Corti has successfully completed independent penetration tests for four consecutive years, with no critical or high vulnerabilities identified.
Minimizing Data Risk
Corti’s platform is designed to minimize risk through a combination of flexible data deletion options and strong security controls. By using the Delete API, customers can ensure that data is stored only for as long as necessary, such as the duration of a consultation. This reduces the exposure associated with long-term data storage.