We recognize the importance of security certification and accreditation in demonstrating that sensitive healthcare information is protected in line with industry best practice.
Our secure platform
The Corti solution uses Microsoft Azure for all data hosting, with each customer's data held within the geographical region that customer specifies, to meet their data residency requirements.
Microsoft has designed Azure with industry-leading security controls, compliance tooling and privacy policies to safeguard data stored in the cloud. The Azure hosting infrastructure is independently certified or attested against global and regional security and privacy standards, including those listed below. These certifications cover the infrastructure Corti builds on; Corti's own certifications for the service running on it are listed in the following section.
ISO/IEC 27001 - International Standard for Information Security Management
ISO/IEC 27018 - Code of practice for protection of Personally Identifiable Information (PII) in public clouds acting as PII processors
SOC 1 - System and Organization Controls report on controls relevant to customers' financial reporting
SOC 2/3 - System and Organization Controls reports on security, availability, processing integrity, confidentiality and privacy (SOC 3 being the general-use summary of a SOC 2 report)
US FedRAMP - Federal Risk and Authorization Management Program for cloud services
EU-U.S. Privacy Shield Framework for transfer of personal data to the US (invalidated by the Court of Justice of the EU in July 2020; EU-US transfers now rely on Standard Contractual Clauses or the EU-U.S. Data Privacy Framework adopted in 2023)
EU GDPR - General Data Protection Regulation for personal data protection and privacy within the European Union
HIPAA/HITECH - Health Insurance Portability and Accountability Act and Health Information Technology for Economic and Clinical Health Act for protection of Protected Health Information (PHI) within the US
Azure additionally adheres to security controls for national standards where applicable, including:
MTCS - Singapore's Multi-Tier Cloud Security Standard for the security and confidentiality of data in the cloud
IRAP - Australia's Information Security Registered Assessors Program for the assessment of data storage, processing and communications infrastructure
ENS - Spain's Esquema Nacional de Seguridad (National Security Framework), High level, for cloud services
BSI C5 - Germany's Cloud Computing Compliance Criteria Catalogue, issued by the Federal Office for Information Security (BSI) and relied on for health data hosted in the cloud
HDS - France's Hébergeur de Données de Santé certification for health data hosting
Documentation of Azure's compliance with these and many more standards is available at https://learn.microsoft.com/en-us/azure/compliance/
Corti’s Certification and Accreditation
Corti keeps its data protection and cyber security aligned with market and regulatory requirements, including compliance with several strict frameworks:
SOC 2/3 - System and Organization Controls reports on security, availability, processing integrity, confidentiality and privacy - demonstrated by an external type 2 audit.
US HIPAA - privacy and security regulation for protected health information (PHI).
US FedRAMP - Federal Risk and Authorization Management Program for cloud services.
US CJIS - FBI Criminal Justice Information Services Security Policy; Corti's products do not access criminal records, and Corti complies with the CJIS requirements applicable to such products.
GDPR and UK GDPR - General Data Protection Regulation for personal data protection and privacy in the EU and UK - demonstrated by an external ISAE 3000 type 1 audit.
German BSI C5 - Cloud Computing Compliance Criteria Catalogue, relied on for health data hosted in the cloud - demonstrated by an external type 1 audit.
UK Cyber Essentials security standard certification.
UK NHS Data Security and Protection Toolkit (DSPT) certification.
UK DCB0129 - clinical risk management standard for manufacturers of health IT systems.
UK Digital Technology Assessment Criteria (DTAC) - compliance report available to customers.
Corti has appointed an external Data Protection Officer (DPO) who supports data protection with a focus on GDPR compliance.
Corti engages the CREST-accredited NCC Group to run annual web application assessments and cloud configuration reviews, including penetration tests.