Certification and Accreditation
Updated over a month ago

We recognize the importance of security certification and accreditation for demonstrating compliance with industry best practices for protecting sensitive healthcare information.

Data Protection

The Corti solution uses Microsoft Azure for all data hosting services, with data for each customer held within a specified geographical region to meet their requirements.

Microsoft has designed Azure with industry-leading security controls, compliance tools, and privacy policies to safeguard data stored in the cloud. This ensures that the Corti service complies with global and regional privacy standards, including:

  • HIPAA/HITECH - Health Insurance Portability and Accountability Act and Health Information Technology for Economic and Clinical Health Act for the protection of Protected Health Information (PHI) within the US

  • HITRUST - Health Information Trust Alliance certification for the safeguarding of sensitive information

  • ISO/IEC 27018 - Code of practice for protection of Personally Identifiable Information (PII) in public clouds acting as PII processors

  • EU-U.S. Privacy Shield Framework for transfer of personal data to the US

  • EU GDPR - General Data Protection Regulation for personal data protection and privacy within the European Union

  • California Consumer Privacy Act (CCPA) for personal data protection and privacy for residents of California

HIPAA Compliance

Azure has enabled the physical, technical, and administrative safeguards required by HIPAA and the HITECH Act inside the in-scope Azure services and offers a HIPAA Business Associate Agreement (BAA) as part of the Microsoft Product Terms. The BAA provides customers with contractual assurances covering data safeguarding, reporting (including breach notifications), and data access per HIPAA and the HITECH Act. In addition, Microsoft adheres to the HIPAA Security Rule requirements in its capacity as a business associate.

Information Security Certification

The Corti solution employs Microsoft Azure as the foundation for its information security controls. Azure adheres to security controls for international and US federal standards, including:

  • ISO/IEC 27001 - International Standard for Information Security Management

  • ISO/IEC 27018 - Code of practice for protection of Personally Identifiable Information (PII) in public clouds acting as PII processors

  • SOC 1 - System and Organizational Controls for financial reporting

  • SOC 2/3 - System and Organizational Controls for compliance and operations

  • FedRAMP - Federal Risk and Authorization Management Program for cloud services

  • HITRUST - Health Information Trust Alliance certification for the safeguarding of sensitive information

Azure additionally adheres to security controls for national standards where applicable, including:

  • MTCS - Multi-Tier Cloud Security Standard for Singapore for security and confidentiality of data in the cloud

  • IRAP - Australian Information Security Registered Assessors Program for the assessment of data storage, processing, and communications infrastructure

  • ENS - Spanish High-Level Security Measures (Esquema Nacional de Seguridad) for cloud services

Corti is fully compliant with the requirements of HIPAA, GDPR, and the FedRAMP standards. It is also working towards compliance with the following standards for its development processes:

  • ISO/IEC 27001 - International Standard for Information Security Management

  • ISO 13485 - International Standard for medical device Quality Management Systems

  • ISO 14971 - International Standard for the application of risk management to medical devices

  • IEC 62366 - International Standard for the application of usability engineering to medical devices

  • IEC 62304 - International Standard for medical device software life cycle processes
