We place a sharp focus on information safeguarding because we understand our customer's personal identifiable information and protected health information are critical assets. Customer's place this information into our care when using our service and trust us to keep it secure.

We focus our security processes on managing your sensitive medical data's confidentiality, integrity, and availability. Confidentiality means protecting the data against unauthorized disclosure, be that from the malicious actions of an external attacker or the unintentional error of an internal employee. Integrity means protecting the data against corruption or modification through human error or technology failure. Finally, availability means ensuring that the data is available whenever required, protecting against loss of service due to external factors or the failure of a device.

The primary focus for our information safeguarding is the reliable identification and authentication of those accessing sensitive medical data. An inability to authenticate those accessing such data will render other data, application, and network security controls ineffective. Corti has established the security of the systems and networks that host its service with robust access controls.

Authentication is managed using Azure's identity and access management facility, which operates identity-based access control, locks down administrative access, alerts on identity-related events and abnormal account behavior, and implements role-based access control. In addition, the authentication solution is customer configurable to meet service needs.

Web, application, and database servers supporting our services reside within secure data centers certified to internationally recognized standards.

All data held and processed by the Corti systems is protected using internal access controls and encryption techniques. We have designed this to facilitate efficient information sharing between authorized users of that data while, at the same time, preventing access or modification by any authorized system user that is not permitted to access that data.

Data is compartmentalized so each service owner may access information relating to patient call data uploaded to their specific service. Advanced access management protocols prevent leakage of data between compartments. Only users with explicit permission to access any data information may view or modify it. We have designed the system to ensure that all requests to access any data item must be verified to confirm that the user has permission to perform that action before the action is permitted.

The configuration of the protection mechanisms is such that no user without explicit access rights to an item of data may perform any action on that data, including Corti employees, our system administrators, and any employees of the third-party hosting provider. In addition, the solution includes no role that allows access to any data in the Corti service or its underlying network and hosting platform without having explicit permission to access that data. This locked-down approach to data access management prevents any possibility of unintentional release, modification, or loss of data. In addition, this approach helps counter insider threats to the confidentiality and integrity of the data.

Information security is not just protecting data against unauthorized access, whether the intention is to steal it for financial gain, to release it to cause reputational damage or to modify it to cause severe disruption. Preventing authorized users from gaining access to data when needed can have equally serious consequences, primarily when they cannot access vital medical information when there is no alternative source of that information that is readily available.

The Corti solution manages the continuity of data available from its services using a combination of techniques. For example, the Azure data centers upon which we have built the service provide resilience through multiple levels of physical and logical redundancy. As a result, the failure of any device, application, operating system, or complete data center will have no discernible impact on the service user.

Corti employs the Azure Distributed Denial of Service (DDoS) protection as part of its solution, ensuring that the service can manage a deliberate external attack with minimal impact on its authorized users.

The critical control for protecting access to sensitive medical information is the implementation of dependable access control mechanisms to prevent access to unauthorized persons and restrict access to any authorized person to just the data they are permitted to access. These mechanisms require the reliable identification and authorization of users in a manner that cannot be open to impersonation or bypassed entirely. Without strict access controls, all other implemented security controls would be superfluous should an unauthorized user be granted access to data through the service.

The specific details of the access controls for secure user authentication to each client instance of the Corti service are configurable by each client. These controls include complex password enforcement and account lockout protocols deployed during unsuccessful attempts to gain access to accounts, such as from brute force attacks.

Access to the Corti service uses TLS technology to protect communications and prevent any attempt to access the service without TLS. We implement the encryption of all communications, including the initial requests for authorized access, to protect users from any potential eavesdropping attempts or man-in-the-middle attacks. In addition, message encryption is essential to prevent the leakage of any authentication information that may be of use to an attacker and protect the sensitive personal data that the user may subsequently access.

As well as the sensitive personal data, all other classified information, including system configuration settings, keycodes, and passwords we hold within the system, are secured using advanced cryptographic controls. We implement these controls using the latest encryption standards to protect against accidental or malicious unauthorized access attempts. We apply these cryptographic controls to all copies of the data, both the live systems, reversionary systems, and all backup copies.