Security by Design
Updated over a month ago

We have developed our solution to be foundationally secure using security-by-design best practices as part of our multi-layered approach to protecting customer information.

Operational Security

The Corti service is built upon secure third-party network and hosting platform solutions that comply with international standards for information security, assuring that the logical and physical security of the platform meets the requirements for keeping your sensitive personal information secure.

The Corti solution uses Microsoft Azure for all data hosting services; Azure is a multi-tenant hyper-scale cloud platform that we use to store your data within our specified geographical region. In addition, the data is replicated across multiple locations within this region to provide system resilience. We carefully selected Azure for numerous factors, including the industry- and regional-specific security compliance obligations it meets.

The Azure hosting environment employs host-based software firewalls to protect customer instances of the Corti service from unauthorized access and to implement content filtering.

We logically separate all customer data within their deployed instance of the Corti service from all other customer deployments within the multi-tenanted hosting environment. We restrict all data access to those users the customer has explicitly authorized. Azure's robust data encryption support ensures the confidentiality of all data within the customer's instance of the Corti service.

The customer’s configuration of their instance of the Corti service includes data backup options to ensure the availability and integrity of the data. These options include locally redundant storage to protect against a failure within the host data center, zone redundant storage to protect against the loss of a data center or localized disaster, and geo-redundant storage to meet more stringent regional disaster recovery requirements.

Microsoft's operations and support personnel do not have access to any data unless explicitly granted access for support purposes under the Azure Security Policy. In this event, the policy is to give access using the least privilege for the minimum time necessary. These data protection controls are subject to auditing for compliance against Azure's compliance and privacy policies.

Customers can request the deletion of their data at any time, including at the termination of the service per the Azure data management policies. This process includes deleting data copies following the replacement and decommissioning of data center equipment.

Management of the logical access to these systems uses technical controls, including switches, routers, and firewalls, to prevent unauthorized access and resist external attacks using multiple levels of security that deliver strength in depth. In addition, records of access and activity, both internal and external, to the service are monitored and logged, providing preventative and reactive options in the event of any attack, failure, or disruption.

The Azure infrastructure includes comprehensive security management and monitoring features to support the protection of customer data.

  • Change management processes control the development, testing, and approval of configuration changes in the operational environment before implementation.

  • Security update management processes protect against known vulnerabilities by handling the deployment and installation of patches and updates.

  • Protective monitoring tools provide real-time alerting and threat monitoring.

  • Vulnerability scanning and penetration testing periodically test network devices, databases, and operating systems to identify exploitable weaknesses.

  • Incident management processes deliver coordinated responses to verified incidents. Any unauthorized access to customer data leading to loss, modification, or disclosure will be reported to the customer and investigated by Azure’s security capability.

Development Security

Corti treats the security of highly sensitive medical information with the highest importance, and security is one of the core principles upon which we develop our systems. In addition, security is a foundation stone that underpins the functionality of the entire Corti solution, from the software applications to the data storage solutions, from the communications channels to the personnel who develop, manage, and maintain the solution.

Corti’s development environment resides within Azure’s hosting environment and leverages the available security controls. Protection includes robust authentication controls based on an IP allowlist model to prevent unauthorized access and protect Corti’s intellectual property.

The development environment is subject to monitoring and logging to support continuous security management processes. Proactive measures include periodic vulnerability scanning of the development environment using a multi-layered approach.

  • Annual security auditing and penetration testing provide an external view of vulnerabilities and prioritized recommendations for improvements that the development team is responsible for managing.

  • GitHub's dependency bot is employed to identify vulnerabilities in systems' dependencies and apply automatic rectification.

  • Azure's periodic infrastructure vulnerability scanning tests network devices, databases, and operating systems and rectifies issues.

  • DataDog's third-party cloud monitoring and security solution provides centralized security logging and real-time monitoring of the Azure environment. This service provides comprehensive analytics, threat detection, and misconfiguration protection.

This development environment is logically segregated from all live customer instances of the Corti service and has no access to customer-owned data. In addition, Azure's robust data encryption support ensures the confidentiality of all development data, including configuration settings and other security-related parameters.

Developers access the development environment using company-provided user access devices with robust password-based access controls. In addition, all data in transit between users and the development environment is protected by appropriately configured TLS protocols.

Development practices include following Open Web Application Security Project (OWASP) based secure coding practices. In addition, we have developed the Corti solution using security-by-design techniques that have built security controls into the application from the initial concept phase through the design, implementation, and deployment phases. This process enables the verification of the effectiveness of security controls built into the Corti service and facilitates the validation of the security of the deployed solution.

We manage operational and customer feedback in the development processes using the Zendesk service, which provides comprehensive incident reporting and customer support functions.

Personnel Security

Corti recognizes that maintaining a robust security culture and promoting staff awareness is critical to the continued protection of our customers’ data.

All staff undergo employment checks as part of the recruitment process and are subject to confidentiality agreements.

We communicate security issues and awareness through a combination of regular meetings, continuous improvement processes, and individual feedback.

Staff activities are subject to monitoring, with computer-based operations critical to maintaining security subject to robust logging and auditing. In addition, we manage staff access using role-based access controls, which we grant utilizing the principle of least privilege and subject to review whenever any personnel join, leave, or change roles within the company.

Human resource management procedures are in place to manage security breaches and other security-related incidents in accordance with the company’s business processes.

Physical Security Controls

We host the Corti service in data centers managed, operated, and monitored by Microsoft. They disperse their data centers geographically, allowing the selection of locations that meet customers' regulatory needs. Physical security is certified to industry security standards, including ISO/IEC 27001, and compliance is subject to regular independent audits.

Strict controls are in place to protect physical access to infrastructure hosting customer data using multi-layered perimeter defenses with multi-factor authentication of authorized personnel.

Data-bearing devices are subject to industry best practice data destruction techniques before decommissioning. This process applies techniques that ensure recovery of information is impossible. In addition, retained auditable records demonstrate compliance.
