Question | Y/N | Details |
--- | --- | --- |
Is Corti HIPAA compliant? | Yes | Corti complies with the HIPAA requirements |
Are data centers HIPAA and ISO/IEC 27001:2013 certified? | Yes | Azure complies with the HIPAA requirements and adheres to the Security Rule requirements in its capacity as a business associate. Azure data centers are certified against a number of national and international standards, including ISO/IEC 27001 |
Can the customer choose the location(s) of the data centers used? | Yes | Azure data centers are located in 35 different countries worldwide to meet national and regional regulatory and jurisdictional requirements |
Does the service implement robust monitoring and redundancy to manage technical failures? | Yes | Azure data centers provide resilience to technical failure using multiple levels of physical and logical redundancy |
Does the service support post-incident data recovery? | Yes | Azure deployments include data backup options to support service recovery and data restoration following accidental modification or deletion of data or following a security incident |
Do you segregate customer data? | Yes | Customer data is only stored and processed within the customer's instance of the Corti service. All customer instances are isolated using dedicated virtual servers and storage segregated within the Azure hosting infrastructure. |
Who has access to customer data held within the service? | Yes | Access to data is restricted by the customer to their authorized users only, with data confidentiality protected using robust encryption that prevents unauthorized access to data |
Are advanced threat detection and prevention measures employed? | Yes | The Corti solution uses comprehensive information security monitoring and protection measures, including firewall perimeter security and third-party network security monitoring |
Is data protected at rest? | Yes | All stored data is encrypted using the AES algorithm |
Is data protected in transit? | Yes | All data in transit is encrypted using the TLS 1.2 protocol |
Can you create unique encryption keys per customer? | Yes | We provide each customer with unique encryption keys for their instance of the Corti service |
Do you enforce full hard disk encryption on devices and media containing PII and PHI data? | Yes | PII and PHI data is only stored within each customer's instance of the Corti service on the Azure infrastructure. The service encrypts stored data with access controlled by the data owner |
Do you enforce access controls to each system housing client data? | Yes | The customer's designated administrator controls logical access to their data using Azure's identity and access management functions. Access is subject to logging and auditing. Physical access to the Azure environment is strictly controlled and audited by the hosting company |
Do you have application-level authentication? | Yes | All authorized users are provided with a named and password-protected account. Multi-factor authentication and password policy are configurable by the client |
Are account-level changes logged and retained? | Yes | All authentication and access changes are logged and audited |
Are all servers suitably isolated and behind firewalls? | Yes | All customer instances of the Corti service include a software firewall to manage access and implement content controls |
Are there robust network boundary security controls in place? | Yes | The Azure hosting environment includes robust perimeter controls using a multi-layered approach for network protection |
Is network monitoring and alerting in place to respond to significant traffic changes? | Yes | Azure hosting offers advanced network traffic monitoring with automated protection against DDoS attacks |
Is the hosting environment hardened? | Yes | The Azure hosting environment includes tools and guidance for hardening to disable unneeded services and connections |
Do you ensure that hosted client data is securely removed after deletion? | Yes | Azure will remove all client data marked for deletion in accordance with its data destruction policy |
Are information security and privacy policies aligned with industry standards? | Yes | Corti's and Azure's information security and privacy policies align with applicable major industry standards, including ISO/IEC 27001 |
Do you communicate your policies to staff and contractors? | Yes | Staff and contractors have access to relevant policies and receive regular communications and briefings when necessary |
Is cross-border data movement limited, monitored, or controlled? | Yes | All data movement within the Azure hosting environment follows applicable legislation for the relevant hosting jurisdiction |
Is access to the Corti service fully auditable? | Yes | Customers have access to audit reports for their instance of the Corti solution |
Is the Corti service regularly independently security audited? | Yes | The Corti solution is subject to annual independent security auditing, while the Azure hosting environment is fully certified and subject to regular independent audits |
Is an individual, group, or committee responsible and accountable for information security and data handling? | Yes | Corti's Chief Technical Officer is responsible and accountable for information security and data protection |
Do you follow a defined Change Management process? | Yes | Corti business practices include a defined change management process that staff must follow |
Do you back up important data? | Yes | All customer instances of the Corti service include backup options that are fully configurable by the service operator to meet their business requirements |
Do you have a process in place for security patch management? | Yes | Security patches are automatically applied as part of the Azure hosting solution |
Do you capture and maintain logs of information security activity? | Yes | The Azure hosting solution generates security event logs that are processed by a third-party monitoring and security service provider for threat detection and response |
Do you have an incident management process in place? | Yes | Corti business practices include a defined incident management process that staff must follow |
Are staff subject to pre-employment checking? | Yes | All staff are subject to reference checks as part of the recruitment process |