Security Checklist
Updated over a month ago

| Question | Y/N | Details |
|---|---|---|
| Is Corti HIPAA compliant? | Yes | Corti complies with the HIPAA requirements. |
| Are the data centers HIPAA compliant and ISO/IEC 27001:2013 certified? | Yes | Azure complies with the HIPAA requirements and adheres to the Security Rule requirements in its capacity as a business associate. Azure data centers are certified against a number of national and international standards, including ISO/IEC 27001. |
| Can the customer choose the location(s) of the data centers used? | Yes | Azure data centers are located in 35 different countries worldwide to meet national and regional regulatory and jurisdictional requirements. |
| Does the service implement robust monitoring and redundancy to manage technical failures? | Yes | Azure data centers provide resilience to technical failure using multiple levels of physical and logical redundancy. |
| Does the service support post-incident data recovery? | Yes | Azure deployments include data backup options to support service recovery and data restoration following accidental modification or deletion of data, or following a security incident. |
| Do you segregate customer data? | Yes | Customer data is only stored and processed within the customer's instance of the Corti service. All customer instances are isolated using dedicated virtual servers and storage segregated within the Azure hosting infrastructure. |
| Who has access to customer data held within the service? | Yes | Access to data is restricted by the customer to their authorized users only, with data confidentiality protected using robust encryption that prevents unauthorized access to data. |
| Are advanced threat detection and prevention measures employed? | Yes | The Corti solution uses comprehensive information security monitoring and protection measures, including firewall perimeter security and third-party network security monitoring. |
| Is data protected at rest? | Yes | All stored data is encrypted using the AES algorithm. |
| Is data protected in transit? | Yes | All data in transit is encrypted using the TLS 1.2 protocol. |
| Can you create unique encryption keys per customer? | Yes | We provide each customer with unique encryption keys for their instance of the Corti service. |
| Do you enforce full hard disk encryption on devices and media containing PII and PHI data? | Yes | PII and PHI data are only stored within each customer's instance of the Corti service on the Azure infrastructure. The service encrypts stored data, with access controlled by the data owner. |
| Do you enforce access controls on each system housing client data? | Yes | The customer's designated administrator controls logical access to their data using Azure's identity and access management functions. Access is subject to logging and auditing. Physical access to the Azure environment is strictly controlled and audited by the hosting company. |
| Do you have application-level authentication? | Yes | All authorized users are provided with a named, password-protected account. Multi-factor authentication and the password policy are configurable by the client. |
| Are account-level changes logged and retained? | Yes | All authentication and access changes are logged and audited. |
| Are all servers suitably isolated and behind firewalls? | Yes | All customer instances of the Corti service include a software firewall to manage access and implement content controls. |
| Are there robust network boundary security controls in place? | Yes | The Azure hosting environment includes robust perimeter controls using a multi-layered approach to network protection. |
| Are network monitoring and alerting in place to respond to significant traffic changes? | Yes | Azure hosting offers advanced network traffic monitoring with automated protection against DDoS attacks. |
| Is the hosting environment hardened? | Yes | The Azure hosting environment includes tools and guidance for hardening, to disable unneeded services and connections. |
| Do you ensure that hosted client data is securely removed after deletion? | Yes | Azure will remove all client data marked for deletion in accordance with its data destruction policy. |
| Are information security and privacy policies aligned with industry standards? | Yes | Corti's and Azure's information security and privacy policies align with applicable major industry standards, including ISO/IEC 27001. |
| Do you communicate your policies to staff and contractors? | Yes | Staff and contractors have access to the relevant policies and receive regular communications and briefings when necessary. |
| Is cross-border data movement limited, monitored, or controlled? | Yes | All data movement within the Azure hosting environment follows the applicable legislation for the relevant hosting jurisdiction. |
| Is access to the Corti service fully auditable? | Yes | Customers have access to audit reports for their instance of the Corti solution. |
| Is the Corti service regularly and independently security audited? | Yes | The Corti solution is subject to annual independent security auditing, while the Azure hosting environment is fully certified and subject to regular independent audits. |
| Is an individual, group, or committee responsible and accountable for information security and data handling? | Yes | Corti's Chief Technical Officer is responsible and accountable for information security and data protection. |
| Do you follow a defined change management process? | Yes | Corti business practices include a defined change management process that staff must follow. |
| Do you back up important data? | Yes | All customer instances of the Corti service include backup options that are fully configurable by the service operator to meet their business requirements. |
| Do you have a process in place for security patch management? | Yes | Security patches are applied automatically as part of the Azure hosting solution. |
| Do you capture and maintain logs of information security activity? | Yes | The Azure hosting solution generates security event logs that are processed by a third-party monitoring and security service provider for threat detection and response. |
| Do you have an incident management process in place? | Yes | Corti business practices include a defined incident management process that staff must follow. |
| Are staff subject to pre-employment checks? | Yes | All staff are subject to reference checks as part of the recruitment process. |
