Security

Data on the CORTO Systems

Being a cloud-based solution, the software and all client data is stored on CORTO Services, which are built on the Amazon Web Services (AWS) platform.

AWS is a leading cloud services platform, providing database storage, content delivery and a range of other functions. It is one of the largest and most successful cloud platform providers in the world.

AWS makes security its top priority, providing a data centre and network architecture built to meet the requirements of the most security-sensitive organisations. AWS is constantly evolving its core security services such as identity and access management, logging and monitoring, encryption and key management, network segmentation and Distributed Denial of Service (DDoS) protection.

CORTO stores data originating from the EU, UK, AU, NZ, US and CA in AWS’s Oregon region, US (us-west-2).

CORTO follows information security industry best practices to protect client data while actively taking advantage of AWS’s suite of security services. For more details on AWS security, please refer to the AWS Security and Compliance Documentation.

Compliance

We comply with all applicable privacy laws and regulations, such as the Australian Privacy Act of 1988. For more information about a specific country’s privacy laws and how they may relate to your rights over your data, please visit our Privacy Policy.

CORTO has also obtained its SOC 2 Type II certification, a globally recognised security framework developed by the American Institute of Certified Public Accountants (AICPA). The framework encompasses controls for managing customer data, application architecture and business practices, ensuring that CORTO and its application are secure. To learn more about SOC 2 or read our report, please visit our Trust Centre.

Additionally, CORTO is certified with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF. This framework helps ensure that personal data transferred from the European Union and the United Kingdom to the United States is handled securely and in compliance with privacy regulations. To learn more about the Data Privacy Framework (DPF) Program, and to view our certification, please visit the Data Privacy Framework website.

We follow other industry best practices to maintain the highest security standards across our systems and processes.

Encryption at rest and in transit

The CORTO application is accessed via HTTPS using Transport Layer Security (TLS). Once client data reaches the CORTO cloud infrastructure, all information is then encrypted at rest using AES-256 encryption.

Service Availability

CORTO is designed as a highly available solution to reduce the risk of downtime. Its services are distributed across multiple AWS data centres within the Oregon AWS region (us-west-2) and utilise OpenAI services for AI features. CORTO is not responsible for any delays caused by the availability of AWS or OpenAI services.

Systems Monitoring | 24/7

The CORTO environment is monitored 24 hours a day, 7 days a week, 365 days a year. This ensures that any potential issues are quickly identified and addressed, providing peace of mind regarding the security and reliability of your data.

Application Security

CORTO adheres to secure development practices, including code scanning, code reviews, testing, and internal security consultations on development projects. We also engage external parties to perform annual penetration tests on the CORTO application. Additionally, CORTO implements robust security measures to continuously protect all CORTO APIs and prevent automated abuse by bots and other malicious actors. We use advanced Web Application Firewalls to distinguish between legitimate and malicious traffic automatically.

Generative AI and LLMs

We partner with OpenAI for our generative AI needs. Importantly, OpenAI ensures that client data is not used for training its models, as outlined in the OpenAI Enterprise Privacy Policy.

Authorisation

If you provide CORTO with any personal or sensitive data about other individuals, whether directly, through our websites, our software, or by any other means, you confirm that you have the authority to do so and grant us permission to use, access, or host that data.

Account Access

To protect you and your information, CORTO may suspend your access to any CORTO service without notice if a security breach is suspected, pending investigation.

Unauthorised access to password-protected and/or secure areas is prohibited and may result in legal action (including criminal prosecution) and account suspension.

If you believe your interaction with us is no longer secure (for example, if you suspect your account's security has been compromised), please notify us immediately through our Trust Centre.

We may use your information as we believe necessary or appropriate under applicable law, including laws outside your country of residence.

CORTO uses industry-standard security measures to protect your information. However, the security of data transmitted over the Internet cannot be guaranteed.

CORTO is not liable for any interception or interruption of communications over the Internet or for any alterations or losses of information.

Users are responsible for maintaining the security of their passwords, user IDs, or other forms of authentication used to access password-protected or secure areas of CORTO systems.

Employee Vetting

All CORTO staff with direct access to our critical infrastructure must undergo a rigorous vetting process, including police background checks. This guarantees that only verified team members are entrusted to manage our core platform.

Data Breach Notification

CORTO will promptly notify the client in writing upon discovering any data breach involving the client’s data.

If you identify a vulnerability or notice that data is publicly accessible outside the CORTO software, please contact CORTO immediately through our Trust Centre.

Ensuring the security and confidentiality of our users' data is a top priority for us. The thorough, independent SOC 2 Type II evaluation of our internal security controls reinforces our commitment to maintaining the highest standards for protecting user data.

Questions?

This statement reflects the security policy of CORTO and is regularly reviewed and updated. It should be regarded as the primary source of truth regarding security within CORTO. If you have any questions, please refer to our Security FAQ documentation.