Frequently asked questions about security

Updated over 3 months ago

This article contains frequently asked questions (FAQs) regarding security.

Q: What measures do you take to protect my data?

A: At CORTO, we implement a robust security strategy to ensure the confidentiality, integrity, and availability of your data. This includes industry-standard encryption, regular scheduled vulnerability assessments, constant security monitoring, and strict access control policies. We utilise trusted cyber security tools for comprehensive threat identification and management.

Q: How is my personal/sensitive information stored?

A: CORTO is a cloud-based solution that stores all client data on CORTO Services, utilising the Amazon Web Services (AWS) platform in the Oregon region, US. AWS is a leading cloud provider known for its robust security measures, including advanced identity and access management, encryption, and DDoS protection.

Your personal and sensitive information is securely stored using encryption-at-rest (AES-256) and encryption-in-transit (HTTPS/TLS). Access to your data within our organisation is tightly controlled and restricted to authorised personnel only.

CORTO follows industry best practices to ensure data security while leveraging AWS's comprehensive security services. For more details on AWS security, please refer to the AWS Security & Compliance Quick Reference Guide.

Q: What personal/sensitive data do you collect?

A: CORTO collects the information necessary to provide and improve our services. This may include PII data and legal information. Any sensitive data is collected with your consent and is used strictly for its intended purpose. We may collect sensitive information through 'Feedbacks' to enhance our services.

Q: Do you comply with any cyber security frameworks?

A: Yes, CORTO complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF. This framework helps ensure that personal data transferred from the European Union and the United Kingdom to the United States is handled securely and in compliance with privacy regulations. To learn more about the Data Privacy Framework (DPF) Program, and to view our certification, please visit https://www.dataprivacyframework.gov/list

We are also in the process of obtaining SOC 2 certification, a widely recognised standard for managing customer data securely and ensuring strong privacy controls. Additionally, we follow other industry best practices to maintain the highest security standards across our systems and processes.

Q: Do you share my data with third parties?

A: We do not share your personal data with third parties unless it is necessary for providing our services or required by law. Our Vendor Management policy ensures any third-party vendors are thoroughly vetted to meet our security and privacy standards.

Q: Is my data used to train the AI model?

A: No. CORTO partners with OpenAI for our generative AI needs. OpenAI ensures that client data is not used for training their models. (OpenAI Enterprise Privacy Policy)

Q: How are staff vetted and trained?

A: All CORTO staff with direct access to our critical infrastructure must undergo a rigorous vetting process, including police background checks. This guarantees that only verified team members are entrusted to manage our core platform.

All CORTO staff also participate in mandatory monthly cyber security training modules, ensuring our staff are up to date on the latest cyber safe practices and potential threats.

Q: How do you handle data breaches?

A: In the unlikely event of a data breach, CORTO follows a comprehensive incident response plan. We will notify affected users as required by law, take immediate steps to contain the breach, and conduct a thorough investigation to prevent future incidents. Our team works around the clock to mitigate any risks.

If you notice that data is publicly accessible outside the CORTO Software, please contact CORTO immediately at [email protected].

Q: Where can I find CORTO's security statement?

A: CORTO’s security statement is available on our website. You can access it by visiting CORTO - Security Statement, or contact the Information Security team ([email protected]) for more information.

Q: What should I do if I suspect a security issue with my account or have any questions about my data and its security?

A: If you suspect a security issue with your account, please contact CORTO immediately at [email protected]. We recommend changing your password to enhance security while our team investigates the matter. For any questions or concerns about your data and its security, our Information Security team is ready to assist you promptly at the same email address.
