CORTEXR Technical and Organisational Measures
This document describes the technical and organisational security measures and controls implemented by CORTEXR to protect the data customers entrust to us as part of the CORTEXR service offerings.
“Developer” means a person with a CORTEXR account, who is considered a Data Controller under the GDPR unless otherwise specified.
“Developer Data” means any information provided or submitted by the Developer that is processed by CORTEXR.
“End User” means a person who views an app or web page created by the Developer, which may or may not be linked to the CORTEXR platform.
“End User Data” means any information provided or submitted by the End User that is processed by CORTEXR.
“Personal Data” means any information relating to an identified or identifiable natural person.
“Personnel” means CORTEXR employees, consultants and authorised subprocessors.
“Strong Encryption” means the use of industry-standard encryption measures.
“CORTEXR” means CORTEXR, a trading name of Gorilla In The Room Ltd, headquartered in the United Kingdom.
Organisation Of Information Security
CORTEXR employs full-time engineering Personnel responsible for maintaining information security.
All Personnel responsible for information security report directly to the Chief Technology Officer or Chief Executive Officer.
All Personnel have signed legally reviewed confidentiality agreements.
All Personnel are given training for data privacy and information security upon hire.
The CORTEXR platform operates from several leading cloud providers that run inside certified third-party production data centers with a protected physical perimeter, strong physical controls, electronic access control, human security personnel, video surveillance, and electronic intrusion detection systems.
Power and telecommunications cabling carrying Developer Data and End User Data, or supporting information services at the production data centers, is protected from interception, interference and damage.
The production data centers and their equipment are physically protected against natural disasters, unauthorised entry, malicious attacks, and accidents.
Equipment at the production data center is protected from power failures and other disruptions caused by failures in supporting utilities and is appropriately maintained.
Access to CORTEXR systems is granted only to Personnel and access is strictly limited as required for those persons to fulfil their function.
CORTEXR has a password policy that prohibits the sharing of passwords and requires passwords to be changed on a regular basis. All passwords must fulfil defined minimum complexity requirements and are stored in encrypted form.
Access to systems containing Developer Data and End User Data requires two-factor authentication and/or account federation via open standards (OAuth 2.0, SAML 2.0, or similar) from a certified third-party identity service that enforces two-factor authentication.
All communication with systems containing Developer Data and End User Data requires the use of Strong Encryption in transit via protocols such as HTTPS (TLS) and similar.
Access to Developer Data and End User Data is terminated when Personnel leave the company.
Personnel access to cloud services containing Developer Data and End User Data is logged and monitored.
CORTEXR restricts Personnel access to Developer Data and End User Data on a “need-to-know” basis.
Each such access and its subsequent operations are logged and monitored.
Personnel training covers access rights to and general guidelines on definition and use of Developer Data and End User Data.
Source code and configuration data are continually backed up to a leading cloud source-control provider.
Databases and compiled code are subject to regular automated backups.
Controls For Separation Of Duties
Multi-tiered environments separate development, staging, and production servers into isolated systems.
Active development occurs on test databases in the development environment that are isolated from actual Developer Data and End User Data.
The staging environment allows CORTEXR Personnel to test and catch errors in new versions of the software prior to their release to the production environment.