Security Notice

Our Approach to Security

At Cortex, protecting customer information is our priority. This matter has management-level commitment, and a risk-driven Information Security & Data Protection Programme has been established to ensure secure and resilient products. We acknowledge that cyber threats change rapidly, and that situational awareness and continuous improvement are key to delivering this.

Cortex processes personal data in many of its products, and such services are a core component of our offering. We recognise this data is a prime target for attack, and regularly review policies and controls to ensure we comply with Data Protection obligations. A Data Processing Agreement is included in our Terms and Conditions and you can find our Privacy Notice at: https://www.cortextech.io/privacy-notice

The systems involved in the development of Cortex products are certified to Cyber Essentials Plus, with the most recent external audit taking place in April 2025.

Frequently asked questions

Below are answers to some frequently asked questions about our security programme:
  • Information Security Policies, including Acceptable Use and Data Protection, are approved and disseminated to staff.

  • Policies are reviewed at a minimum on a yearly basis.

  • A Senior Risk Owner for the enterprise has been assigned, alongside trained staff supporting governance, compliance, application and operations security responsibilities.

  • Regular governance meetings are held to monitor the effectiveness of our programme.

  • Key suppliers are tracked and their security posture is reviewed throughout the year.

  • New suppliers are onboarded following a risk assessment, including any Data Protection impact where appropriate.

  • A comprehensive Incident Response Plan is in place, with supporting playbooks for more detailed activities.

  • A cross-business response team is responsible for managing any major incident.

  • Joiner and leaver activities are tracked and authorised via our ticketing system, with leavers' access being promptly removed at the end of employment.

  • Access reviews take place as a compensating control to reduce the likelihood of anything falling through the gaps.

  • Personal Data for both Customers and their users is only accessible by Cortex staff whose roles require access to that data to perform their job duties.

  • Privileged rights are restricted to only those with a business justification to require them.

  • All employees are subject to a contract of employment and staff handbook with requirements regarding compliance with non-disclosure and internal policies.

  • All employees are subject to a probationary period, during which an onboarding process is carried out.

  • All employees have mandatory yearly data protection training.

  • Regular engagements are provided to employees throughout the year on pertinent security topics and emerging threats. Guidance is provided on areas such as remote working, social engineering and on handling Subject Access Requests.

  • Employees are advised how to report security concerns.

  • User endpoints are fully managed, with vulnerability scanning, anti-malware agents and event monitoring.

  • Modern Anti-Malware controls are in use, with any detection alerts sent to our Security Operations team.

  • Devices have full disk encryption, USB storage devices are restricted, and screen lock timeouts enabled.

  • MFA is used extensively throughout our systems, and in place for all remote network access.

  • Regular vulnerability scanning takes place throughout the technology stack.

  • Vulnerability tickets are assigned to the respective teams to address within the limits set out in our standards.

  • All third-party software must be under vendor support, including the release of security updates.

  • Code scanning is automatically carried out to detect vulnerabilities prior to any product deployment.

  • We subscribe to vulnerability disclosure alert lists.

  • Penetration testing of key services is performed.

  • Customer data is deleted 30 days after termination. Within that 30-day period, a customer may request the return of that data in a common readable format.

  • Data is logically separated by tenant.

  • Customer databases are backed up, with point-in-time recovery capability.

  • Restore testing takes place to verify the integrity of backups.

  • Security events are forwarded from systems and correlated centrally, with threat intelligence applied to detect adverse events.

  • Alerts are sent to our Security Operations team for triage.

  • Web application firewalls, rate limiting and other security features are in place to protect web services from exploits and denial of service attacks.

  • Data is encrypted within database instances at rest.

  • TLS encryption is used for data in transit.

  • User endpoints have full disk encryption.

  • All code changes are tested through CI/CD software, with a staging environment prior to production.

  • The data centres used in the delivery of our products feature multiple levels of physical security, including onsite guarding, CCTV and access control.

  • Redundant power and cooling, supported by generator backup, are deployed.

  • At end of life, all hardware is disposed of in line with our disposal standard, which requires secure overwriting or destruction so that no data is recoverable.