
CORT Security and Privacy

CORT takes threats to the availability, integrity, and confidentiality of our clients' information seriously. As such, CORT is an ISO/IEC 27001:2013 certified provider whose Information Security Management System (ISMS) has received third-party accreditation from the International Standards Organization.

ISO/IEC 27001:2013 is an information security management system standard published in October 2013 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). A-LIGN, an independent, third-party auditor, found CORT to have technical controls in place and formalized IT Security policies and procedures. A-LIGN is an ISO/IEC 27001 certification body accredited by the ANSI National Accreditation Board (ANAB) to perform ISMS 27001 certifications. CORT has implemented several security measures and countermeasures that protect it from unauthorized access or compromise, and IT personnel were found to be conscientious and knowledgeable in best practices.

Compliance with this internationally recognized standard confirms that CORT’s security management program is comprehensive and follows leading practices. The scope of our ISO/IEC 27001:2013 certification is contained in the ISO 27001:2013 Certification document linked below.

ISO 27001:2013 Certification

CORT ISO Scope

The scope of the ISO 27001:2013 certification is limited to the ISMS supporting CORT’s information technology department and external and internal-facing applications managed by the CORT information technology department, including CORT’s IT personnel and IT systems, along with the policies, procedures, standards, tools, utilities, and data used in the business execution and the design, development, testing, and support of external and internal-facing applications.

Why does ISO compliance matter to CORT's customers?

To achieve our ISO certifications, CORT’s information security management system (ISMS) was thoroughly evaluated by an independent auditing firm, A-LIGN Compliance and Security Inc., which ensures verification from a trusted third party. The certification process demonstrates CORT's continued commitment to information security at every level and ensures the security of our customers' data and information has been addressed, implemented, and properly controlled in all areas of our organization.

CORT’s Compliance with Data Privacy Frameworks

What is a Data Privacy Framework (DPF)?

The EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF were developed by the U.S. Department of Commerce, European Commission, UK Government, and Swiss Administration, respectively, to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union, UK, and Switzerland to the United States in support of transatlantic commerce. On July 10th, 2023, the European Commission deemed the EU-U.S. Data Privacy Framework adequate to enable data transfers under EU law. The UK Extension entered into force on October 12, 2023. The Swiss Government is expected to announce the approval of the Swiss-U.S. Data Privacy Framework as a valid legal mechanism to comply with Swiss requirements when transferring personal data from Switzerland to the United States. CORT’s self-certification under the Data Privacy Framework Program enabled CORT to certify compliance with all three frameworks.

Which Organizations Participate in the Data Privacy Framework?

The authoritative list of Data Privacy Framework participants is available here. Thousands of organizations are Data Privacy Framework participants. These organizations span industry sectors and sizes. While many large multinational entities have self-certified, over fifty percent of participants are small and medium-sized companies. Although participants must be based in the United States, U.S. subsidiaries of EU-headquartered companies can self-certify and have done so.

What are the benefits for organizations that self-certify to the Data Privacy Framework?

The EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) provide a number of important benefits to U.S.-based organizations, as well as their partners in Europe. These include:

  • All Member States of the European Union will be bound by the European Commission’s adequacy decision for the EU-U.S. DPF, the United Kingdom and Gibraltar will be bound by the UK Government’s data bridge for the UK Extension to the EU-U.S. DPF, and Switzerland will be bound by the Swiss Federal Administration's recognition of adequacy for the Swiss-U.S. DPF once those government actions enter into force;
  • Participating organizations are deemed to provide “adequate” data protection (i.e., privacy protection), a requirement (subject to limited derogations) for the transfer of personal data outside of the European Union under the EU General Data Protection Regulation (GDPR), outside of the United Kingdom under the UK Data Protection Act 2018 and UK General Data Protection Regulation (UK GDPR), and outside of Switzerland under the Swiss Federal Act on Data Protection (FADP);
  • Because adequate protection is provided by participating organizations, contracts with such organizations for mere processing do not require prior authorization; and
  • Compliance requirements are clearly laid out and cost-effective, which should particularly benefit small and medium-sized enterprises.

CORT Privacy Policy