Data Security
Last updated: April 1, 2026
At Cortexa Holdings, Inc. ("Cortexa"), security is foundational to everything we build. As a platform trusted by therapy practices to handle sensitive operational and clinical data, we maintain rigorous security standards across our infrastructure, application, and organizational practices. This page provides a detailed overview of our security posture.
Security Certifications and Compliance
SOC 2 Type II
Cortexa has achieved SOC 2 Type II certification, which independently validates that our security controls are not only designed effectively but are operating effectively over a sustained period. Our SOC 2 audit covers the Trust Services Criteria for Security, Availability, and Confidentiality. We undergo annual audits conducted by an independent third-party auditing firm.
HIPAA Compliance
Cortexa is fully HIPAA compliant and operates as a Business Associate under HIPAA. We execute Business Associate Agreements with all applicable customers and maintain comprehensive administrative, physical, and technical safeguards. For detailed information, see our HIPAA Compliance page.
Encryption
Encryption at Rest
All data stored within the Cortexa platform is encrypted using AES-256 (Advanced Encryption Standard with 256-bit keys), one of the strongest encryption algorithms available and approved by the U.S. National Institute of Standards and Technology (NIST). This includes:
- Primary databases and data stores
- Database backups and snapshots
- File storage and object stores
- Log archives and audit trails
Encryption keys are managed through AWS Key Management Service (KMS) with automatic annual key rotation. Key access is tightly controlled and audited.
Encryption in Transit
All data transmitted to and from the Cortexa platform is encrypted using TLS 1.3, the latest version of the Transport Layer Security protocol. We enforce HTTPS on all endpoints and do not support older, deprecated protocol versions (SSL 3.0, TLS 1.0, TLS 1.1). Certificate management is automated to prevent lapses.
- API communications between Cortexa and your EHR systems use TLS 1.3 with mutual authentication where supported
- Internal service-to-service communication within our infrastructure is encrypted using mTLS
- OAuth 2.0 tokens used for EHR integrations are encrypted and stored with short expiration windows
Infrastructure Security
Cloud Infrastructure
Cortexa's infrastructure is hosted exclusively on Amazon Web Services (AWS), a leading cloud provider with extensive security certifications including SOC 1/2/3, ISO 27001, ISO 27017, ISO 27018, PCI DSS Level 1, and FedRAMP. Our infrastructure utilizes:
- Virtual Private Cloud (VPC): All resources operate within isolated VPCs with private subnets, network ACLs, and security groups that restrict traffic to only necessary ports and protocols
- Multi-AZ Deployment: Critical services are deployed across multiple AWS Availability Zones for high availability and fault tolerance
- Geographic Redundancy: Database backups are replicated to a separate AWS region for disaster recovery
- DDoS Protection: AWS Shield and AWS WAF provide protection against distributed denial-of-service attacks and common web exploits
Network Security
- Firewalls and security groups enforce strict ingress and egress rules
- Intrusion detection and prevention systems (IDS/IPS) monitor for malicious activity
- All administrative access to infrastructure requires VPN and multi-factor authentication
- Network traffic is continuously monitored for anomalies
Application Security
Secure Development Practices
Cortexa follows secure software development lifecycle (SDLC) practices:
- Code Reviews: All code changes undergo peer review before deployment
- Static Analysis: Automated static application security testing (SAST) scans every code commit for vulnerabilities
- Dependency Scanning: Third-party libraries and dependencies are continuously monitored for known vulnerabilities
- Input Validation: All user inputs are validated and sanitized to prevent injection attacks (SQL injection, XSS) and cross-site request forgery (CSRF)
- Least Privilege: Application components operate with the minimum permissions necessary
Authentication and Session Management
- Passwords are hashed using bcrypt with industry-standard cost factors
- Multi-factor authentication (MFA) is available for all accounts and required for administrative access
- Session tokens are cryptographically generated and expire after periods of inactivity
- Failed login attempts trigger rate limiting and account lockout protections
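The four controls above (salted adaptive password hashing, failed-attempt lockout, unguessable session tokens, and idle expiry) fit together in a small login service. The following is an added illustration, not Cortexa's code; it uses PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for bcrypt (which is a third-party package), and the threshold, lockout duration and idle timeout are assumed values, not the platform's.

```python
import hashlib
import hmac
import os
import secrets
import time

# Stand-in for bcrypt: PBKDF2-HMAC-SHA256 with a random 16-byte salt per password.
# The iteration count plays the same role as bcrypt's cost factor (assumed value).
PBKDF2_ITERATIONS = 200_000
MAX_FAILED_ATTEMPTS = 5          # assumed lockout threshold
LOCKOUT_SECONDS = 15 * 60        # assumed lockout duration
SESSION_IDLE_TIMEOUT = 30 * 60   # assumed inactivity timeout


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # Self-describing string so the cost factor can be raised later without a migration flag.
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison so a wrong digest does not leak how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Hash verified for unknown usernames so "no such user" costs the same time as "wrong password".
_DUMMY_HASH = hash_password(secrets.token_hex(16))


class AuthService:
    def __init__(self, clock=time.time):
        self.clock = clock        # injectable clock so lockout and expiry can be tested
        self.users = {}           # username -> stored password hash
        self.failures = {}        # username -> (failed count, time of last failure)
        self.sessions = {}        # token -> {"user": username, "last_seen": timestamp}

    def register(self, username: str, password: str) -> None:
        self.users[username] = hash_password(password)

    def _locked_out(self, username: str) -> bool:
        count, last = self.failures.get(username, (0, 0.0))
        return count >= MAX_FAILED_ATTEMPTS and self.clock() - last < LOCKOUT_SECONDS

    def login(self, username: str, password: str):
        """Return a session token on success, None on failure or lockout."""
        if self._locked_out(username):
            return None
        ok = verify_password(password, self.users.get(username, _DUMMY_HASH))
        if username not in self.users or not ok:
            count, _ = self.failures.get(username, (0, 0.0))
            self.failures[username] = (count + 1, self.clock())
            return None
        self.failures.pop(username, None)
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self.sessions[token] = {"user": username, "last_seen": self.clock()}
        return token

    def authenticate(self, token: str):
        """Return the username for a live session, or None if unknown or idle too long."""
        session = self.sessions.get(token)
        if session is None:
            return None
        if self.clock() - session["last_seen"] > SESSION_IDLE_TIMEOUT:
            del self.sessions[token]
            return None
        session["last_seen"] = self.clock()  # sliding idle window
        return session["user"]
```

Lockout state is keyed per account here; a production deployment would also rate-limit by source address and persist the counters outside the process so a restart does not reset them.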
Access Controls
Customer Access
The Cortexa platform implements role-based access control (RBAC), allowing practice owners to assign granular permissions to clinicians and staff. Available roles include:
- Owner: Full access to all practice data, settings, and user management
- Administrator: Access to practice data and settings, but cannot modify billing or delete the account
- Clinician: Access limited to their own performance data and caseload metrics
- Viewer: Read-only access to designated dashboards and reports
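A deny-by-default check that encodes the four roles above, added here as an illustration rather than the platform's own authorization code. The permission names, the resource kinds and the way Clinician access is scoped to the clinician's own records (and Viewer access to designated dashboards) are assumptions drawn from the role descriptions, not Cortexa's schema.

```python
from dataclasses import dataclass, field
from typing import Optional

# Assumed permission vocabulary (not the platform's own).
ROLE_PERMISSIONS = {
    "owner": {"data:read", "data:write", "settings:write", "billing:write",
              "users:manage", "account:delete", "dashboard:read"},
    "administrator": {"data:read", "data:write", "settings:write",
                      "users:manage", "dashboard:read"},
    "clinician": {"data:read"},          # scoped to the clinician's own records below
    "viewer": {"dashboard:read"},        # scoped to designated dashboards below
}


@dataclass(frozen=True)
class User:
    id: str
    role: str
    designated_dashboards: frozenset = field(default_factory=frozenset)


@dataclass(frozen=True)
class Resource:
    kind: str                       # e.g. "metrics", "dashboard", "billing", "account"
    id: str
    owner_id: Optional[str] = None  # clinician the record belongs to, if any


def is_allowed(user: User, action: str, resource: Resource) -> bool:
    """Deny unless the role grants the action AND any row-level scope matches."""
    if action not in ROLE_PERMISSIONS.get(user.role, set()):
        return False
    if user.role == "clinician":
        # Clinicians see only their own performance data and caseload metrics.
        return resource.owner_id == user.id
    if user.role == "viewer":
        # Viewers see only dashboards/reports explicitly designated for them.
        return resource.kind == "dashboard" and resource.id in user.designated_dashboards
    return True
```

Keeping the scope rules in one function (rather than scattered through query code) is what makes the policy reviewable; a unit test per role per resource kind is the cheapest way to catch a privilege regression.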
Internal Access
Cortexa employee access to customer data is strictly controlled:
- Principle of least privilege is enforced for all employees
- Access to production systems requires MFA and is limited to authorized personnel
- All access is logged, audited, and reviewed quarterly
- Access is immediately revoked upon role change or employment termination
- Background checks are conducted for all employees with data access
Vulnerability Management
- Penetration Testing: We engage independent third-party security firms to conduct annual penetration tests of our application and infrastructure
- Vulnerability Scanning: Automated vulnerability scans run continuously against our infrastructure and application
- Patch Management: Security patches are evaluated and applied promptly. Critical vulnerabilities are patched within 24 hours of disclosure
- Bug Bounty: We welcome responsible disclosure of security vulnerabilities. Please report findings to [email protected]
Incident Response
Cortexa maintains a documented incident response plan that is tested and updated regularly. Our incident response process includes:
- Detection and Alerting: 24/7 automated monitoring with real-time alerting for security events
- Triage and Classification: Incidents are classified by severity and assigned to the appropriate response team
- Containment: Immediate actions to contain the incident and prevent further impact
- Investigation: Thorough forensic investigation to determine root cause and scope
- Notification: Affected customers are notified within the timeframes required by applicable laws and regulations, including HIPAA Breach Notification requirements
- Recovery: Restoration of affected systems and services to normal operation
- Post-Incident Review: Detailed analysis of the incident with corrective actions to prevent recurrence
Business Continuity and Disaster Recovery
- Automated Backups: Databases are backed up continuously with point-in-time recovery capability
- Recovery Time Objective (RTO): Less than 4 hours for critical services
- Recovery Point Objective (RPO): Less than 1 hour of data loss in the worst case
- Disaster Recovery Testing: Recovery procedures are tested at least annually to verify effectiveness
- Redundancy: Critical components have automatic failover capabilities across multiple availability zones
Data Disposal
When customer data is no longer needed (e.g., after account termination and the 30-day export period), it is securely deleted using cryptographic erasure — the encryption keys are destroyed, rendering the data unrecoverable. Physical media used by AWS is decommissioned and destroyed in accordance with NIST 800-88 guidelines.
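The two ideas in this section and in Encryption at Rest above (a KMS-managed master key that is rotated annually, and deletion by destroying keys rather than overwriting data) are easiest to see together in a small envelope-encryption model. This is an added example, not Cortexa's implementation: it replaces AES-256 (not in the Python standard library) with an HMAC-SHA256 keystream used as a stand-in stream cipher, and the single-process "key manager" is a stand-in for AWS KMS. The toy cipher provides confidentiality only; a real deployment would use an authenticated mode such as AES-GCM.

```python
import hashlib
import hmac
import os


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for AES-256: HMAC-SHA256 in counter mode as a keystream (toy, unauthenticated).
    XOR is its own inverse, so the same call encrypts and decrypts."""
    out = bytearray()
    for block_no, offset in enumerate(range(0, len(data), 32)):
        block = hmac.new(key, nonce + block_no.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


class KeyManager:
    """Minimal model of a KMS: master key versions wrap per-tenant data keys.
    Rotation adds a new master version but keeps old versions so existing wrapped
    keys still unwrap; erasure deletes the wrapped data key so ciphertext is unreadable."""

    def __init__(self):
        self.master_versions = [os.urandom(32)]
        self.wrapped = {}  # tenant_id -> (master version, nonce, wrapped data key)

    def rotate_master(self) -> None:
        self.master_versions.append(os.urandom(32))  # new material, old versions retained

    def create_data_key(self, tenant_id: str) -> None:
        data_key = os.urandom(32)
        nonce = os.urandom(16)
        version = len(self.master_versions) - 1  # wrap under the current master version
        self.wrapped[tenant_id] = (
            version, nonce, keystream_xor(self.master_versions[version], nonce, data_key)
        )

    def data_key(self, tenant_id: str) -> bytes:
        if tenant_id not in self.wrapped:
            raise KeyError(f"no data key for {tenant_id}: destroyed or never created")
        version, nonce, wrapped = self.wrapped[tenant_id]
        return keystream_xor(self.master_versions[version], nonce, wrapped)

    def destroy_data_key(self, tenant_id: str) -> None:
        """Cryptographic erasure: the ciphertext stays on disk but can never be decrypted."""
        self.wrapped.pop(tenant_id, None)


class EncryptedStore:
    """Records are encrypted under the tenant's data key with a fresh nonce per record."""

    def __init__(self, km: KeyManager):
        self.km = km
        self.rows = {}  # (tenant_id, record_id) -> (nonce, ciphertext)

    def put(self, tenant_id: str, record_id: str, plaintext: bytes) -> None:
        nonce = os.urandom(16)
        self.rows[(tenant_id, record_id)] = (
            nonce, keystream_xor(self.km.data_key(tenant_id), nonce, plaintext)
        )

    def get(self, tenant_id: str, record_id: str) -> bytes:
        nonce, ciphertext = self.rows[(tenant_id, record_id)]
        return keystream_xor(self.km.data_key(tenant_id), nonce, ciphertext)
```

The important property to check after erasure is that the stored bytes are untouched yet `get` fails: deletion depends on the key being gone, not on the storage layer having wiped anything. That is also why the key manager's audit trail and backups must be treated as part of the disposal process.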
Security Awareness
All Cortexa employees complete security awareness training upon hire and annually thereafter, covering topics including phishing recognition, secure coding practices, data handling procedures, and incident reporting. Targeted training is provided based on role and access level.
Contact Us
For questions about our security practices or to report a security concern, please contact us:
Cortexa Holdings, Inc.
Email: [email protected]
Website: www.usecortexa.com