Security Overview
Last updated: August 9, 2025
Informational summary of current practices. Contractual commitments are in the Terms of Service and Privacy Policy, with specific security and data-protection obligations in the DPA.
Contact (security incidents & responsible disclosure)
- Email: security@cortexium.io
- Phone (for customers with support plans): TBD
Scope
- Website: cortexium.io (GitHub Pages). No cookies/tracking added; no additional server logs maintained by Cortexium.
- App: app.cortexium.io (Hetzner, Germany).
Data Protection Measures (TOMs)
- Identity & Access: least privilege; role‑based access; admin MFA enforced; periodic access reviews; immediate revocation on off‑boarding.
- Data Security: TLS in transit; encryption at rest where available; secrets management; network isolation.
- Logging & Monitoring: centralized logs; alerts; retention targets: access logs 30–90 days, audit/security logs up to 12 months.
- Backups & Continuity: encrypted backups with 7-day retention (target 30 days); periodic restore tests; no cross‑region replication yet (Germany↔Finland may be enabled later).
- Development & Release: peer review; CI/CD least privilege; dependency scanning/patching; staging environment.
- Vendor/Subprocessor Mgmt: public list at Subprocessors; we aim to provide advance notice (typically 30 days) of material subprocessor changes; EU‑preferred; DPF/SCCs for US vendors; subscribe to change notices at legal-notices@cortexium.io.
- Privacy & Rights: single Policy covers website + app; processes for access/erasure/rectification/objection/portability.
- Incident Response: defined procedures; notify customers without undue delay per DPA; post-incident reviews.