CortexData

Security

Last updated: 9 May 2026.

CortexData is built for institutions that handle some of the most sensitive personal and financial data in the country. Security is a first-order architectural concern, not a compliance retrofit. This page summarises our public security posture.

Application security

  • OWASP Top-10 controls applied throughout the application layer.
  • Per-request authentication, authorisation, and audit logging.
  • Maker-checker workflows enforced at the application layer for sensitive operations.
  • Pre-merge and pre-release static-analysis + dependency-vulnerability scanning.

Data protection

  • RBI data-localisation by design — customer data resides in India (AWS ap-south-1 or your on-prem).
  • Encryption at rest via KMS or your equivalent.
  • Encryption in transit via TLS 1.3.
  • Field-level encryption for sensitive PII (PAN, Aadhaar, account numbers).
  • Audit logs are SHA-256 hash-chained and retained in an S3 Object Lock sink.
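An added illustration of the audit-log hash chain described above (example code, not CortexData's implementation), using constructed sample events: each record commits to its predecessor's SHA-256, so verification catches edits, reordering and mid-chain deletion, while the assumed `anchored_head` parameter models the newest hash having been written to the write-once retention sink, which is what catches truncation of the tail.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed anchor for the first record, not a CortexData value

def canonical(obj: dict) -> bytes:
    # Deterministic serialisation so equal records always hash identically.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def record_hash(rec: dict) -> str:
    body = {k: rec[k] for k in ("seq", "prev", "event")}
    return hashlib.sha256(canonical(body)).hexdigest()

def append(chain: list, event: dict) -> dict:
    # Each record commits to the hash of the record before it.
    rec = {"seq": len(chain), "prev": chain[-1]["hash"] if chain else GENESIS, "event": event}
    rec["hash"] = record_hash(rec)
    chain.append(rec)
    return rec

def verify(chain: list, anchored_head=None) -> tuple:
    """Return (ok, first_bad_seq). Edits, reordering and mid-chain deletions break a link;
    tail truncation is only caught when the newest hash was anchored outside the log."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["seq"] != i or rec["prev"] != prev or record_hash(rec) != rec["hash"]:
            return False, i
        prev = rec["hash"]
    if anchored_head is not None and prev != anchored_head:
        return False, len(chain)
    return True, None

def build_sample_chain() -> list:
    chain = []  # constructed sample events, not real audit data
    for ev in ({"actor": "maker-1", "action": "payment.create", "amount": 1500},
               {"actor": "checker-1", "action": "payment.approve", "ref": 0},
               {"actor": "maker-1", "action": "customer.update", "field": "address"}):
        append(chain, ev)
    return chain

def tamper_results() -> dict:
    """Map each tampering scenario to verify()'s (ok, first_bad_seq)."""
    head = build_sample_chain()[-1]["hash"]  # the value you would anchor in the sink
    edited = build_sample_chain(); edited[0]["event"]["amount"] = 15
    deleted = build_sample_chain(); del deleted[1]
    truncated = build_sample_chain(); truncated.pop()
    return {"intact": verify(build_sample_chain(), head), "edited": verify(edited, head),
            "deleted": verify(deleted, head), "truncated_unanchored": verify(truncated),
            "truncated_anchored": verify(truncated, head)}
```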

Infrastructure

  • Network segmentation (VPC subnetting, private subnets for data tier).
  • WAF + DDoS protection at the edge (AWS deployments).
  • Secrets management via KMS or HashiCorp Vault.
  • mTLS between internal services via a service mesh.
  • Multi-AZ deployment patterns for resilience.

Operational security

  • Annual VAPT (vulnerability assessment + penetration testing) for production deployments.
  • Quarterly internal security reviews.
  • Incident-response runbooks with defined RPO / RTO targets.
  • Audit log forwarding to customer SIEM where required.

Responsible disclosure

If you believe you’ve discovered a security vulnerability in CortexData, please report it confidentially to security@cortexdata.ai. We acknowledge reports within 48 hours and provide updates as we investigate. Please give us reasonable time to respond before public disclosure.