Harness the power of AI without compromising on privacy or security

• Your data remains exclusively yours, isolated and secure in your own instance on AWS with zero additional cost or maintenance burden.
• Opt to use your existing data warehouse on AWS or Snowflake with our enterprise plans, ensuring a tailored fit to your needs.

• Our robust authorization protocols ensure that only designated individuals can interact with data and system features.
• Row-level security ensures users only see the data they're authorized to access, giving you granular control over visibility across your organization.
• For customers with access to PII data, Google or Microsoft sign-in and two-factor authentication ensures passwords are not stored.

• Our secure infrastructure is hosted on AWS, providing enterprise-grade reliability, redundancy, and compliance across global data centers.
• Web Application Firewall (WAF) actively defends against cyber threats, safeguarding your online presence.
• State-of-the-art network controls, including VPCs and security group assignments, keep your operations running without interruption.
• Optional Business Associate Agreement (BAA) available to support HIPAA compliance.

• Continuously tested disaster recovery plans ensure data availability and resilience.
• Regular penetration testing scrutinizes our defenses, preempting vulnerabilities to maintain an impenetrable front.

• All data is encrypted in transit using TLS 1.2 or higher. Data at rest is encrypted using industry-standard AES-256 encryption. All credentials and authentication secrets are transmitted over secure, logged channels.

• CorralData is hosted on Amazon Web Services (AWS), and our underlying infrastructure benefits from AWS’s SOC 2 Type II and ISO 27001 certified data centers. Each customer’s data is isolated in a dedicated instance with VPCs, security groups, firewalls, and a Web Application Firewall protecting public endpoints.

• We perform regular third-party penetration testing and run continuous code analysis through our security tooling. Comprehensive logging and alerting flag anomalous activity, with documented incident response procedures and customer notification commitments built into our agreements.

• Role-based access is tied to dataset attributes, with row-level security ensuring users only see what they’re authorized to see. Just-in-time access approvals are logged and reviewed, and high-risk privileges are reviewed semi-annually. Two-factor authentication is enforced on any account that can access PII or PHI, with Google or Microsoft SSO available so passwords are not stored.

• We commit to written breach notification SLAs in our customer agreements: within 72 hours for personal data breaches, within 10 business days for PHI breaches, and within 15 business days for other security incidents affecting the confidentiality, integrity, or availability of customer data.

• Our Data Processing Agreement supports compliance with GDPR, UK GDPR, CCPA/CPRA, the Texas Data Privacy and Security Act, the Colorado Privacy Act, the Virginia Consumer Data Protection Act, PIPEDA, and comparable U.S. state and Canadian provincial privacy laws. International data transfers use Standard Contractual Clauses (EU 2021/914, Module 2) or the UK International Data Transfer Addendum where applicable.

• We maintain a public list of sub-processors and provide at least 30 days’ prior written notice before adding a new one. All sub-processors are bound by obligations equivalent to our DPA.

• Your data remains yours. Upon termination, we return or delete customer data on request, except where retention is legally required. Our LLM integrations operate with zero data retention — your data is never stored or used to train models.

CorralData supports HIPAA-covered entities with:

• A Business Associate Agreement (BAA) available on request
• HIPAA-aligned administrative, physical, and technical safeguards consistent with the HIPAA Security Rule and Section 13401 of the HITECH Act
• PHI breach notification within 10 business days
• Subcontractors with access to PHI bound by equivalent BAA terms
• Safe Harbor de-identification standard (45 CFR §164.514(b)) applied to any internal analytics or benchmarking use
• Mutual indemnification for material breach involving PHI