Security
Secure by architecture, not by certificate. The structural decisions that keep customer data inside the customer's walls.
Customer data does not leave the building.
The single most important security decision in CORTX is also the simplest: customer data is processed on the customer's premises and stays there. There is no cloud database holding patient records. There is no remote service caching invoices. There is no telemetry pipe streaming behavior data to us.
The data is on a machine the customer owns, in a room the customer controls, behind a network the customer manages. We do not have the keys. We could not look at it if we wanted to.
This is not a feature. It is the foundation everything else sits on.
One small box. Sealed.
Every customer deployment runs on a Mac Mini. The Mini is configured once, sealed, and placed in the customer's office. It runs the agent, the local database, the vault directory, and the workflow engine.
The disk is encrypted. Physical access to the data requires physical access to the building. There is no remote shell, no SSH from the public internet, no admin console exposed to the world.
If the building burns down, the deployment burns down. We restore from the customer's backup. We do not have one.
No VPN. No open ports.
When customer staff need to use the system from outside the office — a coordinator working from home, the implementer logging in for an audit — they connect through Tailscale. Each device is enrolled individually, each session is authenticated, each connection is logged.
There is no VPN with a shared password. There is no port forwarded on the customer's router. There is no public endpoint. The only way in is by being a known device on a known account, and the access can be revoked from one screen.
Every action is logged.
Every task the agent runs is recorded in Plane. Every CLI call is logged with arguments and results. Every validation step is recorded with timestamps and outcomes. Every operator action goes through the cockpit, where it is also logged.
The audit trail is not a feature we added. It is a byproduct of the architecture. The agent could not function without it. The customer can read it any time.
The trail is queryable. "Show me everything that happened with this customer's claim last Tuesday" is a single query, and the answer is exhaustive.
The customer owns everything.
The MCPs are the customer's. The vault is the customer's. The audit trail is the customer's. The encryption keys are the customer's.
When a deployment ends, the customer keeps the machine. They keep the data. They keep the agent and its memory. We do not retain a copy. We do not retain access. The relationship can end and the customer's intelligence stays where it has always been: with them.
Naturally aligned, not retrofitted.
Most software companies face an ISO 27001 audit as a six-month adaptation project. CORTX is structured in a way that satisfies most of the controls by default.
- Physical access controls (sealed Mac Mini in customer office)
- Encrypted data at rest (full-disk encryption on every deployment)
- Network access controls (Tailscale, no public endpoints)
- Comprehensive audit logging (Plane native)
- Data minimization (no off-premises copies)
- Access control policy
- Backup procedure
- Incident response plan
- Risk assessment
- Vendor management policy
The architecture does the work. The documentation describes it.
Where we stand on the major frameworks.
- GDPR. The customer is the data controller. CORTX, as a processor, never sees the data, because the data does not leave the customer's premises.
- Israeli Privacy Protection Law. Equivalent posture. Local processing, customer-owned data.
- HIPAA-equivalent stances. For healthcare verticals: PHI never leaves the customer's environment. The architecture is consistent with covered-entity requirements.
- SOC 2. Type 1 in preparation. Type 2 will follow once we have the operating history.