Trust
Built for your audit. Honest about ours.
How we engineer sovereignty, where our own compliance stands today, and how to reach us.
Your data. Your model. Your mission.
The AI in Corticle is yours: trained on your data, learning your playbooks, isolated to your tenant, used only for you.
No external models or APIs
Nothing leaves your environment. Not for training. Not for inference. Not for telemetry. The platform makes zero external API calls to ours or anyone else's models in production.
Trained on your data
Your model continuously learns from your playbooks, runbooks, procedures, and historical decisions. It operates the way your team operates, not a generic vendor playbook.
Isolated to your tenant, yours alone
The intelligence trained on your data is isolated to your tenant. Never pooled with other customers. Never shared. Never used to train anyone else's model.
Deploy anywhere, same sovereignty
On-prem, in your cloud (AWS · Azure · GCP), or air-gapped. The deployment topology changes; your data isolation and tenant boundary do not.
Used only for your mission
We never use your data, your decisions, or your trained intelligence for anything else. Not for shared training pools. Not for product analytics. Not for benchmarking. Only your mission, full stop.
Certification status
Engineered against every framework we help you satisfy. Our own certifications are in progress. Here's exactly where we are.
| Framework | Customer enablement | Corticle's own status |
|---|---|---|
| SOC 2 Type II | Supported | Controls in place · audit planned |
| HIPAA | Supported | Engineered against · BAA-ready |
| CMMC | Supported | Engineered to controls |
| FedRAMP | Supported | Authorization on roadmap |
| NIST CSF 2.0 | Supported · 120 controls + 16 cross-mappings | Engineered against |
| PCI DSS | Supported | Engineered to controls |
| ISO 27001 | Supported | Engineered to controls |
| CJIS | Supported | Engineered to controls |
| IRAP | Supported | Engineered to controls |
| StateRAMP | Supported | Engineered to controls |
Status labels reflect Corticle's current attestation pipeline. We update them as audits progress.
Sub-processors
None on the platform side.
The Corticle platform makes no external API calls in production. Your data and your model never leave your environment.
The Corticle public website uses two sub-processors, both website-side only:
- Formspree processes demo-request form submissions. Each submission contains only the fields you enter (name, work email, company, role).
- Google Analytics 4 measures aggregate website usage. GA4 loads only after you accept analytics on the cookie banner; if you reject, no analytics data is collected and no GA cookies are set. We honor Google Consent Mode v2.
Privacy posture
Plain language about what we collect and what we don't.
Website: we collect form submissions (name, work email, company, role) when you book a demo. We use Google Analytics 4 to measure aggregate website usage, gated by Google Consent Mode v2: GA4 loads only if you accept on the cookie banner; if you reject, no analytics cookies are set. See the Sub-processors section above and our Privacy Policy for the full breakdown.
Platform: the deployed platform processes only the data inside your environment. No telemetry leaves your environment to us. See the Sovereignty section above.
Full website privacy policy: /privacy.
Security contact
Report a vulnerability.
Send the details to security@corticle.io. We acknowledge disclosures within five business days. Please don't publicly disclose until we've had a chance to investigate and remediate.