Corus Security Statement
Last modified: October 3, 2020
Thank You for Choosing Corus!
Corus uses Stripe to securely collect credit card and debit card payments on our website. We are fully compliant with the Payment Card Industry’s Data Security Standards (PCI DSS 3.2).
Access to Corus’ technology resources is only permitted through secure connectivity (e.g., VPN, SSH). Our production password policy requires complexity, expiration, and lockout and disallows reuse. Corus grants access on a need-to-know basis under least-privilege rules, reviews permissions quarterly, and revokes access immediately after employee or contractor termination.
Corus maintains its information security policies and reviews and updates them at least annually. Employees must acknowledge policies on an annual basis, and undergo additional training as relevant for key job functions.
Corus conducts background screening at the time of hire (to the extent permitted or facilitated by applicable laws and countries). In addition, Corus communicates its information security policies to all personnel (who must acknowledge this) and requires new employees to sign non-disclosure agreements.
Dedicated Security Personnel
Corus also has dedicated security personnel, who focus on application, network, and system security.
Vulnerability Management and Penetration Tests
Corus maintains a vulnerability management program, which includes periodic scans, identification, and remediation of security vulnerabilities on servers, workstations, network equipment, and applications. All networks, including test and production environments, are regularly scanned using trusted third-party vendors. Critical patches are applied to servers on a priority basis, and all other patches are applied as appropriate. We also conduct regular internal and external penetration tests and remediate any findings according to severity.
We encrypt customer data in transit using secure TLS cryptographic protocols. Corus customer data is also encrypted at rest.
Our development team employs secure coding techniques and best practices. Development, testing, and production environments are separated. All changes are peer reviewed and logged for performance, audit, and forensic purposes prior to deployment into the production environment.
Corus maintains an asset management policy which includes identification, classification, retention, and disposal of information and assets. Our company device policy requires full hard disk encryption, remote lock and wipe functionality, and up-to-date antivirus software and operating system patches.
Information Security Incident Management
Corus maintains security incident response policies and procedures covering the initial response, investigation, customer notification (no less than as required by applicable law), public communication, and remediation. These policies are reviewed regularly.
Despite best efforts, no method of transmission over the Internet and no method of electronic storage is perfectly secure. We cannot guarantee absolute security. However, if Corus learns of a security breach, we will notify affected users so that they can take appropriate protective steps. Our breach notification procedures are consistent with our obligations under applicable country-level, state, and federal laws and regulations, as well as any industry rules or standards applicable to us. We are committed to keeping our customers fully informed of any matters relevant to the security of their account and to providing customers all information necessary for them to meet their own regulatory reporting obligations.
Information Security Aspects of Business Continuity Management
Corus’ databases are backed up on a rotating basis of full and incremental backups and verified regularly. Backups are encrypted and stored within the production environment to preserve their confidentiality and integrity and are tested regularly to ensure availability.
Logging and Monitoring
Application and infrastructure systems log information to a centrally managed log repository for troubleshooting, security reviews, and analysis by authorized Corus personnel.