Corsa’s compliance program is designed for organizations that must demonstrate security and data protection to regulators, auditors, and enterprise customers. Our controls are independently verified and continuously monitored.

Attestations

SOC 2 Type II

Corsa has completed a SOC 2 Type II examination, the most widely requested security assurance report for SaaS vendors. Unlike a Type I report (a point-in-time snapshot of control design), a Type II report attests that the controls operated effectively over a sustained observation period, commonly 6 to 12 months. The examination is performed by an independent CPA firm and evaluates Corsa against the AICPA Trust Services Criteria:
  • Security - Protection against unauthorized access, physical and logical.
  • Availability - System uptime meets agreed-upon service levels.
  • Processing Integrity - Data processing is complete, valid, accurate, and timely.
  • Confidentiality - Sensitive information is protected throughout its lifecycle.
  • Privacy - Personal information is handled in accordance with commitments.
Customers and prospects can request the full SOC 2 Type II report under NDA by contacting support@corsa.finance. A SOC 2 report is an auditor's attestation rather than a certificate, so when reviewing it check the auditor's opinion, the system boundary and the Trust Services Criteria actually in scope, the observation period, and any noted exceptions together with management's responses.

Data Privacy

Corsa’s data handling practices comply with applicable data protection regulations:
  • GDPR - Corsa acts as a data processor on behalf of its customers, with processes covering data subject rights, cross-border transfers, breach notification, and sub-processor management.
  • Sub-processor transparency - Corsa maintains a list of its sub-processors and notifies customers of changes. The list is available upon request.

Controls in Scope

The following areas are covered by Corsa’s SOC 2 examination and internal control framework:

Access Control

  • Role-based access with least-privilege enforcement across all systems
  • Multi-factor authentication required for all internal access, with hardware security keys for production systems
  • Automated provisioning and deprovisioning tied to HR lifecycle events
  • Quarterly access reviews with mandatory recertification
  • Time-boxed elevated access with automatic expiration

Change Management

  • All infrastructure and application changes go through peer-reviewed pull requests
  • Automated CI/CD pipelines with required test suites, linting, and security scans
  • Production deployments require explicit approval from designated reviewers
  • Rollback procedures documented and regularly tested
  • Immutable, tamper-evident change logs

Data Protection

  • Encryption at rest (AES-256) and in transit (TLS 1.2+)
  • Internal service-to-service communication encrypted with mutual TLS (mTLS)
  • Customer-managed encryption keys via BYOK for PII fields
  • Secrets stored in a dedicated secrets management service with automatic rotation
  • Database backups encrypted, stored in separate regions, and restoration-tested regularly
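The "Customer-managed encryption keys via BYOK for PII fields" bullet describes envelope encryption: each stored value is sealed under its own data key, and that data key is wrapped under a key the customer controls. The example below is added here to show the mechanics and is not Corsa's code. It assumes a hypothetical row layout (EncryptedField) and stands in for the customer's KMS with an in-memory map (CustomerKeyStore); a real deployment would make wrap and unwrap calls to the customer's KMS instead of holding the KEK locally.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// EncryptedField is a hypothetical row layout: the wrapped data key sits beside the
// ciphertext, so the value is readable only while the customer's KEK exists in their KMS.
type EncryptedField struct {
	KeyID      string // customer KEK identifier (assumed naming)
	WrappedDEK []byte // per-value AES-256 data key, sealed under the KEK
	Ciphertext []byte // field value sealed under the data key
}

// CustomerKeyStore stands in for the customer's KMS (an assumption of this example);
// in real BYOK the KEK never leaves the KMS and wrap/unwrap are remote, revocable calls.
type CustomerKeyStore map[string][]byte

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no safe fallback for a failed CSPRNG
	}
	return b
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmSeal returns nonce || ciphertext || tag under AES-GCM.
func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, aad), nil
}

// gcmOpen reverses gcmSeal; any change to the data or the AAD fails the tag check.
func gcmOpen(key, data, aad []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(data) < g.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return g.Open(nil, data[:g.NonceSize()], data[g.NonceSize():], aad)
}

// EncryptField seals the value under a fresh AES-256 data key and wraps that key under
// the customer's KEK; column name and key ID go in as AAD so neither can be replayed elsewhere.
func EncryptField(ks CustomerKeyStore, keyID, fieldName string, value []byte) (EncryptedField, error) {
	kek, ok := ks[keyID]
	if !ok {
		return EncryptedField{}, fmt.Errorf("kek %q not available", keyID)
	}
	dek := randomBytes(32)
	ct, err := gcmSeal(dek, value, []byte(fieldName))
	if err != nil {
		return EncryptedField{}, err
	}
	wrapped, err := gcmSeal(kek, dek, []byte(keyID)) // in real BYOK: a KMS wrap call
	if err != nil {
		return EncryptedField{}, err
	}
	return EncryptedField{KeyID: keyID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptField unwraps the data key through the customer's KMS, then opens the value.
func DecryptField(ks CustomerKeyStore, fieldName string, f EncryptedField) ([]byte, error) {
	kek, ok := ks[f.KeyID]
	if !ok {
		return nil, fmt.Errorf("kek %q revoked or missing: value is unrecoverable", f.KeyID)
	}
	dek, err := gcmOpen(kek, f.WrappedDEK, []byte(f.KeyID)) // in real BYOK: a KMS unwrap call
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return gcmOpen(dek, f.Ciphertext, []byte(fieldName))
}

func main() {
	ks := CustomerKeyStore{"customer-42-kek": randomBytes(32)}
	rec, _ := EncryptField(ks, "customer-42-kek", "email", []byte("jane@example.com")) // constructed sample PII
	pt, err := DecryptField(ks, "email", rec)
	fmt.Printf("decrypt: %q err=%v\n", pt, err)
	delete(ks, "customer-42-kek") // the customer revokes their KEK: crypto-shredding
	_, err = DecryptField(ks, "email", rec)
	fmt.Println("after revocation:", err)
}
```

The second decrypt fails as soon as the customer's key is gone: that is the practical guarantee BYOK gives a customer, since revoking the KEK renders every wrapped data key, and with it every stored value, unrecoverable without touching the database. Binding the column name as associated data also stops a ciphertext being moved from one field to another inside the store, and binding the key ID into the wrap stops a wrapped key being replayed against a different KEK.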

Incident Response

  • Documented incident response plan with defined severity levels (SEV1–SEV4)
  • 24/7 on-call rotation with automated escalation
  • Post-incident reviews with root cause analysis and published remediation timelines
  • Customer notification within defined SLAs for incidents affecting their data
  • Annual incident response tabletop exercises

Monitoring & Logging

  • Centralized logging with tamper-evident storage and configurable retention
  • Real-time anomaly detection across infrastructure and application layers
  • Automated alerting for unauthorized access attempts, configuration drift, and policy violations
  • Regular log reviews and audit trail integrity checks
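The "Immutable, tamper-evident change logs" bullet under Change Management and the "tamper-evident storage" and "audit trail integrity checks" bullets above rest on the same mechanism: each log entry commits to the previous one, so edits, insertions and deletions become detectable after the fact. The following example is added here to illustrate that check and is not Corsa's code; the Entry layout, the event names and the verifier-held HMAC key are assumptions made for the illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Entry is a hypothetical audit record. Hash commits to the record's fields
// and to the previous entry's hash, so the log forms a chain: editing,
// inserting or deleting any entry invalidates every hash from that point on.
type Entry struct {
	Seq       int    `json:"seq"`
	Timestamp string `json:"ts"`
	Actor     string `json:"actor"`
	Action    string `json:"action"`
	Target    string `json:"target"`
	PrevHash  string `json:"prev"`
	Hash      string `json:"hash"`
}

// entryHash = HMAC-SHA256(key, canonical JSON of the entry without its Hash).
// An HMAC rather than a bare SHA-256 means that whoever can rewrite the store
// cannot simply recompute the chain: the key is held by the verifier, not by
// the log writers or the storage tier (an assumption of this example).
func entryHash(key []byte, e Entry) string {
	e.Hash = ""
	body, _ := json.Marshal(e) // field order follows the struct, so this is canonical
	mac := hmac.New(sha256.New, key)
	mac.Write(body)
	return hex.EncodeToString(mac.Sum(nil))
}

// Append links e to the current head of the chain and seals it.
func Append(key []byte, chain []Entry, e Entry) []Entry {
	e.Seq = len(chain)
	e.PrevHash = ""
	if len(chain) > 0 {
		e.PrevHash = chain[len(chain)-1].Hash
	}
	e.Hash = entryHash(key, e)
	return append(chain, e)
}

// Verify walks the chain from genesis and returns the index of the first entry
// that fails, or -1 when the whole log is intact.
func Verify(key []byte, chain []Entry) (int, error) {
	prev := ""
	for i, e := range chain {
		if e.Seq != i {
			return i, fmt.Errorf("entry %d: sequence gap (stored seq %d)", i, e.Seq)
		}
		if e.PrevHash != prev {
			return i, fmt.Errorf("entry %d: prev hash mismatch", i)
		}
		if !hmac.Equal([]byte(e.Hash), []byte(entryHash(key, e))) {
			return i, fmt.Errorf("entry %d: content does not match its hash", i)
		}
		prev = e.Hash
	}
	return -1, nil
}

func main() {
	key := []byte("verifier-only-key") // assumption: never given to log writers
	var chain []Entry
	// Constructed sample events: a deployment approval and a temporary role grant.
	chain = Append(key, chain, Entry{Timestamp: "2024-05-01T10:00:00Z", Actor: "alice", Action: "deploy.approve", Target: "api@1.2.3"})
	chain = Append(key, chain, Entry{Timestamp: "2024-05-01T10:05:00Z", Actor: "bob", Action: "role.grant", Target: "carol:prod-admin"})
	chain = Append(key, chain, Entry{Timestamp: "2024-05-01T11:00:00Z", Actor: "bob", Action: "role.revoke", Target: "carol:prod-admin"})
	fmt.Println(Verify(key, chain)) // -1 <nil>

	// An insider rewrites who granted the role; the stored hash no longer matches.
	chain[1].Actor = "mallory"
	fmt.Println(Verify(key, chain))

	// Restoring the field but dropping the grant entirely leaves a sequence gap.
	chain[1].Actor = "bob"
	fmt.Println(Verify(key, append(chain[:1], chain[2:]...)))
}
```

The chain detects any edit or removal inside the log, but not truncation of the newest entries, because nothing after them depends on their hash. An integrity check therefore also needs the current head hash anchored somewhere the log writers cannot alter (a WORM bucket in a separate account, or a periodic signed checkpoint) and compares the stored head against that anchor as part of the review.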

Vendor Management

  • Third-party vendors assessed against security and privacy requirements before onboarding
  • Ongoing monitoring of vendor security posture and certifications
  • Data processing agreements in place with all sub-processors
  • Annual vendor risk re-assessments

Business Continuity & Disaster Recovery

  • Multi-region infrastructure with automated failover
  • Recovery Time Objective (RTO) and Recovery Point Objective (RPO) defined per service tier
  • Backup restoration tested quarterly
  • Disaster recovery plan reviewed and updated annually

What This Means for Customers

  • Vendor risk assessments - Corsa’s SOC 2 Type II report, penetration test summaries, and security questionnaire responses streamline your vendor due diligence process.
  • Regulatory confidence - For regulated institutions, Corsa’s SOC 2 Type II attestation and supporting control documentation provide evidence for your own compliance obligations.
  • Audit-ready - Corsa provides the documentation and evidence your auditors need without back-and-forth delays.

Requesting Documentation

To request compliance documentation (SOC 2 Type II report, pen test summary, sub-processor list, or security questionnaire responses), contact your account manager or email support@corsa.finance.