Data protection and compliance

At Ortto, we take data protection seriously. We are compliant with modern data protection standards, as follows:

We also meet the EU-US Privacy Shield framework.

As part of our data protection commitments, we undergo penetration testing every 6 months.

The results of these audits are contained in SOC2 reports, which are available upon request. Please contact our team at help@ortto.com or get in touch with your account manager (if applicable). 


How Ortto complies with the GDPR

Ortto maintains a GDPR compliance policy which applies to all employees, contractors, and vendors doing business with Ortto, and to others who have access to European Union (EU) and European Economic Area (EEA) data subject information (“personal data”) in connection with Ortto’s operating activities.

You can read the GDPR compliance policy on our website: https://ortto.com/gdpr/.

What are Ortto’s sub-processors?

Under the GDPR, an entity such as Ortto which processes personal data is called a processor. To support our technical and operational needs (such as data storage or feature provision, like email and SMS messaging), Ortto engages a number of third-party entities, known as sub-processors. In order to provide services to Ortto, these sub-processors may access or process personal data.

Ortto will not transmit EU or UK PII to any third party or vendor until an appropriate Data Protection Addendum has been fully executed by Ortto and the third party.

The list of sub-processors can be found within Ortto’s GDPR Addendum document, accessible in your Ortto account via Settings > Privacy, security & GDPR > Policies, documents and GDPR addendum.


How do I report a security vulnerability?

Our security team promptly investigates any reported security issues. If you believe you have found a security vulnerability, please read our Responsible disclosure policy and submit a vulnerability report via our Bug Bounty program. See ortto.com/security/ for details on how to submit an issue.

Provide as much information as possible about the potential issue you have discovered. The more information you provide, the quicker our security team will be able to validate the issue.

If a Vulnerability Report is submitted, we will respond as soon as possible. We ask that you do not publicly disclose the issue until it has been addressed by the Ortto team.