Key information

💽 Hosting

🇫🇷 All of our Data is hosted in France on AWS Servers

🔐 Compliance

We have received the ISO 27001 certification

🙅 Data protection

We collect limited PII (Personal Identifiable Information) which is pseudo-anonymized on send (details below)

☁️ Sub-Providers

Our main sub-providers are :

• AWS (cloud)

• Google (IdP)

• Github (Version Control)

• Vercel (Deployment)

• Heroku (Backend & API)

More detailed info on the data collected at Corma

Extensions

We capture URLs visited by a user on the browser that has the extension deployed and authenticated. For each of those logs we get :

• User ID

• Timestamp (when was the URL visited)

• Website_name (raw URL)

• Active duration (number of seconds spent of the URL)

• url_host (e.g. claude.ai - everything before the first /)

• Subdomain (everything before the url_host)

• url path (everything after the url_host)

• Saas Id (id in our saas list database)

• Internal Saas ID (id if it matches a url of a client's internal app)

• Saas status (status of the app in Corma - Authorized etc...)

• Saas directory ID (ID of the app in Corma for this customer)

  Those visited URLs are filtered by the extension using a whitelist system to keep only professional-related usage (youtube, impots.gouv, etc... are filtered out and removed before reaching our database)

Direct Integrations

• username

• email

• last activity

• Date granted

• Granted by

• Roles

• License type

• Groups

OS Agents

• Installed apps:

  • Packages installed from the Microsoft Store

  • Regular applications

  • Command-line tools configured in PATH

• Activity:

  • Regular applications/packages

    • Usage in background

    • Usage in foreground

  • Command lines executed from terminal

SSO Integrations

• List of Users (email, name, Id, team, admin status)

• Third party apps

• SSO / SAML logs

• Token of authentication for external apps

• Timestamp of tokens

• Scopes granted to external apps

Other types of Integrations

• HR tools

  • Start date

  • termination date

  • Job title

  • Team/department

  • Manager

  • Country

  • personal email

• Accounting software

  • Invoices (Cost, currency, date, supplier)

• Ticketing / ITSM systems

  • Ticket ID

  • Title

  • assignee

  • content

Recognized Applications

All applications that are part of our Whitelist can be recognized by Corma. This whitelist currently contains more than 31,000 apps listed. This whitelist is also :

• Editable

• Continuously updated

• Can contain custom client URLS for on premise applications accessed via the browser

Integration requirements

Client companies must be using the following systems to work with us efficiently :

• Google Workspace or Microsoft Tenant ID (Azure AD) workspace

• Use mainly Chrome, Chromium, Edge, or Firefox browsers

• Have significant web-based SaaS-Usage

Authentification methods

We currently support 3 methods of authentication into our app, all 3 methods are systematically included in all pricing versions :

• Google SSO

• Microsoft SSO

• Email + Password