Security
Stringent, enterprise-grade security you can trust
Stay protected with semantic search, AI recommendations, and unified personalization - all built following meticulous security standards.
Keep your interactions secure and your business protected
The entire Coveo Platform™ is built with security at the forefront: Governance certified by ISO international data security standards. Maturity models based on CoBIT. Security processes defined by the ISM3. And, measures taken from the NIST special publications.
ISO 27001 certified, HIPAA compliant, SOC2 compliant, and 99.999% SLA resilient. We’ve thought of everything so you don’t have to.
Compliance
-
We are certified in one of the best industry standards in security management, which showcases our continuous commitment to data security, a robust information security management system, and risk mitigation for our customers and partners.ISO 27001
-
Coveo completes the industry-standard AICPA SOC 2 Type II audit annually. Not only is our data center compliant, but so are our internal protocols.AICPA SOC 2 Type II
-
We keep sensitive patient data secure for our healthcare customers by offering HIPAA-compliant hosting environment. We undergo biennial HIPAA-compliance audits and make our Business Associate Agreement (BAA) available for execution.HIPAA
-
We document our security controls in the Cloud Security Alliance (CSA) STAR registry in accordance with their cybersecurity framework for cloud computing and standards for cloud security assurance and compliance.Cloud Security Alliance
-
Coveo is ISO 27018:2019 certified, which demonstrates that we adhere to globally recognized privacy standards and that we treat our customers' personal information with a high level of integrity and confidentiality.ISO 27018:2019
Data security
Data ownership
You own your data and what is sent to Coveo. You control what content is indexed and which interactions will be tracked.
Data encryption
Data is encrypted in transit using TLS 1.2 and at rest with minimum cipher parameters of AES-256.
Data residency
Know where your data is processed and governed by choosing the region in which it is replicated and hosted.
Access management
You decide which type of user has access to your data. We use Single Sign-On (SSO), so that we do not need to manage or store your user passwords.
Document-level permissions
Our native connectors ensure that authenticated users can only see documents they are authorized to see in your own systems.
Security controls
Coveo Information Security Program
We maintain state-of-the-art security policies and controls. This covers internal processes such as application changes and personnel security, and external ones including vendor and sub-processor management.
Coveo security architecture
We use the latest security technologies to ensure enterprise-grade access controls, event monitoring, and intrusion prevention. Our security controls are documented in the Cloud Security Alliance (CSA) STAR registry.
Third-party audits
Every year, Coveo undergoes third-party audits, such as the industry-standard AICPA SOC 2 Type II in addition to rigorous self-assessments and testing.
Vulnerability management
Strict code review and testing processes are part of our vulnerability management practices. We use static application security testing, software composition analysis and malware scanners before every release.
Bug bounty program
We maintain an active bug bounty program through HackerOne and generate an annual report of the vulnerabilities discovered by third-party experts. Users and members of the broader security community are also encouraged to report suspected vulnerabilities.
When providing the hosted service, Coveo acts as a data processor and the customer acts as the data controller.
Customers can configure precisely what data is sent to Coveo, by adjusting custom objects and fields to be indexed, or by disabling, obfuscating, or encrypting any usage metric visible in the dashboard. The Coveo Platform can be used for multiple purposes and the relevant data will differ between use cases. For example, Commerce usually includes catalog data, while service and support would include cases.
Coveo is hosted using AWS in data centers in Canada, the United States, the European Union, and Australia, which use a combination of physical and logical controls to segment data, systems, and networks.
Customer data is unified in a single Coveo index. These indexes are proprietary and stored on binary files, compressed using proprietary algorithms, and encrypted at rest using AES-256 or better.
Coveo provides a number of documents under Non-Disclosure, including its SOC 2 Type II Examination Report and ISO 27001 certification, penetration tests, security bundles for customers that include our politics and processes, and pre-filled questionnaires. Contact us to make a request.
