Stringent, enterprise-grade security you can trust

Stay protected with semantic search, AI recommendations, and unified personalization - all built following meticulous security standards.

Implement secure enterprise search in your organization

Keep your interactions secure and your business protected

The entire Coveo Platform™ is built with security at the forefront: Governance certified by ISO international data security standards. Maturity models based on CoBIT. Security processes defined by the ISM3. And, measures taken from the NIST special publications.

ISO 27001 certified, HIPAA compliant, SOC2 compliant, and 99.999% SLA resilient. We’ve thought of everything so you don’t have to.


  • ISO 27001
    We are certified in one of the best industry standards in security management, which showcases our continuous commitment to data security, a robust information security management system, and risk mitigation for our customers and partners.
  • AICPA SOC 2 Type II
    Coveo completes the industry-standard AICPA SOC 2 Type II audit annually. Not only is our data center compliant, but so are our internal protocols.
    We keep sensitive patient data secure for our healthcare customers by offering HIPAA-compliant hosting environment. We undergo biennial HIPAA-compliance audits and make our Business Associate Agreement (BAA) available for execution.
  • Cloud Security Alliance
    We document our security controls in the Cloud Security Alliance (CSA) STAR registry in accordance with their cybersecurity framework for cloud computing and standards for cloud security assurance and compliance. 
  • ISO 27018:2019
    Coveo is ISO 27018:2019 certified, which demonstrates that we adhere to globally recognized privacy standards and that we treat our customers' personal information with a high level of integrity and confidentiality.

Data security

Coveo observes the highest standards of search cloud security

Data ownership

You own your data and what is sent to Coveo. You control what content is indexed and which interactions will be tracked.

Data encryption

Data is encrypted in transit using TLS 1.2 and at rest with minimum cipher parameters of AES-256. 

Data residency

Know where your data is processed and governed by choosing the region in which it is replicated and hosted. 

Access management

You decide which type of user has access to your data. We use Single Sign-On (SSO), so that we do not need to manage or store your user passwords.

Document-level permissions

Our native connectors ensure that authenticated users can only see documents they are authorized to see in your own systems.

Security controls

Our enterprise search solution follows the principle of secure by design

Coveo Information Security Program

We maintain state-of-the-art security policies and controls. This covers internal processes such as application changes and personnel security, and external ones including vendor and sub-processor management. 


Coveo security architecture

We use the latest security technologies to ensure enterprise-grade access controls, event monitoring, and intrusion prevention. Our security controls are documented in the Cloud Security Alliance (CSA) STAR registry.

Third-party audits

Every year, Coveo undergoes third-party audits, such as the industry-standard AICPA SOC 2 Type II in addition to rigorous self-assessments and testing.

Vulnerability management

Strict code review and testing processes are part of our vulnerability management practices. We use static application security testing, software composition analysis and malware scanners before every release.

Bug bounty program

We maintain an active bug bounty program through HackerOne and generate an annual report of the vulnerabilities discovered by third-party experts. Users and members of the broader security community are also encouraged to report suspected vulnerabilities.


Find answers to your security questions. Don’t see your question? Get in touch.


When providing the hosted service, Coveo acts as a data processor and the customer acts as the data controller.

Customers can configure precisely what data is sent to Coveo, by adjusting custom objects and fields to be indexed, or by disabling, obfuscating, or encrypting any usage metric visible in the dashboard. The Coveo Platform can be used for multiple purposes and the relevant data will differ between use cases. For example, Commerce usually includes catalog data, while service and support would include cases.

Coveo is hosted using AWS in data centers in Canada, the United States, the European Union, and Australia, which use a combination of physical and logical controls to segment data, systems, and networks.

Customer data is unified in a single Coveo index. These indexes are proprietary and stored on binary files, compressed using proprietary algorithms, and encrypted at rest using AES-256 or better.

Coveo provides a number of documents under Non-Disclosure, including its SOC 2 Type II Examination Report and ISO 27001 certification, penetration tests, security bundles for customers that include our politics and processes, and pre-filled questionnaires. Contact us to make a request.

drift close

Hey 👋! Any questions? I can have a teammate jump in on chat right now!

drift bot