Security

Bring search and personalization securely to the cloud

Relevance backed by enterprise-grade security and privacy every step of the way.

Platform
At Coveo, security by design means governance inspired by ISO 27001, maturity models based on CoBIT, security processes defined by the ISM3, and measures taken from the NIST special publications.

Compliance

  • AICPA SOC 2 Type II: Coveo completes the industry-standard AICPA SOC 2 Type II audit annually. Not only is our data center compliant, but so are our internal protocols.
  • HIPAA: We keep sensitive patient data secure for our healthcare customers by offering a HIPAA-compliant hosting environment. We undergo biennial HIPAA-compliance audits and make our Business Associate Agreement (BAA) available for execution.
  • EU GDPR, CCPA: We help customers address their obligations under the California Consumer Privacy Act and the EU General Data Protection Regulation. Coveo allows you to implement consent management mechanisms and answer Data Subject Requests.
  • Cookie and Privacy Policy: We provide detailed information about the data we collect and how we use it in our Privacy Policy, including the use of cookies on our website.

Data security

We follow industry best practices to help you meet your security needs, from data ownership to data residency.

  • Data ownership: You own your data and what is sent to Coveo. You control what content is indexed and which interactions will be tracked.
  • Data encryption: Data is encrypted in transit using TLS 1.2 and at rest with minimum cipher parameters of AES-256.
  • Access management: You decide which type of user has access to your data. Secure filters restrict access to sources or content. We exclusively use Single Sign-On (SSO), and will never manage or store your user passwords.
  • Data residency: Know where your data is processed and governed by choosing the region in which it is replicated and hosted.

Security controls

From both the inside and out, we continuously verify our security controls and ensure they’re up to date.

  • Coveo Information Security Program: We maintain state-of-the-art security policies and controls. This covers internal processes such as application changes and personnel security, and external ones including vendor and sub-processor management.
  • Coveo security architecture: We use the latest security technologies to ensure enterprise-grade access controls, event monitoring, and intrusion prevention. Our security controls are documented in the Cloud Security Alliance (CSA) STAR registry.
  • Third-party audits: Every year, Coveo undergoes third-party audits, such as the industry-standard AICPA SOC 2 Type II, in addition to rigorous self-assessments and testing.
  • Vulnerability management: Strict code review and testing processes are part of our vulnerability management practices. These include manual and automated security testing and third-party verification.
  • Bug bounty program: We maintain an active bug bounty program through HackerOne and generate an annual report of the vulnerabilities discovered by third-party experts. Users and members of the broader security community are also encouraged to report suspected vulnerabilities.

Frequently asked questions

Is Coveo a processor or a controller?

When providing the hosted service, Coveo acts as a data processor and the customer acts as the data controller.

What type of data is transferred to Coveo?

There are two types of data transferred to Coveo: Index and Analytics Data. Customers can configure precisely what data is sent to Coveo, by adjusting custom objects and fields to be indexed, or by disabling, obfuscating, or encrypting any usage metric visible in the dashboard.

Where does Coveo store customer data?

Coveo is hosted using AWS in data centers in the United States, Europe, and Australia, which use a combination of physical and logical controls to segment data, systems, and networks.

How do you protect customer data at rest?

Customer data is unified in a single Coveo index. These indexes are proprietary and stored in binary files, compressed using proprietary algorithms, and encrypted at rest using AES-256 or better.

Does Coveo provide documentation to demonstrate its compliance?

Yes, Coveo provides a number of documents under Non-Disclosure, including its SOC 2 Type II Examination Report, penetration tests, and pre-filled questionnaires. Contact us to make a request.
