Data and security
Data and security
This is for:
System AdministratorCoveo is committed to offering a product that provides the highest protection standards to its customers.
Coveo is a multi-tenant solution that logically separates customers and leverages Amazon Web Services (AWS) infrastructure for its Hosted Services. Coveo permanently stores Customer Data in an isolated Coveo Index, whereby each customer has their own index, assuring segmentation and total control. A Coveo index is encrypted at rest, guaranteeing data security and privacy at all levels. Coveo now offers bring your own key (BYOK) as a security enhancement. To learn more, see Bring your own key.
Coveo Hosted Services uses a multi-tier architecture that hides all servers except front-end systems. The production infrastructure is hosted in AWS data centers, which are protected by AWS-managed firewalls. They’re configured to deny any network connection that a firewall rule doesn’t explicitly authorize. Predefined security groups are used to assign role-based access privileges and segregate access to data to the scope systems.
Data encryption
Customer Data is encrypted at rest with minimum cipher parameters of AES-256 to ensure maximum encryption security.
The Coveo Index is isolated and encrypted at rest. Coveo also features security at the item level, further preventing unauthorized access to customer content.
Data is encrypted in transit using TLS 1.2. Coveo supports TLS 1.3. All external communications use industry-accepted encryption standards to protect the transmission of Customer Data or confidential information. Coveo supports Perfect Forward Secrecy (PFS) using Ephemeral Elliptic Curve Diffie-Hellman (ECDHE) key exchange. Transmissions use at least a 128-bit SSL certificate and 2048-bit RSA public keys.
Master keys are used to generate individual keys used for each disk drive and encryption activity. Master keys are rotated every year and the entire rotation process is automated.
Network isolation
Coveo ensures that Customer Data stays within the production environment, which is totally separated from the corporate network. No Customer Data is stored on Coveo’s internal systems and corporate media.
Credential management
Coveo Hosted Services support Single Sign-On (SSO) with multiple identity providers using the OAuth 2.0 standard (Google, Microsoft, and Salesforce), and identity providers supporting the SAML 2.0 standard (see Log in to Coveo and Coveo SAML SSO). Architecture design, passwords, password rules, and user provisioning are completely managed by the customers, and therefore Coveo doesn’t store or manage passwords.
Source credentials
Some connectors may require you to upload source credentials to Coveo. Source credentials, keys, API Keys, and certificates are encrypted at the file level or stored in a vault. See Source credentials leading practices.
Access controls
Coveo provisions access following the principle of least privilege based on job function. Access rights are audited and reviewed every quarter. Multi-factor authentication (MFA) is required for the console that manages server provisioning, network administration, etc. MFA is also required for the VPN network access to the back-end environment.
Event logging and monitoring
Coveo maintains logs of all calls made to public APIs, system access logs, solutions logs, and third-party service logs such as AWS and Snowflake. All logs are included in regular backups and maintained for a period of one year. All logs and events from the production environment are centralized in a Security Information and Event Management (SIEM) system, which manages alerting based on predefined rules. Depending on the level of alerts, they may be sent to a user console for review and/or trigger a ticket for resolution.
Clock synchronization
Coveo uses AWS Time Sync Service for accurate and precise clock synchronization. To learn more, see AWS Time Sync.
Incident management
Coveo leverages Host-Based Intrusion Detection System (HIDS) and collects, aggregates, indexes, and analyzes that data to alert Coveo’s security team.
Coveo has a complete Incident Response Plan and procedures to notify customers promptly after becoming aware of a security incident.
Coveo maintains a dedicated Security Operations Center (SOC) for continuous monitoring and protection.
Data hosting locations
Coveo’s hosting partner, Amazon Web Services (AWS), hosts and manages the physical infrastructure. AWS ensures third-party validation for leading compliance requirements such as SOC 2, ISO 27001, C5, CSA STAR, and HIPAA. Data centers are housed in nondescript, critical facilities that can withstand adverse weather and other reasonably predictable natural conditions. Physical access is strictly controlled by professional security staff utilizing video surveillance, state-of-the-art intrusion detection systems, and other electronic means both at the building perimeter and at building ingress points. Authorized staff must pass two-factor authentication multiple times to access data center floors. All visitors and contractors must present identification, register, and be continually escorted by authorized staff.
See Data residency for data center locations and more.