How Does Coveo Secure My Data and Services?

Security at Coveo is job zero. Coveo Cloud V2 customers benefit from an infrastructure and platform built to satisfy the requirements of the most security-sensitive organizations. We are committed to preserving the confidentiality, integrity, and availability of our customers’ information assets. Coveo’s commitment to security is affirmed by our SOC examination.


Cloud and Data Centers

Coveo Cloud is built on tier-one cloud providers, taking advantage of multiple zones, regions, and compliance standards.

Confidentiality and Privacy

Ensuring our customers’ data privacy is something we take very seriously. We protect information from unauthorized access and enforce rigorous policies and controls to safeguard the collection, use, and disclosure of customer data.

Unless explicitly permitted or requested by a customer, our employees never access customer data. We monitor and audit all accesses and change requests; the resulting audit logs are periodically reviewed by only a handful of specialized employees.

Integrity

Coveo only maintains indexes with customer data. As such, Coveo cannot and does not modify any source content, thereby making data corruption impossible. Furthermore, Coveo indexes are continually refreshed, ensuring no discrepancies. Access rights are included and iterated during every indexing operation, ensuring updates to access rights are included in every index update.

Availability and Scalability

The availability of Coveo Cloud is of paramount importance to us; this is why our systems are redundant across multiple data centers to prevent downtime. Our status page provides availability information such as current status, incident notes, and downtime information for all indexing, search, and analytics services Coveo offers (see Coveo Cloud Platform Status Page).

We create backups on a regular basis. All backups are replicated in several data centers and at a remote location. Coveo Cloud solutions are constantly monitored for performance, and measured against performance thresholds and target response time. Built on dynamic processing power environments and thanks to its scalable architecture, Coveo Cloud is able to seamlessly scale computing systems to maintain optimal user experience.

Incident Response and Disaster Recovery

Coveo enforces aggressive policies and procedures pertaining to incident response and disaster recovery, executes periodic drills and ensures continuous improvement of those processes. With 24/7 support and monitoring, Coveo is committed to resolving any issue as quickly as possible.

Platform Security

The Coveo Cloud security team performs automated and manual application security testing on a regular basis to identify and patch potential security vulnerabilities and bugs. Coveo also works with third-party security specialists, as well as other industry security teams, to keep Coveo Cloud safe and secure.

Data Security and Ownership

Data processed by Coveo Cloud is encrypted both at rest and in transit using industry-standard algorithms. As previously stated, Coveo Cloud customers retain full ownership of their data, and search results and suggestions always point back to a customer’s official systems for the best data integrity. Transparent procedures pertaining to data retention and destruction are in place and audited.

Segregation of Duties

At Coveo, before any change to the production environment can be made, it must undergo a formal control process. The application change management process controls what, when and by whom changes can be performed. Additionally, segregation of duties is enforced between development and cloud operations to prevent unsolicited modifications to any Coveo Cloud application.

Personnel Security

All personnel at Coveo, including third parties, are aware of our security standards, well trained in them, and accountable for upholding them. All Coveo employees undergo a third-party background check. This verification covers a wide variety of areas, including prior employment, education, criminal and financial verification in both the US and Canada.

Disclosure and Security Concerns

Coveo prioritizes security and encourages users and members of the broader security community to privately report suspected vulnerabilities.

All issues reported to the Coveo security team are investigated promptly in collaboration with the reporter and remediated as quickly as possible. The security team may elect to not disclose information publicly, or to refrain from disclosure until the relevant issues are mitigated and affected customers are notified.

When reporting a security concern, please provide as many details as possible, including:

  • The URL and parameters demonstrating the vulnerability.

  • Your system configuration including any browser or user-agent information.

  • The exact reproduction steps.

  • Your IP address and account, if available, to coordinate with our logs.

If the information is sensitive, please ask us for a secure exchange method, and do not send any executable attachments.

Vulnerability and Penetration Testing

The Coveo Customer Agreement prohibits performance, stress, load, security, integrity, penetration, vulnerability or similar testing on one or more Coveo services without prior authorization from Coveo (see Can I Conduct a Performance Test on Coveo?).