Data and security

Customer Data is encrypted at rest with minimum cipher parameters of AES-256 to ensure maximum encryption security.

The Coveo Index is isolated and encrypted at rest. Coveo also features security at the item level, further preventing unauthorized access to customer content.

Data is encrypted in transit using TLS 1.2. All external communications use industry-accepted encryption standards to protect the transmission of customer data or confidential information. Communications during transmissions use at least a 128-bit SSL certificate and 2048-bit RSA public keys.

Master keys are used to generate individual keys used for each disk drive and encryption activity. Master keys are rotated every year and the entire rotation process is automated.

Coveo ensures that customer data stays within the production environment, which is totally separated from the corporate network. No customer data is stored on Coveo’s internal systems and corporate media.

Coveo Hosted Services support Single Sign-On (SSO) with multiple identity providers using the OAuth 2.0 standard (Google, Microsoft, and Salesforce), and identity providers supporting the SAML 2.0 standard (see Log in to Coveo and Coveo SAML SSO). Architecture design, passwords, password rules, and user provisioning are completely managed by the customers, and therefore Coveo doesn’t store or manage passwords.

Coveo provisions access following the principle of least privilege, based on job function. Access rights are audited and reviewed on a quarterly basis. Multi-Factor Authentication (MFA) is required for the console that manages server provisioning, network administration, etc. MFA is also required for the VPN network access to the back-end environment.

The physical infrastructure is hosted and managed by Coveo’s hosting partner, Amazon Web Services (AWS). AWS ensures third-party validation for leading compliance requirements such as SOC 2, ISO 27001, C5, CSA STAR, and HIPAA. Data centers are housed in nondescript, critical facilities capable of withstanding adverse weather and other reasonably predictable natural conditions. Physical access is strictly controlled both at the building perimeter and at building ingress points by professional security staff utilizing video surveillance, state-of-the-art intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication multiple times to access data center floors. All visitors and contractors are required to present identification, and are logged in and continually escorted by authorized staff.

See Data residency for data center locations and more.