Data and security

This is for:

System Administrator

Coveo is committed to offer a product providing the highest protection standards to its customers.

Coveo is a multi-tenant solution that logically separates customers and leverages Amazon Web Services (AWS) infrastructure for its Hosted Services. Coveo permanently stores Customer Data in an isolated Coveo Index, whereby each customer has their own index assuring its segmentation and total control. A Coveo Index is encrypted at rest and guarantees data security and privacy in all levels.

Coveo Hosted Services uses a multi-tier architecture which hides all servers except front-end systems. The production infrastructure is hosted in AWS data centers which are protected by AWS managed firewalls. They are configured to deny any type of network connection that is not explicitly authorized by a firewall rule. Predefined security groups are utilized to assign role-based access privileges and segregate access to data to the scope systems.

Data encryption

Customer Data is encrypted at rest with minimum cipher parameters of AES-256 to ensure maximum encryption security.

The Coveo Index is isolated and encrypted at rest. Coveo also features security at the item level, further preventing unauthorized access to customer content.

Data is encrypted in transit using TLS 1.2. Coveo supports TLS 1.3. All external communications use industry-accepted encryption standards to protect the transmission of Customer Data or confidential information. Coveo supports Perfect Forward Secrecy (PFS) using Ephemeral Elliptic Curve Diffie-Hellman (ECDHE) key exchange. Transmissions use at least a 128-bit SSL certificate and 2048-bit RSA public keys.

Master keys are used to generate individual keys used for each disk drive and encryption activity. Master keys are rotated every year and the entire rotation process is automated.

Network isolation

Coveo ensures that Customer Data stays within the production environment, which is totally separated from the corporate network. No Customer Data is stored on Coveo’s internal systems and corporate media.

Credential management

Coveo Hosted Services support Single Sign-On (SSO) with multiple identity providers using the OAuth 2.0 standard (Google, Microsoft, and Salesforce), and identity providers supporting the SAML 2.0 standard (see Log in to Coveo and Coveo SAML SSO). Architecture design, passwords, password rules, and user provisioning are completely managed by the customers, and therefore Coveo doesn’t store or manage passwords.

Source credentials

Some connectors may require you to upload source credentials to Coveo. Source credentials, keys, API Keys, and certificates are encrypted at the file level or stored in a vault. See Source credentials leading practices.

Access controls

Coveo provisions access following the principle of least privilege, based on job function. Access rights are audited and reviewed every quarter. Multi-Factor Authentication (MFA) is required for the console that manages server provisioning, network administration, etc. MFA is also required for the VPN network access to the back-end environment.

Data hosting locations

Coveo’s hosting partner, Amazon Web Services (AWS), hosts and manages the physical infrastructure. AWS ensures third-party validation for leading compliance requirements such as SOC 2, ISO 27001, C5, CSA STAR, and HIPAA. Data centers are housed in nondescript, critical facilities that can withstand adverse weather and other reasonably predictable natural conditions. Physical access is strictly controlled by professional security staff utilizing video surveillance, state-of-the-art intrusion detection systems, and other electronic means both at the building perimeter and at building ingress points. Authorized staff must pass two-factor authentication multiple times to access data center floors. All visitors and contractors must present identification, register, and be continually escorted by authorized staff.

See Data residency for data center locations and more.