Data and security

Customer Data is encrypted at rest with minimum cipher parameters of AES-256 to ensure maximum encryption security.

The Coveo Index is isolated and encrypted at rest. Coveo also features security at the item level, further preventing unauthorized access to customer content.

Data is encrypted in transit using TLS 1.2. Coveo supports TLS 1.3. All external communications use industry-accepted encryption standards to protect the transmission of Customer Data or confidential information. Coveo supports Perfect Forward Secrecy (PFS) using Ephemeral Elliptic Curve Diffie-Hellman (ECDHE) key exchange. Transmissions use at least a 128-bit SSL certificate and 2048-bit RSA public keys.

Master keys are used to generate individual keys used for each disk drive and encryption activity. Master keys are rotated every year and the entire rotation process is automated.

Coveo ensures that Customer Data stays within the production environment, which is totally separated from the corporate network. No Customer Data is stored on Coveo’s internal systems and corporate media.

Coveo Hosted Services support Single Sign-On (SSO) with multiple identity providers using the OAuth 2.0 standard (Google, Microsoft, and Salesforce), and identity providers supporting the SAML 2.0 standard (see Log in to Coveo and Coveo SAML SSO). Architecture design, passwords, password rules, and user provisioning are completely managed by the customers, and therefore Coveo doesn’t store or manage passwords.

Coveo provisions access following the principle of least privilege based on job function. Access rights are audited and reviewed every quarter. Multi-factor authentication (MFA) is required for the console that manages server provisioning, network administration, etc. MFA is also required for the VPN network access to the back-end environment.

Coveo maintains logs of all calls made to public APIs, system access logs, solutions logs, and third-party service logs such as AWS and Snowflake. All logs are included in regular backups and maintained for a period of one year. All logs and events from the production environment are centralized in a Security Information and Event Management (SIEM) system, which manages alerting based on predefined rules. Depending on the level of alerts, they may be sent to a user console for review and/or trigger a ticket for resolution.

Coveo leverages Host-Based Intrusion Detection System (HIDS) and collects, aggregates, indexes, and analyzes that data to alert Coveo’s security team.

Coveo has a complete Incident Response Plan and procedures to notify customers promptly after becoming aware of a security incident.

Coveo maintains a dedicated Security Operations Center (SOC) for continuous monitoring and protection.

Coveo’s hosting partner, Amazon Web Services (AWS), hosts and manages the physical infrastructure. AWS ensures third-party validation for leading compliance requirements such as SOC 2, ISO 27001, C5, CSA STAR, and HIPAA. Data centers are housed in nondescript, critical facilities that can withstand adverse weather and other reasonably predictable natural conditions. Physical access is strictly controlled by professional security staff utilizing video surveillance, state-of-the-art intrusion detection systems, and other electronic means both at the building perimeter and at building ingress points. Authorized staff must pass two-factor authentication multiple times to access data center floors. All visitors and contractors must present identification, register, and be continually escorted by authorized staff.

See Data residency for data center locations and more.