Information Security Program
Coveo maintains an Information Security Program based on an information security management system (ISMS) as defined under ISO 27001, which focuses on information security management and IT-related risks. The governing principle behind Coveo’s Information Security Program is continuous improvement. Therefore, Coveo’s Information Security Program is reviewed regularly by its Security Committee. The Committee is led by senior management and ensures that security measures remain effective and efficient by adapting to both internal and external changes.
Coveo’s security strategies and documents are based on OWASP, NIST 800-53 for control selection, ISO 27001 for its information security management system (ISMS), CoBIT for the Maturity Model, and ISM3 for some security-relevant processes.
Segregation of Duties
Changes to the production environment undergo a formal control process. The application change management process controls what, when and by whom changes can be performed. Additionally, segregation of duties is enforced between development and cloud operations to prevent unsolicited modifications to any Coveo application.
Coveo segregates the following duties:
Development & Source Code
- Architecture, design and code writing of the products.
- Access to and management of the source code repositories.
Quality Control & Assurance
- Validation of the correct behavior of the new features, improvements and bug fixes added to the products, and of possible collateral impacts.
Production Deployment & Approval
- Authorization and deployment of application changes in the production environment.
For more information, see Coveo Application Change Control Process.
All personnel at Coveo, including third parties, are aware of, well trained in, and accountable for upholding our security standards. All Coveo employees undergo a third-party background check. Subject to applicable local laws, this verification covers a wide variety of areas, including prior employment, education, criminal and financial verification.
Each new vendor is subjected to a risk analysis performed by the security team. Coveo regularly monitors suppliers’ compliance with the provisions of the supplier agreements.
Coveo maintains a Disaster Recovery Plan (DRP) that defines the requirements for information security and the recovery of the Coveo Hosted Services in case of a major outage.
Coveo also maintains a Business Continuity Plan (BCP).
Both plans are tested at least annually.
Security at Coveo is job zero. The Coveo Hosted Services customers benefit from an infrastructure and a platform built to satisfy the requirements of the most security-sensitive organizations. As a result, Coveo:
- Successfully passed a SOC 2 Type II examination;
- Participates in the Privacy Shield and conforms to its requirements;
- Offers Hosted Services that are GDPR-compliant, as outlined on our Compliance page;
- Offers a HIPAA-compliant version of its Hosted Services. A Business Associate Agreement must be signed between Coveo and all HIPAA customers. See the About the Coveo HIPAA Platform page.