Your data doesn't leave.
Your clients stay protected.

We combine enterprise-grade public cloud hosting, strict role-based isolation, and contract-enforced AI privacy standards. Explore our continuous compliance efforts to safeguard your agency's operations.

Built for sensitive work,
from day one.

"Securing broker workflows and protecting sensitive client data is not just a feature—it is the foundation upon which all our AI solutions are built."
— Akash Samant, CTO, Coverflow

/ 01

Enterprise AI Boundaries

Data is processed solely in transit via dedicated model endpoints. Individual contractual SLAs guarantee that your client documents are never retained or used to train public LLM foundation models.

/ 02

Secure Cloud Architecture

Your application data and documents are stored in secure databases hosted on leading SOC-audited public cloud infrastructure. We isolate broker documents using strict metadata partition boundaries.

/ 03

End-to-End Encryption

All insurance broker document assets and structured records are encrypted in transit using TLS and at rest using industry-standard AES-256 encryption.

/ 04

Role-Based Access Control

Manage account access using Role-Based Access Control (RBAC) to separate administrator privileges from standard users. Integrated SAML SSO and Multi-Factor Authentication (MFA) are scheduled for release in the second half of 2026.

Operational excellence,
governed by policy.

Personnel Security & Training

All Coverflow employees undergo rigorous background checks prior to employment. We enforce mandatory annual security awareness training and restrict internal access to production environments following the principle of least privilege.

Disaster Recovery & Resilience

We maintain detailed Business Continuity and Disaster Recovery plans. Our encrypted database backups are geographically replicated and tested regularly to guarantee strict Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO).

Incident Response SLA

Coverflow operates under a formalized Incident Response Plan. In the highly unlikely event of a security anomaly or data breach, we commit to notifying affected customers within 72 hours of verification.

Looking for official compliance reports?

Visit our Trust Center to request copies of our SOC 2 Type II audit documentation, download active safety certificates, sign security NDAs, or view detailed security materials.

FAQs

/ 01 Where is my data hosted, and who can access it?
All client documents and analysis results are stored on secure, SOC-audited public cloud servers located within the United States. Access to production environments is strictly controlled, logged, and limited to essential operational tasks under strict role-based policies.
/ 02 Do you share my data or use it to train AI models?
Absolutely not. We process broker documentation and provide workflows using secure APIs. We have strict, individual contractual agreements with our AI model providers ensuring your prompts and processed documents are never used for model training and are automatically purged from their networks within 30 days.
/ 03 What models do you use to analyze documents?
We utilize industry-leading, enterprise-grade AI foundation models. All data transmissions are encrypted and protected by API-level agreements that guarantee private, isolated data processing, keeping your clients' information confidential.
/ 04 How are accounts and permissions controlled?
Currently, Coverflow enforces Role-Based Access Control (RBAC) to separate administrator privileges from standard users. Authentication is handled via secure username and password credentials. SAML Single Sign-On (SSO) and Multi-Factor Authentication (MFA) integrations are scheduled for release in the second half of 2026.
/ 05 Is my agency's data isolated from others?
Yes. We enforce logical tenant separation. Your uploaded broker files, vector databases, and analysis records are isolated from other accounts using unique partition keys and strict access control lists (ACLs). These isolation controls are verified regularly as part of our annual independent security assessments.
/ 06 What happens when a record is updated or deleted?
All updates and deletions are propagated to active databases immediately. For safety, disaster recovery, auditing, and compliance purposes, encrypted database backups are retained for up to 1 year in isolated storage, without active user access, before being purged.
/ 07 What are Coverflow's disaster recovery objectives (RTO and RPO)?
Coverflow operates a cloud-native SaaS platform hosted on AWS with data stored in MongoDB Atlas. Infrastructure can be recreated through Infrastructure-as-Code and operational procedures. MongoDB Atlas provides continuous backup and point-in-time recovery capabilities. Based on current architecture, staffing, and operational maturity, Coverflow has established an RTO of 8 hours and an RPO of 1 hour.
/ 08 How often do you perform penetration testing?
We engage independent, CREST-accredited third-party security firms to perform comprehensive penetration testing of our application, APIs, and cloud infrastructure at least once a year. These tests cover OWASP Top 10 vulnerabilities, logical tenant isolation boundaries, and privilege escalation vectors. The executive summaries of our latest reports can be requested in our Trust Center.
/ 09 How do you monitor infrastructure security?
Our cloud infrastructure is continuously monitored using AWS Config and automated security tooling against industry-standard security benchmarks. Any configuration drift or compliance alert is immediately routed to our security operations team for remediation.
/ 10 Do you carry Cyber Liability Insurance?
Yes. Coverflow carries comprehensive Cyber Liability Insurance covering data breach response, network security liability, and business interruption. Proof of coverage can be requested through our Trust Center.
/ 11 Can we request a BAA or download your SOC 2 report?
Yes. Customers can request copies of our SOC 2 Type II audit report and internal security policies directly through our Trust Center. We are actively working on HIPAA compliance readiness to support Business Associate Agreements (BAAs) in the future.
/ 12 Who do I contact about a security issue?
If you believe you have discovered a vulnerability or have a security-related inquiry, please email our dedicated security response team at security@coverflow.tech. We review all reports immediately.
/ 13 Who are your third-party subprocessors?
We partner with leading, SOC-audited vendors to provide cloud hosting, database management, vector search indexes, and enterprise foundation model APIs. We sign strict Data Processing Addendums (DPAs) with each of our subprocessors. A formal, detailed list of our subprocessor legal entities is publicly available and can be viewed directly in our Trust Center.
/ 14 Does Coverflow publish service availability or system status reports?
Yes. Coverflow maintains high-availability cloud infrastructure and publishes real-time operational status, system performance metrics, and historical uptime data. Customers can view our live systems status at any time by visiting our public Status Dashboard.