Coverbase backs its security claims with independent assurance. We are examined by an outside SOC 2 auditor and tested by an outside penetration-testing firm, and we make the resulting reports available to customers and prospects under NDA.

SOC 2 Type II

The Coverbase platform is SOC 2 Type II audited. A Type II report covers the operating effectiveness of our controls over a continuous observation period — not just their design at a point in time — across the Security (Common Criteria) trust services category.

Scope

The audit covers the production Coverbase platform: the application, its data stores, and the cloud infrastructure it runs on. The API and the MCP server inherit the same controls as the core product.

Cadence

We maintain continuous coverage, renewing the Type II examination each audit period so there is no gap between reports.

Independent auditor

The examination is performed by an accredited third-party auditing firm, not self-attested.

Report access

Request the current report under NDA from security@coverbase.ai.

Penetration testing

Coverbase engages an independent boutique penetration-testing firm, a team of dedicated security researchers, to test the platform at least annually and after significant architectural changes.
  • Independent and external. Testing is performed by an outside firm whose business is offensive security research, not by the engineers who built the feature.
  • Scope. Engagements cover the web application, the public API, authentication and authorization, and tenant-isolation boundaries.
  • Remediation. Findings are triaged by severity, tracked to closure, and verified by retest. Material findings are remediated on a priority timeline appropriate to their severity.
  • Evidence. A summary letter or attestation of the most recent engagement is available to customers under NDA.
We share a penetration-test summary letter or attestation rather than the raw report, which can contain sensitive technical detail. The summary confirms scope, methodology, the testing firm, and that findings were remediated.

Continuous control monitoring

Point-in-time audits are necessary but not sufficient. Between formal examinations we continuously monitor the controls that underpin our compliance posture — access reviews, infrastructure configuration, vulnerability status, and change management — so drift is caught and corrected rather than discovered at the next audit.

Vulnerability disclosure

We welcome reports from the security community and from customers.

Report a vulnerability

Email security@coverbase.ai. We acknowledge reports within one business day and follow responsible-disclosure timelines. Please do not test against other tenants’ data or perform denial-of-service testing.

Requesting documentation

1. Email the security team

Send your request to security@coverbase.ai, naming the documents you need (SOC 2 report, penetration-test attestation, completed security questionnaire).

2. Execute an NDA

Reports are shared under a mutual NDA. If one is already in place between our organizations, reference it.

3. Receive the package

We provide the current report set and can complete standard security questionnaires (for example CAIQ / SIG) on request.