Security at Coverbase is governed, not improvised. We maintain a documented control program with named ownership, periodic review, and the same risk-management discipline we help our customers apply to their own third parties.
Governance program
Documented policies
A maintained set of information-security policies — access control, data classification, secure development, incident response, business continuity, and acceptable use — reviewed at least annually.
Named ownership
Security is owned by leadership, not left ambient. Each control area has an accountable owner responsible for its operation and review.
Risk management
We run a recurring risk-assessment process to identify, rate, and treat risks to the platform and to customer data, with treatment tracked to closure.
Policy review
Policies and the controls behind them are reviewed on a fixed cadence and after material changes to the product or infrastructure.
Access control
We operate on least privilege and need-to-know.
- Role-based access. Access to systems and to customer data is granted by role, scoped to what the role requires, and reviewed periodically.
- Strong authentication. Workforce access to internal systems requires SSO with multi-factor authentication. Customer access to the dashboard is authenticated through our identity provider (Clerk).
- Production access is gated. Access to production systems is restricted to authorized personnel, granted on need, and logged.
- Joiner / mover / leaver. Access is provisioned on role and revoked promptly on role change or departure.
- Scoped API credentials. API keys default to no elevated scopes; admins grant the minimum scope required, and a scoped key can never escalate its own access. See API key scopes.
Personnel security
- Background checks are conducted on personnel where permitted by law.
- Security awareness training is delivered at onboarding and refreshed periodically.
- Confidentiality obligations apply to all personnel with access to customer data.
Vendor and subprocessor management
We assess our own vendors and subprocessors before onboarding and on a recurring basis — and yes, we use Coverbase to do it.
- Subprocessors are vetted for security and privacy posture before they touch customer data.
- A current list of subprocessors is available on request, and material changes are communicated in line with our agreements.
Business continuity and disaster recovery
Resilient infrastructure
The platform runs on managed cloud infrastructure across multiple availability zones to tolerate component failure.
Backups
Customer data is backed up regularly. Restoration is tested so backups are known to be recoverable, not merely present.
Recovery objectives
We maintain defined recovery objectives (RTO/RPO) and a documented plan to restore service after disruption.
Tested plan
The continuity and recovery plan is exercised and updated, not left on a shelf.
Incident response
We maintain a documented incident-response plan with defined roles, severity levels, and escalation paths.
Notify
Where an incident affects customer data, we notify affected customers in line with our contractual and regulatory obligations.
Suspect a security incident involving Coverbase? Contact security@coverbase.ai immediately.