Coverbase is the system of record for your third-party risk program. We hold vendor data, assessment evidence, contracts, and findings — the same material your auditors and regulators ask about. We hold ourselves to the standard we help you hold your own vendors to.
This section documents how we govern the platform, how we secure it, and how we make every action on it auditable. It is written for the security, compliance, and procurement teams who evaluate Coverbase as a vendor.
Our security model
Our program is built on the same principles top security organizations operate by: independent assurance, defense in depth, least privilege, and verifiable auditability. Nothing here is aspirational — each pillar maps to a control that is in place today and is exercised in our SOC 2 Type II audit.
Compliance and assurance
SOC 2 Type II, independent annual penetration testing, and continuous control monitoring. Request our reports under NDA.
Security governance
Documented policies, named ownership, role-based access, personnel security, and a tested incident-response and business-continuity program.
Data protection
Encryption in transit and at rest, strict per-organization tenant isolation, managed key storage, and defined retention and deletion.
Secure development
A secure SDLC with mandatory review, automated type/lint/test gates, dependency and secret scanning, and least-privilege CI/CD.
AI governance
How we select, test, and constrain the AI models that power Coverbase — including evaluation, human oversight, and customer-data handling.
Audit trails
Every action — in the dashboard, over the API, and through AI assistants — is logged and exportable through the audit API.
Principles
Independent assurance over self-attestation
We do not ask you to take our word for it. Our controls are examined annually by an independent SOC 2 auditor and tested by an outside penetration-testing firm. See Compliance and assurance.
Least privilege everywhere
Access — for our people, our systems, and your API credentials — defaults to the minimum required. Production access is gated and logged; API keys carry no elevated scopes unless an admin grants them. See Security governance and API conventions.
Tenant isolation by construction
Every record is scoped to its owning organization, and that scope is enforced in depth at the data-access layer — not just at the edge. See Data protection.
Everything is auditable
Dashboard actions, public-API calls, and AI assistant tool calls all land in the same audit trail, which you can read and export programmatically. See Audit trails.
Contact
Security team
Reach our security team at security@coverbase.ai for reports, questionnaires, or documentation requests.
Request reports
SOC 2 reports and penetration-test summary letters are available to customers and prospects under NDA.
Privacy policy
See the Coverbase Privacy Policy for how we handle personal data.