We keep your data private, safe, and secure


At Covey, we are committed to keeping our customers’ data secure

We employ rigorous security measures at the organizational, architectural, and operational levels to ensure that your data, applications, and infrastructure remain safe.

Organizational Security

All Covey employees receive security, privacy, and compliance training on their first day of employment. Though the extent of involvement may vary by role, security is everybody’s responsibility at Covey. This commitment to security extends to our executives. The Covey Security Council, a cross-functional group of executives spanning the enterprise, shapes our security programs, drives executive alignment across our organization, and ensures that security awareness and initiatives permeate throughout our organization.

Data Encryption

Covey encrypts sensitive customer data before it’s persisted in a database. We use the Advanced Encryption Standard (AES) algorithm with a key size of 256 bits. Transport Layer Security (TLS) protects user access via the internet, helping to secure network traffic from passive eavesdropping, active tampering, or message forgery.

Application Security

Covey has implemented an enterprise Secure Software Development Life Cycle (SDLC) to help ensure the continued security of Covey applications. This program includes an in-depth security risk assessment and review of Covey features, as well as both static and dynamic source code analyses, all of which are performed to help integrate enterprise security into the development lifecycle. The development process is further enhanced by application security training for developers and penetration testing of the application.

Vulnerability Assessments

Covey contracts with third-party expert firms to conduct independent internal and external network, system, and application vulnerability assessments.


We contract with a leading third-party security firm to perform an application-level security vulnerability assessment of our web application annually. The firm performs testing procedures to identify standard and advanced web application security vulnerabilities, for example:

  • Security weaknesses associated with Cross-site request forgery (CSRF)
  • Improper input handling (such as cross-site scripting, SQL injection, XML injection, and cross-site flashing)
  • Weak session management
  • Data validation flaws and data model constraint inconsistencies
  • Insufficient authentication or authorization
  • HTTP response splitting
  • Misuse of SSL/TLS
  • Use of unsafe HTTP methods
  • Misuse of cryptography


External vulnerability assessments scan all internet-facing assets (including firewalls, routers, and web servers) for potential weaknesses that could allow unauthorized access to the network. An authenticated internal network and system vulnerability assessment is performed to identify potential weaknesses and inconsistencies with general system security policies.


Global Data Privacy

Covey demonstrates compliance with international privacy regulations by maintaining a comprehensive global data protection program that contains technical and organizational safeguards designed to prevent unauthorized access to and use or disclosure of customer data.

General Data Protection Regulation (GDPR)

On May 25, 2018, the GDPR significantly changed the European data privacy landscape. The GDPR harmonized the patchwork of data protection laws in Europe. Covey is confident that we can process our customers’ personal data in alignment with the GDPR.

Some highlights of how Covey’s robust privacy and security practices support GDPR compliance include:

  • Recurring role-based employee training on security and privacy practices
  • Well-developed processes to capture Privacy Impact Assessments
  • Offering data transfer mechanisms to legalize transfers of personal data outside of the European Economic Area
  • Maintaining records of processing activities
  • Privacy by Design and Privacy by Default are integrated deeply into all Covey Services.

Covey continues to monitor guidance that EU supervisory authorities issue to ensure that our compliance program remains up-to-date.

Data Processing Relationship

Our customers serve as the data controller while Covey is the data processor. This means that you have full control of the data entered into services, as well as all setup and configurations.

Purpose for Data Processing

For fulfillment of contractual obligations (Art. 6 para. 1b of the GDPR)

Data is processed in order to provide and receive services in the context of carrying out our contracts with our clients and suppliers or to carry out pre-contractual measures that occur as part of a request. The purposes of data processing are primarily in compliance with the specific services provided or received. You can find more specific details about the purposes of data processing in the relevant contract documents and terms and conditions.

In the context of balancing interests (Art. 6 para. 1f of the GDPR)

Where required, we process your data beyond the actual fulfillment of the contract for the purposes of the legitimate interests pursued by us or a third party. Examples include:

  • Reviewing and optimizing procedures for needs assessment for the purpose of direct customer discussions
  • Asserting legal claims and defense in legal disputes
  • Guarantee of our company's IT security and IT operation
  • Prevention and clarification of crimes
  • Measures for site security (e.g. access controls)
  • Measures for business management and further development of services and products
  • Risk control

We also obtain personal data from publicly available sources.

Data Transfer Mechanisms

Covey provides customers that operate inside the European Union with GDPR-compliant data transfer mechanisms. Covey’s Data Processing Agreement (DPA) includes the European Commission’s Standard Contractual Clauses (SCC), which enable the transfer of personal data from the European Economic Area to the United States.

How Long Will Your Data Be Stored?

We will process and store your personal data for as long as it is necessary in order to fulfill our contractual and statutory obligations. It should be noted here that our business relationship is a long-term obligation, which is set up on the basis of periods of years.

If the data is no longer required in order to fulfill contractual or statutory obligations, it is deleted, unless its further processing is required – for a limited time – for fulfilling obligations to preserve records according to commercial and tax law.

Data Subject Request

You can make a GDPR data request by filling out the form here.