At Covey, we are committed to keeping our customers’ data secure.
We employ rigorous security measures at the organizational, architectural, and operational levels to ensure that your data, applications, and infrastructure remain safe.
Organizational Security
All Covey employees receive security, privacy, and compliance training on their first day of employment. Though the extent of involvement varies by role, security is everybody’s responsibility at Covey. This commitment extends to our executives. The Covey Security Council, a cross-functional group of executives spanning the enterprise, shapes our security programs, drives executive alignment, and ensures that security awareness and initiatives permeate the organization.
Data Encryption
Covey encrypts sensitive customer data before it’s persisted in a database. We use the Advanced Encryption Standard (AES) algorithm with a key size of 256 bits. Transport Layer Security (TLS) protects user access via the internet, helping to secure network traffic from passive eavesdropping, active tampering, or message forgery.
Application Security
Covey has implemented an enterprise Secure Software Development Life Cycle (SDLC) to help ensure the continued security of Covey applications. This program includes an in-depth security risk assessment and review of Covey features, as well as both static and dynamic source code analyses, all of which are performed to help integrate enterprise security into the development lifecycle. The development process is further enhanced by application security training for developers and penetration testing of the application.
Vulnerability Assessments
Covey contracts with third-party expert firms to conduct independent internal and external network, system, and application vulnerability assessments.
We contract with a leading third-party security firm to perform an application-level security vulnerability assessment of our web application annually. The firm performs testing procedures to identify standard and advanced web application security vulnerabilities, for example:
External vulnerability assessments scan all internet-facing assets (including firewalls, routers, and web servers) for potential weaknesses that could allow unauthorized access to the network. An authenticated internal network and system vulnerability assessment is performed to identify potential weaknesses and inconsistencies with general system security policies.
Global Data Privacy
Covey demonstrates compliance with international privacy regulations by maintaining a comprehensive global data protection program that contains technical and organizational safeguards designed to prevent unauthorized access to and use or disclosure of customer data.
General Data Protection Regulation (GDPR)
On May 25, 2018, the GDPR significantly changed the European data privacy landscape. The GDPR harmonized the patchwork of data protection laws in Europe. Covey is confident that we can process our customers’ personal data in alignment with the GDPR.
Some highlights of how Covey’s robust privacy and security practices support GDPR compliance include:
Covey continues to monitor guidance that EU supervisory authorities issue to ensure that our compliance program remains up-to-date.
Our customers serve as the data controller, while Covey is the data processor. This means that you have full control of the data entered into our services, as well as all setup and configuration.
For fulfillment of contractual obligations (Art. 6 para. 1b of the GDPR)
Data is processed in order to provide and receive services in the context of carrying out our contracts with our clients and suppliers or to carry out pre-contractual measures that occur as part of a request. The purposes of data processing are primarily in compliance with the specific services provided or received. You can find more specific details about the purposes of data processing in the relevant contract documents and terms and conditions.
In the context of balancing interests (Art. 6 para. 1f of the GDPR)
Where required, we process your data beyond the actual fulfillment of the contract for the purposes of the legitimate interests pursued by us or a third party. Examples include:
We also obtain personal data from publicly available sources.
Covey offers customers operating inside the European Union GDPR-compliant data transfer mechanisms. Covey’s Data Processing Agreement (DPA) includes the European Commission’s Standard Contractual Clauses (SCC), which enable the transfer of personal data from the European Economic Area to the United States.
We will process and store your personal data for as long as necessary to fulfill our contractual and statutory obligations. Note that our business relationships are long-term, established for periods of years.
If the data is no longer required to fulfill contractual or statutory obligations, it is deleted, unless its further processing is required, for a limited time, to meet record-retention obligations under commercial and tax law.
You can make a GDPR data request by filling out the form here.