Coveo is deeply committed to security, it’s effectively ingrained in every element of our work – we consider it a shared responsibility. Every single Coveo employee is trained on best practices and we’ve even gamified certain elements of keeping folks security-focused. Our customers can rest assured that we are always working hard and investing in their security and protection.
An integral part of our commitment to security is our SOC II compliance and the rigorous auditing and testing that comes with it. We’ve recently completed this process for 2018, and are happy to share that once again, we’ve successfully passed the SOC 2 Type II Examination.
To learn more about our obligation to security, I spoke with Pierre-Alexis Tremblay (PA), our inhouse Data Protection Officer and Director of Information Security.
Isaac: Tell me a little about your role and the security team at Coveo.
PA: As the Director of Information Security, I oversee everything that happens at Coveo with regards to Security, under our CISO’s guidance. In other words, I run around making sure everyone has all the knowledge and tools needed to do their job in a safe way, including my own team members, and that our CISO’s vision gets materialized.
Coveo’s security team covers all spheres of the organization. From internal and external penetration tests, to contract negotiations, data governance, risk management and compliance (GRC), all the while devising tools and learning the latest technologies to help defend against all sorts of attacks. Coveo’s security analysts work with every single team in the company to build and maintain the security culture and continuously evolve our great security practices. No two days are the same!
Isaac: Security is top priority at Coveo, how do we enable our employees to keep up with the ever-changing threat landscape?
PA: We have several initiatives that are really cool: hack-a-day events to bolster awareness and serve as an internal bug bounty program, and our internal community of security champions. Primarily, I live by two sayings. The first is “Since we already have the world to defend against, we need our own colleagues to be on our side” – one of the ways we achieve that is by following this precept – “In security, the goal is non-negotiable, but the means to get there, are.”
Isaac: Why is it so important, now more than ever, to protect customer and partner information?
PA: Security is one of Coveo’s key differentiators. It is built right into the way we index customer’s data, with early binding and security filters. Furthermore, different countries have different regulations and legal frameworks. International companies need providers like us that understand the nature of their business and these constraints. Coveo respects the Privacy Shield, has a HIPAA-Compliant service offering, is GDPR Compliant and is audited for Security Certifications every year. Maintaining those standards requires a constant vigilance, automated tools and a lot of friends in R&D (Thanks R&D!).
Isaac: Tell us a little about SOC 2 compliance testing.
PA: SOC Type 2 was designed by the American Institute of Certified Public Accountants (AICPA). It’s THE industry standard that assesses controls at a service organizations such as Coveo. They primarily focused on evaluating Coveo Cloud Platform’s security and protection from unauthorized access, availability for operation, and confidentiality of client information.
Isaac: Why does Coveo undertake this testing?
PA: It’s a matter of utmost importance to ensure that our Coveo Cloud infrastructure is built securely. It’s important to our customers, which means it’s important to us. They trust us with sensitive data, such as health records and Index data and it’s our responsibility to keep that data safe, a responsibility that we take very seriously. Our completion of the SOC 2 Type 2 is an affirmation of our standards, our practices, and our security values.
Isaac: How often is the audit performed?
PA: Coveo started the SOC journey in 2014 and obtained its first certification in June of 2015. Our compliance has evolved a lot since then, moving progressively from a SOC 1 Type I to the current SOC 2 Type II with 3 Trust Service Criteria – this is the same one that services such as Amazon Web Services gets examined against.
Isaac: Where can our customers see the SOC II audit report?
PA: The SOC Report contains confidential information on our internal practices so it’s not publicly available. However, we are happy to share the report with customers that ask for it. The best way to do so is by heading over to our Support Portal.
Isaac: How do our security practices align with our core values and vision?
PA: Security affects everyone, in a myriad of ways. Often times people will recall the one time where security failed. But that isn’t what security really means. Security is getting access to the information you need, when you need it, and sharing it with only those that need it. It means being able to trust the information you access, and it means protecting the things in our lives that we hold dear. Security grants trust, provides integrity, and allows for collaboration. This is what we are passionate about, this is what security-minded people wake up in the morning for. Our only goal is to protect others and what they hold dear.
We work extremely hard on a daily, even hourly, basis to ensure our clients have the best protection we can deploy from the leading AI-powered search and recommendations provider. They deserve only the best, and we only give our best. If you’re curious to discover more information about our investment in security, visit our page here, or if you want to delve further, you can find our FAQ here.