Security at CoverProof

We help you prove your security posture to insurers. That means our own security must be impeccable.

All data is encrypted using AES-256 at rest and TLS 1.3 in transit. Database connections use SSL certificates.

We use industry-standard OAuth 2.0 for all third-party integrations. We never store your passwords for connected services.

We request only the permissions necessary to verify your security posture. Read-only access where possible.

Our infrastructure runs on SOC 2 Type II certified cloud providers with 99.9% uptime SLA.

We conduct regular penetration testing and vulnerability assessments by third-party security firms.

Data is stored in US-based data centers. Enterprise customers can request specific data residency requirements.

SOC 2 Type II

In Progress • 2026

ISO 27001

Planned • 2026

GDPR Compliant

Compliant • 2025

CCPA Compliant

Compliant • 2025

Category	✓ We Collect	✗ We Never Collect
Identity Data	User counts, MFA status, admin roles	Passwords, personal emails, authentication tokens
Endpoint Data	Device counts, protection status, OS versions	File contents, browsing history, user activity
Network Data	Firewall rules, VPN configurations, network topology	Traffic logs, packet data, IP addresses of users
Backup Data	Backup schedules, retention policies, success rates	Backup contents, file names, restore points

Microsoft 365 / Azure AD

OAuth 2.0 with delegated permissions. We request Directory.Read.All and Policy.Read.All scopes only.

Google Workspace

OAuth 2.0 with read-only admin directory access. No access to email or drive contents.

CrowdStrike / SentinelOne

API keys with read-only access. We verify device protection status only.

Firewall Configs

Configs are analyzed in-memory and not stored. Only rule summaries are retained.

Our security team is available to answer questions and provide additional documentation.