Security
Last updated: March 2026
Covren is built for teams that need their product data handled with care. This page explains the security controls we use to protect your information at every layer.
1. Data encryption
In transit: All connections use TLS (HTTPS). We enforce HTTP Strict Transport Security (HSTS) so browsers always connect securely. Cookies are marked Secure and SameSite=Lax.
At rest: Sensitive credentials (webhook secrets, delivery keys) are encrypted using AES-256-GCM with per-tenant key derivation (HKDF-SHA256). Passwords are hashed with bcrypt — we never store plaintext passwords.
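As an added illustration of the per-tenant key derivation described above (this is example code written for this page, not Covren's implementation), the following implements HKDF-SHA256 per RFC 5869 with the standard library and derives a separate 256-bit key for each tenant and purpose from one master key. The context-string layout, the purpose labels and the master key value are assumptions; the derived key is what an AES-256-GCM call would consume, and that encryption step is not shown here.

```python
import hashlib
import hmac

HASH_LEN = hashlib.sha256().digest_size  # 32 bytes for SHA-256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 step 1: PRK = HMAC-SHA256(salt, IKM).
    An absent salt is replaced by HashLen zero bytes, as the RFC specifies."""
    if not salt:
        salt = b"\x00" * HASH_LEN
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 step 2: T(i) = HMAC-SHA256(PRK, T(i-1) || info || i),
    concatenated until `length` bytes are available."""
    if length > 255 * HASH_LEN:
        raise ValueError("HKDF-SHA256 output is capped at 255 * HashLen bytes")
    okm = b""
    block = b""
    counter = 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


def tenant_key(master_key: bytes, tenant_id: str, purpose: str = "credential-encryption") -> bytes:
    """Derive the 32-byte AES-256 key for one tenant and one purpose.

    The `info` string is what makes derived keys independent: a key derived
    for tenant A (or for a different purpose label) is unrelated to tenant B's,
    so leaking one tenant's key does not expose another tenant's data. The
    "covren/v1/<purpose>/<tenant>" layout is an assumption made for this
    example; the page does not publish the real context string.
    """
    info = f"covren/v1/{purpose}/{tenant_id}".encode()
    return hkdf_sha256(master_key, b"", info, 32)


# RFC 5869, Appendix A, test case 1: known-answer check for the implementation.
_TC1_IKM = bytes.fromhex("0b" * 22)
_TC1_SALT = bytes.fromhex("000102030405060708090a0b0c")
_TC1_INFO = bytes.fromhex("f0f1f2f3f4f5f6f7f8f9")
_TC1_OKM = bytes.fromhex(
    "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865"
)


def rfc5869_known_answer_ok() -> bool:
    return hkdf_sha256(_TC1_IKM, _TC1_SALT, _TC1_INFO, 42) == _TC1_OKM


if __name__ == "__main__":
    master = bytes(32)  # placeholder master key; a real one comes from a KMS or an env secret
    print("RFC 5869 vector:", rfc5869_known_answer_ok())
    print("tenant keys differ:", tenant_key(master, "tenant-a") != tenant_key(master, "tenant-b"))
```

The known-answer check is the part worth keeping in any real deployment: an HKDF that silently diverges from the RFC still "works" (it produces keys) but loses interoperability and, depending on the bug, security margin.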
2. Tenant isolation
Every query is scoped to your tenant at the database layer. There is no implicit shared context between tenants. Your data is never visible to other customers, and access controls are enforced on every request — not just at the application boundary.
3. Authentication and access control
Covren supports email/password login with bcrypt hashing and optional SSO (OIDC and SAML 2.0). Sessions are stored server-side with HTTP-only, Secure cookies. Accounts lock after repeated failed login attempts to prevent brute-force attacks.
Role-based access control (RBAC) governs what each team member can do. Four roles — Editor, Member, Admin, and Super Admin — control access to features like draft approval, content export, and tenant administration. Permission checks are logged for audit purposes.
4. Webhook and integration security
Incoming webhooks (GitHub, GitLab, Bitbucket, Azure DevOps) are verified using HMAC-SHA256 signature validation with constant-time comparison to prevent timing attacks. Webhook payloads are automatically redacted before storage — secrets, tokens, and API keys are stripped recursively.
Duplicate webhook deliveries are handled through idempotency keys, so the same event is never processed twice.
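The three controls just described (HMAC-SHA256 verification with a constant-time comparison, recursive redaction before storage, and idempotency-key de-duplication) fit together into one intake path. The code below is an added example written for this page, not Covren's code: it uses the GitHub-style `X-Hub-Signature-256` and `X-GitHub-Delivery` headers, an assumed key-name pattern for redaction, a constructed sample payload, and in-memory stand-ins for the tables a real service would keep in its database.

```python
import hashlib
import hmac
import json
import re
from typing import Any, Optional

# Key names treated as secrets and redacted wherever they appear in the payload.
# This pattern is constructed for the example; Covren's real rule set is not published.
SECRET_KEY_PATTERN = re.compile(r"secret|token|password|api[_-]?key|authorization", re.I)
REDACTED = "[REDACTED]"


def sign(secret: bytes, raw_body: bytes) -> str:
    """Produce the value a GitHub-style sender puts in X-Hub-Signature-256."""
    return "sha256=" + hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, raw_body: bytes, header: Optional[str]) -> bool:
    """Check a `sha256=<hex>` header against the HMAC of the raw request bytes.

    Two details matter: the MAC is computed over the bytes as received (not
    over re-serialized JSON, which can differ), and the comparison uses
    hmac.compare_digest so the time taken does not depend on how many leading
    bytes of a forged signature happen to be right.
    """
    if not header or not header.startswith("sha256="):
        return False
    expected = sign(secret, raw_body)
    return hmac.compare_digest(expected.encode(), header.encode())


def redact(value: Any) -> Any:
    """Walk nested dicts/lists and blank out the values of secret-looking keys."""
    if isinstance(value, dict):
        return {
            k: (REDACTED if SECRET_KEY_PATTERN.search(str(k)) else redact(v))
            for k, v in value.items()
        }
    if isinstance(value, list):
        return [redact(v) for v in value]
    return value


class WebhookIntake:
    """Verify, de-duplicate and redact inbound deliveries.

    `seen` and `stored` are in-memory stand-ins for database tables; in a real
    service the idempotency set must be shared across all worker processes.
    """

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.seen: set = set()
        self.stored: list = []

    def handle(self, headers: dict, raw_body: bytes) -> str:
        # 1. Authenticate the delivery before doing anything else with the body.
        if not verify_signature(self.secret, raw_body, headers.get("X-Hub-Signature-256")):
            return "rejected: bad signature"
        # 2. Idempotency: the provider's delivery id is the key. A redelivery is
        #    acknowledged (so the sender stops retrying) but not processed again.
        delivery_id = headers.get("X-GitHub-Delivery")
        if not delivery_id:
            return "rejected: missing delivery id"
        if delivery_id in self.seen:
            return "duplicate: already processed"
        self.seen.add(delivery_id)
        # 3. Redact before the payload is persisted or forwarded anywhere.
        self.stored.append(redact(json.loads(raw_body)))
        return "accepted"


# Constructed sample delivery (not a real GitHub event).
SAMPLE_SECRET = b"constructed-webhook-secret"
SAMPLE_BODY = json.dumps({
    "action": "opened",
    "pull_request": {"title": "Add export endpoint", "body": "Closes #12"},
    "sender": {"login": "dev", "api_token": "ghp_constructed"},
    "auth": {"Authorization": "Bearer constructed"},
}).encode()

if __name__ == "__main__":
    intake = WebhookIntake(SAMPLE_SECRET)
    headers = {"X-Hub-Signature-256": sign(SAMPLE_SECRET, SAMPLE_BODY), "X-GitHub-Delivery": "delivery-1"}
    print(intake.handle(headers, SAMPLE_BODY))   # accepted
    print(intake.handle(headers, SAMPLE_BODY))   # duplicate: already processed
    print(intake.stored[0]["sender"])            # api_token is redacted
```

The ordering is deliberate: signature verification runs first so that unauthenticated traffic never reaches the JSON parser or the idempotency store, and redaction runs before the first write so that an unredacted copy never exists on disk.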
5. How we handle your code data
Covren ingests metadata about code changes (commit messages, PR descriptions, diff summaries) — not your full source code. When LLM processing is enabled, we send only the minimum context needed to generate documentation drafts. No raw webhook payloads, secrets, PII, or API keys are sent to the LLM.
All LLM-generated content goes through human review before it reaches your end customers. Nothing is auto-published.
Per-tenant usage budgets prevent runaway LLM costs, and all LLM interactions are logged for observability (operation type, model, token count — never content).
6. API and application security
- Rate limiting: Redis-backed sliding-window rate limits protect all endpoints, with per-tenant and per-IP bucketing. Limits are applied to webhooks, login, signup, and API calls independently.
- Input validation: All request bodies are validated through typed schemas. Request body size is limited (default 20 MB) to prevent abuse.
- CORS: Console and API endpoints restrict cross-origin requests to an explicit allowlist. Only the delivery and widget paths (designed for cross-domain embedding) allow open access.
- Security headers: Every response includes X-Content-Type-Options: nosniff, X-Frame-Options: DENY, Referrer-Policy: strict-origin-when-cross-origin, and HSTS.
- Idempotency: POST endpoints accept an Idempotency-Key header to prevent duplicate actions on network retry.
- Error handling: API errors return a structured response with a support ID for correlation. No stack traces, internal paths, or secrets are exposed in error responses.
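The rate-limiting item above (a Redis-backed sliding window bucketed per tenant and per IP) and the "fails open" behaviour noted under Infrastructure can be shown together. The following is an added example, not Covren's code: it implements the sorted-set sliding-window algorithm (timestamps as ZSET scores, expired entries trimmed, then counted) against an in-memory stand-in for the three Redis commands involved, and exercises the fail-open path by simulating an unreachable store. Scope names, bucket key layout, limits and the 203.0.113.7 address are constructed for the example.

```python
import time
import uuid
from collections import defaultdict
from typing import Callable


class InMemoryZSetStore:
    """Stand-in for the three Redis sorted-set commands the limiter needs
    (ZREMRANGEBYSCORE, ZCARD, ZADD). Scores are request timestamps."""

    def __init__(self) -> None:
        self._zsets: dict = defaultdict(dict)

    def remove_older_than(self, key: str, min_score: float) -> None:
        zset = self._zsets[key]
        for member in [m for m, s in zset.items() if s < min_score]:
            del zset[member]

    def count(self, key: str) -> int:
        return len(self._zsets[key])

    def add(self, key: str, member: str, score: float) -> None:
        self._zsets[key][member] = score


class UnreachableStore(InMemoryZSetStore):
    """Simulates Redis being down so the fail-open path can be exercised."""

    def count(self, key: str) -> int:
        raise ConnectionError("redis unreachable")


class ManualClock:
    """Deterministic clock for tests; production code would use time.time()."""

    def __init__(self, now: float) -> None:
        self.now = now

    def advance(self, seconds: float) -> None:
        self.now += seconds

    def __call__(self) -> float:
        return self.now


class SlidingWindowLimiter:
    def __init__(self, store, limit: int, window_seconds: float,
                 fail_open: bool = True, clock: Callable[[], float] = time.time) -> None:
        self.store = store
        self.limit = limit
        self.window = window_seconds
        self.fail_open = fail_open
        self.clock = clock

    def allow(self, scope: str, identity: str) -> bool:
        """Return True if the request may proceed.

        `scope` separates endpoints (login, signup, webhooks, api) and `identity`
        separates buckets within a scope ("tenant:<id>" or "ip:<addr>"), so a
        login flood from one IP cannot consume a tenant's API budget.
        """
        key = f"ratelimit:{scope}:{identity}"
        now = self.clock()
        try:
            # Drop entries that fell out of the window, then count what is left.
            self.store.remove_older_than(key, now - self.window)
            if self.store.count(key) >= self.limit:
                return False
            self.store.add(key, uuid.uuid4().hex, now)
            return True
        except ConnectionError:
            # Fail open: a limiter outage degrades to "no limit" rather than to
            # an API outage. This path should be logged and alerted on.
            return self.fail_open


if __name__ == "__main__":
    clock = ManualClock(1000.0)
    limiter = SlidingWindowLimiter(InMemoryZSetStore(), limit=3, window_seconds=60, clock=clock)
    print([limiter.allow("login", "ip:203.0.113.7") for _ in range(4)])  # 3 allowed, 4th denied
    clock.advance(61)
    print(limiter.allow("login", "ip:203.0.113.7"))                      # window slid: allowed
```

Against real Redis the trim, count and add should run as one MULTI/EXEC block or a Lua script so two concurrent requests cannot both pass a check against the same stale count. Fail-open is the right trade for availability, as the page states, but it is also the moment an attacker would find brute-force limits absent, which is why the outage itself needs an alert.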
7. Audit trail
Covren maintains append-only audit logs for all significant actions: logins, logouts, change events, approvals, rejections, assignments, settings changes, and content queries. These logs are immutable — rows are inserted but never updated or deleted. Each entry includes a timestamp and actor ID for full traceability.
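One way to make "rows are inserted but never updated or deleted" a property the database enforces rather than a convention the application follows, as an added example that is not Covren's schema: triggers that abort any UPDATE or DELETE against the audit table. SQLite is used here so the example runs self-contained; the page names PostgreSQL, where the same effect is commonly achieved with equivalent triggers or by revoking UPDATE and DELETE on the table from the application role. Column names and sample values are constructed.

```python
import sqlite3
from datetime import datetime, timezone
from typing import Optional

SCHEMA = """
CREATE TABLE audit_log (
    id        INTEGER PRIMARY KEY AUTOINCREMENT,
    ts        TEXT NOT NULL,
    tenant_id TEXT NOT NULL,
    actor_id  TEXT NOT NULL,
    action    TEXT NOT NULL,
    detail    TEXT
);
-- Append-only is enforced by the database, not only by application code:
-- any UPDATE or DELETE on audit rows aborts the statement.
CREATE TRIGGER audit_log_no_update BEFORE UPDATE ON audit_log
BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;
CREATE TRIGGER audit_log_no_delete BEFORE DELETE ON audit_log
BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;
"""


def open_audit_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA)
    return conn


def record(conn: sqlite3.Connection, tenant_id: str, actor_id: str,
           action: str, detail: Optional[str] = None) -> int:
    """Append one event (timestamp and actor id are always present); returns the row id."""
    ts = datetime.now(timezone.utc).isoformat()
    cur = conn.execute(
        "INSERT INTO audit_log (ts, tenant_id, actor_id, action, detail) VALUES (?, ?, ?, ?, ?)",
        (ts, tenant_id, actor_id, action, detail),
    )
    conn.commit()
    return cur.lastrowid


def fetch(conn: sqlite3.Connection, row_id: int) -> dict:
    row = conn.execute("SELECT * FROM audit_log WHERE id = ?", (row_id,)).fetchone()
    return dict(row) if row else {}


def immutability_check(conn: sqlite3.Connection, row_id: int) -> list:
    """Self-test that the triggers hold: attempt to rewrite and to delete a row
    and report what the database did with each attempt."""
    outcomes = []
    for sql in ("UPDATE audit_log SET action = 'login' WHERE id = ?",
                "DELETE FROM audit_log WHERE id = ?"):
        try:
            conn.execute(sql, (row_id,))
            conn.commit()
            outcomes.append("allowed")
        except sqlite3.DatabaseError as exc:
            conn.rollback()
            outcomes.append(f"blocked: {exc}")
    return outcomes


if __name__ == "__main__":
    conn = open_audit_db()
    rid = record(conn, "tenant-acme", "user-42", "approval", "draft 17 approved")
    print(immutability_check(conn, rid))   # both attempts blocked
    print(fetch(conn, rid)["action"])      # still "approval"
```

A check like immutability_check belongs in the test suite of the service rather than in production code: it proves the constraint is still present after every migration, which is where append-only guarantees are most often lost.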
8. Billing security
Payments are handled entirely through Stripe. We never store credit card numbers or payment details. Stripe webhook events are verified using signature validation before processing. Subscription state is checked on every authenticated request to enforce plan limits.
9. Infrastructure
- PostgreSQL with TLS connections and configurable SSL mode
- Connection pooling with health checks (pool_pre_ping) and statement timeouts to prevent resource exhaustion
- Redis for rate limiting (optional, fails open — availability is not compromised if Redis is down)
- Secrets loaded from environment variables with TTL-based refresh (300s), enabling credential rotation without restarts
- Health endpoints (/health, /health/ready) for monitoring, with Redis status reported as informational (not blocking readiness)
10. Monitoring and alerting
Seven alert rules monitor critical failure modes: LLM error rate, LLM latency, request error rate, queue backlog, database connection pool exhaustion, LLM budget exhaustion, and worker stalls. Alerts fire through configurable webhooks when thresholds are breached.
11. AI data handling
Covren uses Anthropic's Claude API for impact classification and draft generation. All data is redacted (secrets, PII, raw code stripped) before reaching the AI provider. Anthropic does not use API customer data for model training. For details, see our sub-processor list and privacy policy.
12. Verification & trust signals
We use independent, publicly verifiable assessments to demonstrate our security posture:
- CSA STAR Level 1 — Self-assessment published on the CSA STAR Registry
- OWASP ASVS Level 1 — Self-assessment against the Application Security Verification Standard
- Mozilla Observatory — View scan results
- SSL Labs — View TLS report
- security.txt — RFC 9116 vulnerability disclosure file
- Dependency scanning — Automated vulnerability scanning via pip-audit in CI
13. Incident response
In the event of a confirmed data breach, we will notify affected customers within 72 hours of becoming aware of the incident, as required by GDPR Article 33. Notifications include: (a) the nature and scope of the breach, (b) the data categories affected, (c) the measures taken or proposed to address the incident, and (d) a point of contact for follow-up. Incident communications are sent to the account owner email and any contacts specified in your order form.
14. Responsible disclosure
If you discover a security vulnerability, please contact us at security@covren.com or see our security.txt. We take all reports seriously and will respond promptly.
Download
Download Security & Compliance Brief (PDF) — a 2-page summary for RFP responses and compliance reviews.
Questions?
If you have security questions not covered here, reach out through the console or contact security@covren.com. We are happy to discuss our security posture in detail for your compliance review.