CovenantFlow

Security

Built for the security review your bank actually runs.

Commercial banks ask the same questions every TPRM cycle: encryption, audit, residency, sub-processors. This page answers them; it is not marketing.

security@covenantflow.ai

Certifications & attestations

Independent audits, current status.

SOC 2 Type II: Active

Annual independent audit of our security, availability, and confidentiality controls.

ISO 27001: Roadmap

Information security management system. Targeting certification in 2027.

PCI DSS: Not applicable

We do not store, process, or transmit cardholder data. PCI scope avoided by design.

The four pillars

How customer data is protected, end to end.

01

Encryption

  • TLS 1.2+ for every connection. HSTS enforced on all production domains.
  • AES-256 at rest for documents, financials, and audit logs.
  • Customer-managed encryption keys (CMK) available for enterprise tenants.
  • Secrets segregated in Vercel and Supabase secret stores; never in source control.

02

Identity & access

  • SAML 2.0 SSO with Okta, Microsoft Entra ID, and Ping Identity.
  • SCIM 2.0 for automated provisioning and de-provisioning.
  • Row-level security mirrors your nCino RM assignments, so bankers see only their book.
  • MFA required for all internal access. Hardware keys for production.

03

Audit & observability

  • Append-only audit log for every covenant edit, document upload, and access event.
  • Actor, timestamp, IP, user-agent, and before/after diff captured per event.
  • 7-year retention by default; longer on request.
  • On-demand export to your data warehouse (Snowflake, Databricks).

04

Privacy & data handling

  • US-region data residency by default (us-east-1). EU and Canadian regions available.
  • Borrower data is processed under your bank's existing legal basis. We are a sub-processor.
  • Granular retention and deletion. Right-to-erasure honored at the borrower level.
  • BAA and DPA available pre-baked; no legal review delays.
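The two pillars above that a reviewer most often asks to see in concrete terms are row-level security (bankers see only their book) and the append-only audit log (actor, timestamp, IP, user-agent, before/after diff). The following Postgres DDL is an added illustration written for this page, not CovenantFlow's own schema or policy: the table names (rm_assignments, covenants, covenant_audit), the role app_user, and the session settings app.banker_id, app.client_ip and app.user_agent are all assumed. It shows the shape of such controls: an RLS policy keyed to the caller's RM assignments, forced even for the table owner, and an audit table that can be inserted into but never updated, deleted or truncated.

```sql
-- Added illustration, not CovenantFlow's schema. All names below are assumed.

-- Which bankers (relationship managers) own which borrowers.
create table rm_assignments (
  banker_id   uuid not null,
  borrower_id uuid not null,
  primary key (banker_id, borrower_id)
);

create table covenants (
  id          uuid primary key default gen_random_uuid(),
  borrower_id uuid not null,
  name        text not null,
  threshold   numeric not null
);

-- Enable RLS and force it so even the table owner is subject to the policy.
alter table covenants enable row level security;
alter table covenants force row level security;

-- The application sets the caller's identity once per transaction, e.g.
--   set local app.banker_id = '<banker uuid>';
-- A banker can read or write a covenant only if the borrower is in their book.
-- (On Supabase one would typically key this on auth.uid() instead.)
create policy banker_book on covenants
  for all
  using (
    exists (
      select 1 from rm_assignments a
      where a.borrower_id = covenants.borrower_id
        and a.banker_id = nullif(current_setting('app.banker_id', true), '')::uuid
    )
  )
  with check (
    exists (
      select 1 from rm_assignments a
      where a.borrower_id = covenants.borrower_id
        and a.banker_id = nullif(current_setting('app.banker_id', true), '')::uuid
    )
  );

-- Append-only audit log: actor, timestamp, IP, user-agent, before/after state.
create table covenant_audit (
  id          bigserial primary key,
  covenant_id uuid not null,
  actor       uuid,
  action      text not null,          -- INSERT / UPDATE / DELETE
  ip          inet,
  user_agent  text,
  before_row  jsonb,
  after_row   jsonb,
  at          timestamptz not null default now()
);

-- Row trigger: capture the full before/after row and the session context.
create or replace function log_covenant_change() returns trigger
language plpgsql as $$
begin
  insert into covenant_audit
    (covenant_id, actor, action, ip, user_agent, before_row, after_row)
  values (
    coalesce(new.id, old.id),
    nullif(current_setting('app.banker_id', true), '')::uuid,
    tg_op,
    nullif(current_setting('app.client_ip', true), '')::inet,
    nullif(current_setting('app.user_agent', true), ''),
    case when tg_op in ('UPDATE', 'DELETE') then to_jsonb(old) end,
    case when tg_op in ('INSERT', 'UPDATE') then to_jsonb(new) end
  );
  return coalesce(new, old);
end $$;

create trigger covenant_audit_trg
  after insert or update or delete on covenants
  for each row execute function log_covenant_change();

-- Make the log append-only at the database layer: reject any mutation,
-- regardless of the caller's privileges.
create or replace function reject_audit_mutation() returns trigger
language plpgsql as $$
begin
  raise exception 'covenant_audit is append-only';
end $$;

create trigger covenant_audit_immutable
  before update or delete or truncate on covenant_audit
  for each statement execute function reject_audit_mutation();

-- Application role (assumed): may read and append to the log, nothing else.
create role app_user;
grant select, insert, update, delete on covenants to app_user;
grant usage, select on sequence covenant_audit_id_seq to app_user;
grant select, insert on covenant_audit to app_user;
```

A reviewer checking a design like this would want to confirm two things: that `force row level security` is set (otherwise a connection as the table owner bypasses the policy), and that the application never runs as a superuser or table owner, since those can drop the immutability trigger.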

Application security

Practices baked into the development lifecycle.

Secure development

Every change passes typed code review and CI checks. Dependency scanning (Dependabot + Snyk) gates merges. Secrets detection prevents credential leaks at the commit boundary.

Production hardening

Multi-region failover. WAF in front of all customer-facing surfaces. Rate limiting on every authenticated route. Vercel + Supabase shared-responsibility model with documented boundaries.

Penetration testing

Annual penetration test by an independent firm; remediation tracked to closure with target SLAs (Critical: 7 days, High: 30 days). Reports available under NDA.

Vulnerability management

Continuous scanning across application, infrastructure, and container layers. Known vulnerabilities triaged within 24 hours. Security advisories monitored across the dependency graph.

Sub-processors

Every third party that touches your data.

Sub-processors are listed by category. The full named list, along with our DPA and SIG/CAIQ response, is available under NDA on request. We notify customers 30 days before adding a new sub-processor.

Application hosting & CDN
  Purpose: Serves the product UI, API, and edge network routing
  Certifications: SOC 2 Type II, ISO 27001, PCI DSS, HIPAA-ready
  Region: Global, primary US

Managed database & file storage
  Purpose: Postgres for tenant data, file storage, edge functions
  Certifications: SOC 2 Type II, HIPAA, GDPR DPA available
  Region: Configurable per tenant

Cache & marketing-site CMS
  Purpose: Redis for ephemeral state and Insights content
  Certifications: SOC 2 Type II, ISO 27001, GDPR DPA available
  Region: US

AI & machine learning
  Purpose: Document extraction (text only, no PII persistence)
  Certifications: SOC 2 Type II, no-training contractual terms
  Region: US

Cloud infrastructure
  Purpose: Underlying compute, storage, and networking
  Certifications: SOC 2 Type II, ISO 27001/27017/27018, FedRAMP, HIPAA
  Region: Configurable per tenant

Compliance documents

Pre-baked for your TPRM cycle.

Every document below is ready to go. Most require an NDA; legal review is days, not quarters.

  • SOC 2 Type II report: Under NDA, on request
  • Penetration test summary: Under NDA, on request
  • Sub-processor list (named): Under NDA, on request
  • BAA (HIPAA Business Associate Agreement): On request
  • DPA (Data Processing Addendum): On request
  • SIG / CAIQ questionnaire response: Pre-completed, on request
  • Security architecture diagram: Under NDA, on request
  • Incident response runbook: Under NDA, on request

Responsible disclosure

Found something? Tell us.

We treat every report seriously. Email security@covenantflow.ai with a description and reproduction steps. We acknowledge within 24 hours and will keep you updated through closure.

Researchers acting in good faith and within our policy will not face legal action. We thank you publicly (with your consent) and credit material findings in our security advisories.

In scope

  • app.covenantflow.ai (production application)
  • *.covenantflow.ai (any subdomain)
  • API endpoints and authentication flows
  • Edge functions (process-document, etc.)

Out of scope

  • Social engineering, phishing of staff
  • Physical attacks on Catalyze Labs offices
  • Denial-of-service or stress testing
  • Spam-only findings (missing rate limits on public forms)

Your TPRM team will love this.

Send us your security questionnaire. We have answers pre-prepared for SIG, CAIQ, and the long-form bank questionnaires. Most reviews close in days.

Email security@covenantflow.ai