CoverTree uses subservice organizations to provide application maintenance and support services. Complementary subservice organization controls that are suitably designed and operating effectively are necessary, along with controls at CoverTree, to achieve CoverTree’s service commitments and system requirements based on the applicable trust services criteria. CoverTree’s controls, the applicable trust services criteria, and the types of complementary subservice organization controls are assumed in the design of CoverTree’s controls.
The controls are suitably designed to provide reasonable assurance that CoverTree’s service commitments and system requirements would be achieved based on the applicable trust services criteria if its controls operated effectively, and if the subservice organization and user entities applied the complementary controls assumed in the design of CoverTree’s controls.
The controls operated effectively to provide reasonable assurance that CoverTree’s service commitments and system requirements were achieved based on the applicable trust services criteria if complementary subservice organization controls and complementary user entity controls assumed in the design of CoverTree’s controls operated effectively.
Security commitments to user entities are documented and communicated in the privacy policy, terms of use, and other customer agreements, as well as in the description of the service offering provided online. Security commitments are standardized and include, but are not limited to, the following:
CoverTree policies ensure the Principle of Least Privilege. Security principles within the fundamental designs of the CoverTree applications are designed to permit system users to access the information they need based on their role in the system while restricting them from accessing information not needed for their role.
CoverTree policies classify information into various kinds depending on its level of confidentiality and sensitivity. Controls for the acquisition, processing, storage, retention, and archival of the information are well-defined per classification level within CoverTree’s security policies.
Appropriate monitoring and observability are implemented within the CoverTree systems to identify and report any issues and incidents.
Regular vulnerability scanning is performed to ensure our systems are protected from any defects leading to potential security issues.
Use of encryption technologies to protect customer data both at rest and in transit.
CoverTree establishes operational requirements that support the achievement of security commitments, relevant laws and regulations, and other system requirements. Such requirements are communicated in CoverTree’s system policies and procedures, system design documentation, and contracts with customers. Information security policies define an organization-wide approach to how systems and data are protected. These include policies around how the service is designed and developed, how the system is operated, how the internal business systems and networks are managed, and how employees are hired and trained. In addition to these policies, standard operating procedures have been documented on how to carry out specific manual and automated processes required in the operation and development of CoverTree’s software systems.
For live monitoring of our security aspects, visit CoverTree’s Trust Monitor.