Security Policy

Last updated:

1. Overview

Covlant AI, Inc. takes the security of Customer Content seriously. This Security Policy describes the administrative, physical, and technical safeguards Covlant maintains to protect Customer Content against unauthorized access, disclosure, alteration, or destruction. This policy is incorporated by reference into the Covlant Master Cloud Services Agreement.

2. Infrastructure Security

Covlant hosts the Service on industry-leading cloud infrastructure providers (currently GCP) that maintain SOC 2 certification. On-premises hosting is also available.

  • All data in transit between Customer and the Service is encrypted using TLS 1.2 or higher

  • Production environments are logically separated from development and staging environments

  • Network access to production systems is restricted through firewalls, security groups, and private networking controls

  • Infrastructure is monitored continuously for anomalous activity, availability, and performance

3. Access Controls

Covlant enforces strict access control practices across its systems:

  • Access to production systems and Customer Content is granted on a need-to-know, least-privilege basis

  • All Covlant personnel with access to production systems are required to use multi-factor authentication (MFA)

  • Access privileges are reviewed periodically and revoked promptly upon employee offboarding or role change

  • Customer Content is not accessed by Covlant personnel except as necessary to provide the Service, deliver technical support, or comply with applicable law

  • All access to Customer Content by Covlant personnel is logged and auditable

4. Application Security

Covlant follows secure software development lifecycle (SDLC) practices, including:

  • Code reviews and security testing as part of the development process

  • Regular vulnerability scanning of application components and dependencies

  • Penetration testing conducted at least annually by qualified internal or third-party personnel

  • Prompt remediation of identified vulnerabilities based on severity, following industry-standard severity classifications (e.g., CVSS)

  • Customers must obtain Covlant's prior written consent before conducting their own penetration or security testing against the Service

5. Organizational Security

Covlant maintains the following organizational safeguards:

  • All employees and contractors with access to Customer systems or data are subject to confidentiality obligations

  • Security awareness training is provided to all relevant personnel upon onboarding and periodically thereafter

  • Covlant maintains and tests an incident response plan on a regular basis

  • Vendor and sub-processor relationships are subject to security due diligence and contractual data protection obligations

6. Subprocessors and Third-Party Services

Covlant may engage third-party subprocessors to operate certain components of the Service (such as cloud hosting, monitoring, or analytics). All subprocessors are evaluated for security posture and are contractually required to maintain safeguards no less protective than those described in this policy. A current list of Covlant's subprocessors is available upon request.

7. Security Incident Response

In the event of a confirmed security breach affecting Customer Content, Covlant will:

  1. Contain and investigate the incident promptly upon discovery

  2. Notify affected Customers without undue delay, and in any event within the timeframe required by applicable law

  3. Provide reasonable information about the nature of the breach, data affected, and remediation steps taken

  4. Cooperate with Customer's reasonable requests for information related to the incident

Customers who discover or suspect a security vulnerability or incident affecting the Service should report it immediately to legal@covlant.ai.

8. Business Continuity and Disaster Recovery

Covlant maintains backup and disaster recovery procedures designed to minimize data loss and service disruption in the event of a system failure. Customer Content is backed up regularly. Covlant tests its recovery procedures periodically to validate their effectiveness. Customers remain responsible for maintaining their own independent backups of Customer Content as set out in the Master Cloud Services Agreement.

9. Compliance

Covlant's security program is designed to align with the SOC 2 framework. Covlant will make available, upon Customer's reasonable written request and subject to confidentiality obligations, its SOC 2 report to support Customer's vendor due diligence processes.

10. Policy Updates

Covlant reviews and updates this Security Policy periodically to reflect changes in its practices, technology, or applicable legal requirements. Material updates will be communicated to Customers with reasonable prior notice. Continued use of the Service following notice of an update constitutes acceptance of the revised policy.

For security-related inquiries or to report a vulnerability, contact: legal@covlant.ai