Covinly moves money and handles compliance-critical documents. This page explains, in plain language, how we protect the data you trust us with — the infrastructure we run on, the controls we enforce, and how we respond when something goes wrong.
Where your data lives and how it travels.
Hosted on Vercel's edge network. Requests are served from North American and European regions via CDN, with automatic failover between regions.
PostgreSQL managed by Neon. Encrypted at rest, continuously replicated, with automatic daily backups and point-in-time recovery.
Uploaded documents are stored in Cloudflare R2 with AES-256 encryption at rest. Access is restricted to presigned URLs.
Cloudflare provides DDoS mitigation, bot management, and WAF rules at the edge before traffic reaches our application servers.
All data is encrypted in transit and at rest. Sensitive fields get an extra layer on top.
All API and browser traffic is encrypted with TLS 1.3. HTTPS is enforced and HSTS is enabled at the edge.
Every byte of customer data written to disk — database rows, object storage, and backups — is encrypted with AES-256.
Sensitive fields are encrypted with per-field keys on top of disk encryption: bank account numbers, routing numbers, TINs and EINs, and wire instructions.
Uploaded documents are served through presigned URLs that expire after one hour. Expired URLs cannot be replayed.
Proving you are who you say you are.
Primary authentication uses better-auth with email/password. Passwords are hashed with bcrypt — never stored in plain text.
Sessions are invalidated and re-issued when a password is changed, a role is modified, or a team membership is revoked.
TOTP-based 2FA is available for the vendor portal and can be required by account administrators.
Repeated failed login attempts trigger account lockout with exponential backoff. Locked accounts can be recovered via email verification.
Password reset links are signed with HMAC, scoped to a single account, and expire after a short window.
Every change to a financial record is recorded, hashed, and retained.
State changes on financial records (invoices, approvals, payments, waivers) are written to an append-only log with per-row and chain hashes (rowHash / chainHash) that make tampering detectable.
Audit and financial records are retained for seven years on partitioned storage. Older partitions are cold-stored but remain searchable.
Accounts and records can be placed on legal hold, which overrides normal retention and soft-delete rules until the hold is released.
Data Subject Request (DSR) workflows cover access, correction, deletion, and export. CCPA-compliant handling applies to residents of covered jurisdictions.
Catching problems before they reach you.
All application logs are structured (JSON) with request IDs, user IDs, and customer IDs for fast incident triage. PII is redacted at source.
External probes check availability of public endpoints continuously. On-call engineers are paged when checks fail.
Vendor behaviour is monitored for drift (sudden amount changes, routing-number swaps, velocity spikes). Suspicious patterns raise review alerts.
External integrations are wrapped in circuit breakers that open on error thresholds, fail gracefully, and retry with backoff.
If you find something, tell us. Here's what happens next.
Report security vulnerabilities to security@covinly.com. Please include reproduction steps and, if possible, a proof of concept. We will not pursue good-faith researchers.
Acknowledgement
Within 24 hours
Initial assessment
Within 72 hours
Customer notification
Within 72h of confirmed incident
Machine-readable disclosure details are published at /.well-known/security.txt.
We believe in being honest about what we have and what we're working toward.
SOC 2 Type II — audit in progress
We are currently undergoing our SOC 2 Type II audit with a planned report availability in Q3 2026. Until the report is final, we do not claim SOC 2 certification. Customers who need a security questionnaire or Data Processing Agreement can request one from security@covinly.com.
The subprocessors we depend on, and how we vet them.
Covinly uses a small, carefully chosen set of subprocessors for hosting, storage, AI, email, and payments. Every vendor is evaluated for security posture and compliance (GDPR/CCPA/SOC 2) before being added, and reviewed periodically after onboarding.
If you're evaluating Covinly for your organization and need a security review, DPA, or questionnaire, get in touch. We'll respond within one business day.
security@covinly.comProcess your first invoice in under 2 minutes. No setup, no templates, no training required.
Plans from $1,299/month