Q: We need government projects to stay on servers of that country. For example, USA government projects would need to be on a server in the US. A project for the UK would need to stay on a server located in UK. Can cove.tool do this?
A: Like most other cloud-based AEC software, information is not stored in a particular geographic area. Analysis can be conducted so that all sensitive information is protected.
Our platform uses the highest security settings on Amazon Web Services (AWS) to host our application and data. AWS is the industry gold standard for security and reliability. Even the US Department of Defense (DoD) trusts AWS and is one of the cloud service's most notable clients. For the US market, AWS is FedRAMP Certified.
Although the location of the AWS servers is typically based on the country and region where the user is located, it is constantly shifted around for security and capacity optimization reasons. In the US, numerous AWS server sites allow for more stability, so it becomes unlikely your information will be stored anywhere else. When necessary, we can verify where the data on a project is stored to comply with any audits. Even other AEC industry tools such as Autodesk BIM 360 and Outlook do not store data locally but follow the same stringent security measures to guarantee cyber protection.
For those still uncertain, cove.tool has supported national security clients in the past and found ways to run analysis so that nothing sensitive was ever mentioned in the project. For example, in government projects where location information cannot be shared, a user can put the project address as the closest airport to further anonymize it. They will need to upload any context buildings to the shading device layer. The project name can be set to a code name for an extra layer of anonymization. Lastly, room and layout information can be left out altogether as it is not an essential part of early-stage energy analysis and benchmarking.
Even when we use machine learning on a cost optimization, we strictly analyze only the options within that specific project, and we do not reference other projects, even from the same firm.
Q: Does the cove.tool team have a non-disclosure agreement?
A: Yes, the cove.tool team has signed an NDA that covers user data. Each company on our platform has its data encrypted and siloed, and there is no sharing of data between companies.
In addition to hosting your app in the AWS cloud, we have also gone through an AWS Security Audit, which tested for network and data vulnerabilities, and implemented infrastructure improvements based on the findings. We also have the following best practices in place (the “Customer Responsibility” according to AWS) to keep our users' data secure:
Data is hosted behind a firewall and accessed directly by the server, not via a public URL.
All connections to and from the server are encrypted with HTTPS.
Any cove.tool employees accessing the data must use two-factor authentication (2FA) and use HTTPS/SSL.
Database backups are stored under the same encryption.
Users can only access the data belonging to their firm.
Users are required to verify their email addresses and all passwords are encrypted.
Best practices such as cross-site scripting (XSS) prevention, cross-site request forgery (CSRF) prevention, and SQL injection prevention are in place to prevent unauthorized access to the application and data.
Limited user, business, and project data is collected - see the full list here
If we missed anything, please reach out to your sales representative to set up a question and answer with our support and technology team.