cove.tool uses Amazon Web Services (AWS) to host our application and data as they are the industry gold standard for security and reliability. In addition, we have also gone through an AWS Security Audit which tested for network and data vulnerabilities and implemented infrastructure improvements based on the findings. Also, we have the following best practices in place (the “Customer Responsibility” according to AWS) to keep our user's data secure:
Data is hosted behind a firewall and accessed directly by the server, not via a public URL.
All connections to and from the server encrypted with HTTPS.
Any cove.tool employee accessing the data must use two-factor authentication (2FA) and use HTTPS/SSL.
Database backups stored under the same encryption
Users can only access the data belonging to their firm
Users are required to verify their email address and all passwords are encrypted.
Best practices such as Cross Site Scripting and Request Forgery prevention and SQL injection prevention are in place to prevent unauthorized access to the application/data.
The cove.tool team has signed an NDA that covers user data. Each company in our platform has their data encrypted and siloed and there is no sharing of data between companies.
Even when we use machine learning on a cost optimization, we are only strictly analyzing options within that specific project, and we do not reference other projects even from the same firm. This is due to the fact that many of our customers are also government contractors in the US, Canada, and UK. For specific national security requirements, we can verify where the data on a project is stored to comply with any audits.
For government projects where location information cannot be shared, a user can put the project address as the closest airport to further anonymize it. They will need to upload any context buildings to the shading device layer. The project name can be set to a code name for an extra layer of anonymization.
Users have two options for logging into cove.tool: using their username/password or logging in using single sign-on (SSO) with their Microsoft credentials.
Using Plug-ins with SSO
For users who use SSO for authentication, the process for using the plugins is as follows:
Log into cove.tool using SSO (as detailed below)
Navigate to the user profile page (click "Hi username" in the top right corner and then select "Your Profile")
Scroll down to the bottom and copy the token in the "Plugin Authorization Token" field
In the plugin, when logging into the cove.tool, paste the token copied from the above step into the password field and use the email address associated with the SSO account as the email address.
Note that this token is only valid while logged into the application, and it changes each time a user logs into or out of the application for maximum security.
Before using SSO to log into cove.tool, the user's business must already have an account registered with cove.tool. This is typically achieved by an administrator (usually the person responsible for managing the plan or an IT administrator) registering an account with cove.tool (note that it is not necessary for all users on a plan to register an account with cove.tool prior to using SSO; only one initial account is necessary). The domain in the email address (located after the @ symbol) must match the domain associated with the Microsoft credentials that will be used for SSO.
Note that users who have been using cove.tool prior to the introduction of SSO should be able to use their Microsoft credentials to log in without further configuration (as long as the domain restriction mentioned above is satisfied).
To log in using SSO, navigate to the login page and click the "Sign in with Microsoft" button.
After clicking the "Sign in with Microsoft" button, users will be redirected to Microsoft to enter their credentials or will be prompted to select an account if they are already logged in to their Microsoft account. Note that these credentials are not shared with cove.tool; they are sent only to Microsoft.
Depending on how users' Microsoft accounts are configured, they may be presented with a screen requesting permissions (see attached image below). These are the permissions necessary for us to authenticate the user. After clicking "Accept", if the user is allowed to access the application, they will then be logged in and directed to their Project Dashboard or to fill out their profile (if they are a new user). For more information, visit https://help.covetool.com/en/articles/5409352-using-azure-active-directory-single-sign-on-sso.