How Covrabl protects customer and agency data — and an honest accounting of where we are.
All traffic between your browser and Covrabl is encrypted with TLS. Uploaded documents and policy data are encrypted at rest using AES-256 in Cloudflare R2 (object storage) and Postgres (Railway, managed). No customer data is stored on the frontend host.
Covrabl supports TOTP-based two-factor authentication on every account. Once enabled, sign-in requires both your password and a code from an authenticator app (Authy, 1Password, Google Authenticator, etc.). Recovery codes are issued at setup. Agency owners can require MFA across their team.
Customer data is never sold, rented, or shared with third parties for marketing or lead generation. Covrabl does not use customer data to train AI models. Aggregated, fully-anonymized analytics may be used internally to improve the product, never shared externally.
Significant actions on your account — sign-ins, document downloads, policy edits, share-link creation and revocation, agency-membership changes — are recorded in an audit log. Account owners and agency owners can review their log at any time. Coverage is expanding; gaps in events captured are tracked openly rather than glossed over.
When an insurance agency invites you onto Covrabl, your data is yours by default. The agency sees only the policies and reviews you choose to share with them — what they share with you, and what you actively share back. You can revoke an agency's access from your profile at any time; revocation takes effect immediately, and the agency cannot restore its own access.
Agencies (and their producers) see only clients explicitly assigned to them and only the policies those clients have chosen to share. Producer access can be scoped by their agency owner: who they can view, who they can edit, and which clients they can re-assign. All cross-agency access is logged.
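The access rules described above (a client must be explicitly assigned to the agency, the agency sees only policies that client has shared, each producer is further limited by the scope their agency owner set, and every decision is logged) can be written as a single deny-by-default authorization check. The following is an added illustration written for this page, not Covrabl's code: the data structures, identifiers and sample records are all assumed.

```python
"""Deny-by-default authorization model for agency / producer / client access.

Added example for this page; not Covrabl's implementation. All class names,
field layouts and sample ids below are assumed for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum


class Action(Enum):
    VIEW = "view"
    EDIT = "edit"
    REASSIGN = "reassign"


@dataclass
class ProducerScope:
    """Per-producer limits set by the agency owner: which clients the producer
    may view, edit, or re-assign (assumed structure)."""
    can_view: set
    can_edit: set
    can_reassign: set

    def allows(self, action, client_id):
        bucket = {Action.VIEW: self.can_view,
                  Action.EDIT: self.can_edit,
                  Action.REASSIGN: self.can_reassign}[action]
        return client_id in bucket


@dataclass
class AccessModel:
    assignments: dict   # agency_id -> set of client ids explicitly assigned to it
    shares: dict        # (client_id, agency_id) -> set of policy ids the client shares
    producers: dict     # producer_id -> (agency_id, ProducerScope)
    audit: list = field(default_factory=list)  # every decision lands here

    def _decide(self, producer_id, action, client_id, policy_id, allowed, reason):
        # Log allows and denies alike so the audit trail shows attempted access too.
        self.audit.append({"producer": producer_id, "action": action.value,
                           "client": client_id, "policy": policy_id,
                           "allowed": allowed, "reason": reason})
        return allowed

    def authorize(self, producer_id, action, client_id, policy_id=None):
        """Return True only if every layer of the model permits the access."""
        entry = self.producers.get(producer_id)
        if entry is None:
            return self._decide(producer_id, action, client_id, policy_id,
                                False, "unknown producer")
        agency_id, scope = entry
        # Layer 1: the client must be explicitly assigned to this agency.
        if client_id not in self.assignments.get(agency_id, set()):
            return self._decide(producer_id, action, client_id, policy_id,
                                False, "client not assigned to agency")
        # Layer 2: the client must have shared this specific policy with the agency.
        if policy_id is not None and \
                policy_id not in self.shares.get((client_id, agency_id), set()):
            return self._decide(producer_id, action, client_id, policy_id,
                                False, "policy not shared with agency")
        # Layer 3: the agency owner's per-producer scope must cover this action.
        if not scope.allows(action, client_id):
            return self._decide(producer_id, action, client_id, policy_id,
                                False, "outside producer scope")
        return self._decide(producer_id, action, client_id, policy_id, True, "ok")

    def visible_policies(self, producer_id, client_id):
        """Policies a producer can list for a client: the client's shares with the
        producer's agency, and only if the producer may view that client at all."""
        entry = self.producers.get(producer_id)
        if entry is None:
            return set()
        agency_id, scope = entry
        if client_id not in self.assignments.get(agency_id, set()):
            return set()
        if not scope.allows(Action.VIEW, client_id):
            return set()
        return set(self.shares.get((client_id, agency_id), set()))

    def revoke_agency(self, client_id, agency_id):
        """Client-initiated revocation: drops the assignment and all shares at once,
        so the next authorize() call for that pair is denied at layer 1."""
        self.assignments.get(agency_id, set()).discard(client_id)
        self.shares.pop((client_id, agency_id), None)
        self.audit.append({"event": "agency_access_revoked",
                           "client": client_id, "agency": agency_id})


def build_sample_model():
    """Constructed sample data: two agencies, two producers, three clients."""
    p1_scope = ProducerScope(can_view={"c1", "c2"}, can_edit={"c2"}, can_reassign=set())
    p2_scope = ProducerScope(can_view={"c3"}, can_edit=set(), can_reassign=set())
    return AccessModel(
        assignments={"agencyA": {"c1", "c2"}, "agencyB": {"c3"}},
        shares={("c1", "agencyA"): {"pol1"},
                ("c2", "agencyA"): {"pol2", "pol3"},
                ("c3", "agencyB"): {"pol4"}},
        producers={"p1": ("agencyA", p1_scope), "p2": ("agencyB", p2_scope)},
    )


if __name__ == "__main__":
    m = build_sample_model()
    print(m.authorize("p1", Action.VIEW, "c1", "pol1"))   # True
    print(m.authorize("p2", Action.VIEW, "c1", "pol1"))   # False: other agency
    m.revoke_agency("c1", "agencyA")
    print(m.authorize("p1", Action.VIEW, "c1", "pol1"))   # False after revocation
    for row in m.audit:
        print(row)
```

The ordering of the checks matters for what the audit log reveals: assignment is tested before sharing, so a producer from an unrelated agency is refused without the model ever consulting (or logging the existence of) that client's policies. Revocation removes both the assignment and the shares, which is why it cannot be undone from the agency side.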
Covrabl is hosted on Railway (US — application + database) and Vercel (global edge — frontend assets only). Object storage is Cloudflare R2. Source code is on GitHub. The complete list of services that may process customer data, with what data each one handles and where, is published openly.
Covrabl is not yet SOC 2 audited. We are working toward Type I when our customer base makes the audit ROI work. In the meantime: TLS in transit, AES-256 at rest, MFA available on every account, audit logging, no third-party data sales, and no use of customer data for AI training.
If you believe you have found a security vulnerability in Covrabl, please report it to security@covrabl.com. We acknowledge reports within two business days and will work with you on a fix and a coordinated disclosure timeline. We do not pursue legal action against researchers acting in good faith.
For non-security questions, contact support@covrabl.com or read the full Privacy Policy.