Security — Cove Teams Inc.
Overview
Cove is built with industry-leading administrative, physical, and technical safeguards to protect Protected Health Information (PHI). Our platform follows HIPAA and HITECH requirements and is designed to support secure collaboration between therapists, clinics, and families.
We also offer a Business Associate Agreement (BAA) to all Covered Entities using Cove with PHI.
Administrative Safeguards
- HIPAA & HITECH Compliance: We follow all applicable requirements, including privacy, security, and breach notification rules.
- Business Associate Agreements (BAAs): Cove signs BAAs with clinics, group practices, and licensed providers who use the platform to create, store, or share PHI.
- Role-Based Access Control: Users only access the minimum necessary information required for their role (therapist, supervisor, parent/guardian).
- Staff Training: All Cove personnel with access to systems containing PHI complete ongoing HIPAA compliance and security training.
- Audit Logging: Access to PHI is logged and monitored to prevent unauthorized or inappropriate activity.
- Regular Risk Assessments: We perform periodic security reviews and vulnerability assessments to ensure safeguards remain effective.
Technical Safeguards
- Encryption In Transit: All data transmitted between users and our servers is encrypted using TLS 1.2+.
- Encryption At Rest: All stored PHI, including files, notes, and media, is encrypted using AES-256 standards.
- Secure Authentication: Strong password policies are enforced. Support for MFA (multi-factor authentication) is available.
- Device-Level Protection: Mobile data is stored in encrypted containers; no PHI is stored unencrypted on personal devices.
- Permissions & Restrictions: Therapists only see clients assigned to them. Parents only see their own child’s information. Administrative users have restricted access.
- Session Monitoring & Lockouts: Automatic timeouts and failed-attempt lockouts protect against unauthorized logins.
Physical Safeguards
- Secure Hosting Environment: Cove is hosted on HIPAA-ready cloud infrastructure with SOC 2 / ISO 27001 certified data centers.
- Firewalls & Intrusion Detection: Network protections include advanced firewalling, intrusion detection, and continuous monitoring.
- Redundancy & Backups: Encrypted backups and real-time data replication ensure availability and resiliency.
- Disaster Recovery: We maintain disaster recovery procedures to ensure continuity in case of an outage or regional failure.
Breach Notification Procedures
In the event of a data breach involving PHI, Cove will notify affected entities without unreasonable delay and in accordance with HIPAA Breach Notification Rules.
Subprocessors
Cove uses limited third-party service providers (e.g., secure cloud hosting, analytics) that are contractually obligated to maintain HIPAA-compliant safeguards and, where appropriate, sign BAAs with Cove.
A list of subprocessors can be provided upon request.
Questions?
We welcome questions from clinic administrators and compliance teams.
Contact: [email protected]
Last Updated: 12/2/2025