The safest data is the data we never touch.
You are about to connect your customers' support history to a vendor you just met. Fair question: can you trust us with it? Our answer isn't a badge. It's the architecture. Read-only by construction, your own AI keys, embeddings computed on our own hardware, credentials encrypted at rest. Less trust required, not more.
The architecture is the security story.
Most security pages open with a wall of certification logos. We don't have those yet, and we won't pretend otherwise. What we have is a design where the risky things are either structurally impossible or kept out of our hands. Five decisions do most of the work.
Read-only by construction
In Shadow Mode, Cove connects to your Zendesk with a read-only API token. It reads tickets so it can draft against them. It cannot write, reply, close, tag, or change anything in your Zendesk. Drafts are never sent while you evaluate. This is not a policy we promise to honour. It is the access level the token grants. We literally cannot write to your helpdesk.
Your AI keys, your provider, your agreement
Cove runs no middleman AI model. Drafting and chat calls go to your own AI provider account (Anthropic, OpenAI, whichever you choose) using your own keys, under your own agreement with that provider. We add no AI markup and we do not train any model on your data. Your ticket content reaches exactly one AI provider: the one you already have a contract with.
Local embeddings. No third-party embedding API.
Retrieval needs embeddings. We compute them on our own infrastructure with an open-source model (MiniLM). Your ticket text is never shipped to a third-party embeddings service. The vectors that power search stay inside Cove.
Encrypted credentials at rest, TLS in transit
The credentials we do hold (a read-only Zendesk token in Shadow Mode; IMAP/SMTP or Gmail OAuth credentials in live mode; your AI provider keys) are encrypted at rest with Fernet, an AES-based symmetric scheme. TLS protects everything in transit. We hold few secrets, and the ones we hold are never stored in the clear.
Per-company isolation
Each customer's data is isolated at the application layer. One company's tickets, documents, and keys are never blended with another's. If your competitor down the street also runs Cove, their data and yours never meet.
/ 02
What we hold, and why.
Here is every category of data Cove touches on your behalf, why we touch it, and where it lives. No mystery columns.
There is no analytics, CRM, or advertising sub-processor on your ticket data. Your customers' personal data does not flow into a marketing tool. It goes to the servers that run Cove and, for drafting, to the one AI provider you designated.
/ 03
Retention & deletion.
Data you can't get rid of is a liability. So the defaults lean toward removal.
- Walk away from an evaluation and it's gone. If a pilot is declined or expires without converting, we purge the imported data within 30 days. You do not have to chase us for it.
- Delete anytime. While your account is active, you can ask us to delete your data at any point. That is a contractual commitment, not a support-ticket favour.
- On termination, exported then deleted. If you close a live account, your data is exported and then deleted within 60 days unless a legal hold applies, consistent with our Terms.
While your account is active we retain your data, because the product needs it to draft, cite, and thread. Retention is in service of the work, not a moat.
/ 04
The DPA.
If you are a UK or EU business, you are the data controller and CodeRock Ltd is your processor under UK/EU GDPR Article 28. That relationship belongs on paper before any of your real data moves.
We have a Data Processing Agreement ready to go. Read it, print it, countersign it. It is signed before any of your real customer data moves into Cove, not after.
A note on where we sit: CodeRock Ltd is registered in Jersey, which has its own Data Protection (Jersey) Law 2018 and holds an EU adequacy decision. Data can move to us from the UK and EU without extra transfer machinery.
/ 05
Sub-processors.
We keep this list short on purpose. The fewer parties that can see your data, the less there is to trust.
- Infrastructure / hosting provider — runs the dedicated servers Cove operates on.
- AI model providers, customer-designated. Because you bring your own keys, your drafting calls go to the provider you chose, under your own terms with them. Technically that is processing you direct, but we list it here for transparency anyway.
- No analytics, CRM, or advertising sub-processor ever touches your ticket data.
/ 06
We're small. That's the point.
We are not going to show you a SOC 2 seal we don't hold or an ISO number we haven't earned. Here is the honest version: Cove is a small, focused vendor, and its security comes from architecture, not from a compliance department.
The safest data is the data we never touch. Shadow Mode can't write to your systems. Your AI calls go to your own provider on your own keys. Your embeddings never leave our hardware. The credentials we hold are few and encrypted. That is less trust required of us, not more. When we do earn certifications, we will list them here with dates. Until then, read the DPA, run a read-only pilot, and judge us on what the software can and cannot do.
Questions a page can't answer? Email hello@covesupport.io or book a founder call. When you're ready, start with a read-only Shadow Mode pilot. Nothing writes, nothing sends, nothing leaves your provider.
Tell us about your stack.
Four fields. We reply within a working day, usually faster. We will not put you in a sales sequence; we will read what you wrote and write back.
Run by founders. Read by founders. Replied to by founders.