Trust & Security

Your school owns its data. We process it on your behalf to provide the service and do not sell or share it.

Application data is hosted on infrastructure located in the United States with reputable cloud providers.

Admins can export their school's data at any time from Settings → Audit and the Reports section, and can request a full export by emailing privacy@covermate.app.

All connections to CoverMate are encrypted in transit using TLS 1.2 or higher. Data is encrypted at rest on managed cloud storage with industry-standard ciphers.

Staff sign in with Google or Microsoft single sign-on. Anonymous sign-ups are disabled, and admins control who can join the school via approved email domains or one-time invite links.

Enterprise customers can request SAML SSO. Contact sales@covermate.app for details.

Role-based access separates admins from staff. Staff only see their own duties and school directory. Admins can manage positions, schedule, and people for their school only.

All sensitive actions (creating duties, fulfilling coverage on behalf of others, removing users) are recorded in an admin-visible audit log.

CoverMate does not collect, process, or store student personally identifiable information. We deal exclusively with staff scheduling.

Our practices align with FERPA principles for the limited staff data we handle. COPPA does not apply because no information about students under 13 is collected.

We maintain point-in-time backups of customer data and test restoration regularly. Our target recovery point objective is under 24 hours; our target recovery time objective is under 8 hours.

CoverMate uses vetted subprocessors for cloud hosting, transactional email delivery, and payment processing. We maintain a current list available on request as part of a Data Processing Agreement.

We run automated security scans against our infrastructure and dependencies on a regular cadence and patch high/critical findings promptly.

Security researchers can responsibly disclose vulnerabilities to security@covermate.app. We respond within two business days.

In the event of a security incident affecting customer data, we notify impacted school admins via email without undue delay and provide details about the scope and remediation.

We follow industry best practices for SaaS security and are actively building toward formal SOC 2 attestation. We will publish certifications here as they are completed — we will not claim what we have not earned.