Security and data protection

Organizational security

All our employees and external contractors sign confidentiality agreements before gaining access to our code and data. Everybody at Coview is trained and made aware of security concerns, as well as being committed to data secrecy.

Access control

Access to the servers is strictly limited to a select group of verified persons who need access for their day to day work. Remote connections are established either through a secure tunnel or a portal protected by two-factor authentication. The system captures activity in auditable logs.

Customer data

Keeping customer data safe is a top priority for Coview. We acknowledge our responsibility and work hard to shield you from the latest threats. We treat your data with the same care we treat our own sensitive information.


Communication between you and us is encrypted in transit. We use a verified certificate and support strong cipher suites.


Your data is split into standalone chunks and written to multiple disk locations while being backed up daily. Both data records and backups are encrypted. Account passwords are hashed and salted using the bcrypt algorithm.

Deletion and export

When you cancel your account, all your content will become inaccessible immediately. After 30 days, the information can not be recovered as it will be permanently deleted from our servers.

User data

We are not a spying tool. On the contrary, your website visitors get privacy by default with Coview. We only collect data required for the service to function properly - and only after direct interaction with the Coview widget.

Data Masking

As a matter of fact, you are in control of what’s being sent to our servers from users’ devices when they are using features like screenshot or co-browsing. Any text content could be marked as forbidden for transfer. Passwords are never transmitted.


We also comply with EU GDPR policy. You can offer extended data protection to your users by enabling GDPR consent in your project’s settings.


We run the service on state-of-the-art Google Cloud infrastructure. Our chosen data center is located in Frankfurt a.M., Germany and has multi-layered protection on both physical and digital levels.

Our product receives rigorous care when it comes to security and privacy:

  • We apply the latest security patches;
  • We give special consideration to potential vulnerabilities (XSS, CSRF, etc.) when introducing changes to the source code;
  • We use modern authentication mechanisms, including two-factor methods;
  • We monitor suspicious activity;
  • We offer continuous customer support.


The wIdget script doesn’t affect your page load time in a negative way - the compressed code weighs about 10kB, and the browser loads it in a non-blocking way from our CDN. Once ready, the snippet stays put until a user interacts with the widget.

Session access

The widget’s access is strictly restricted to a single tab and the current domain. Users always have to grant their permission for initiating a session. We are using JWT cookies to authenticate session participants.

Agent back office

To show an agent what a user is seeing at the moment, we replicate the page in a sandboxed iframe which has only the most essential privileges. Sandboxing and tight restrictions on framed content mitigates many risks (beyond what is already possible with Content Security Policy) associated with the inclusion of third-party content, one of the most dangerous being the injection of malicious code.

Production sign-off

We have a clear separation between production and test environments. Before updating production systems, changes to the source code are thoroughly tested (automated test suites, as well as manual QA), reviewed by qualified engineering peers and pushed through CI and CD pipelines. These efforts help to reduce surface area for bugs, attest that everything works as intended and keep our development efforts aligned with industry best practices.


Integrations with other applications, such as Intercom, are all opt-in and authenticate via OAuth or other applicable mechanisms required by the third party application.


When you pay for Coview, we ask for your credit card and billing address - so we can charge you for the service and send you invoices. Your credit card data is passed straight to our PCI DSS compliant payment processor (Stripe) and never touches our servers.

To maintain account history and support billing, we use what Stripe allows us to see - that is, only a record of the payment transaction along with the last 4 digits of the credit card number.

Incident management

No online system is completely invincible, and no one can guarantee 100% availability. We are aware of potential risks and are prepared to take action. We stick to robust internal procedures in the event of an incident. If your account is affected, we would notify you and work together until the point of resolution.

Law enforcement

Coview won’t share your data with law enforcement unless they have a valid court order. We’ll always inform you about such requests as long as we aren’t legally prevented from it.