Security, Reliability, and Protecting Client Data

While our products and customer service are best-in-class, the backbone of our success is providing a safe and trustworthy platform to protect our customers, policyholders, and members.

Cowan leverages cloud providers that provide foundational security for our environment. These cloud providers help us ensure privacy, security, and compliance, and they have audited controls such as ISO 27001, CSA STAR, SOC 1 Type 2, SOC 2 Type 2, and SOC 3.

Above that, we leverage high-end cloud compliance and security tools and processes to ensure that our systems have high compliance scores and meet ever-evolving industry standards.

Successful completion of SOC 2 Type I Security Audit

In August 2023, Cowan received an independent service auditors' report confirming that information security controls were suitably designed to meet the SOC 2 Type I standards as of June 30, 2023. We are now working to attain SOC 2 Type II for the period July 1 to December 31, 2023.

Cowan is committed to the SOC 2 security designation, which provides extra assurance to our clients and business partners that we meet their stringent security requirements.

SOC 2 (Systems and Organization Controls) is a security standard for service organizations that certifies our company's commitment to the protection and privacy of our clients' data.  The American Institute of Certified Public Accountants (AICPA) developed the SOC 2 standards, and independent AICPA-certified auditors assess companies to those standards.

www.aicpa.org/soc4so

Data Centre and Office Protections

Physical Security

  • Our products are hosted in Microsoft Azure in Canada which maintains SOC 1 Type 2, SOC 2 Type 2, SOC 3, CSA STAR, and ISO 27001 certifications, among others. The certified protections include dedicated security staff, strictly managed physical access control, and video surveillance.
  • To protect against unauthorized access to our offices, we utilize Two-Factor Authentication (2FA) at each entry door.
  • Access to critical infrastructure within our offices is also controlled with Two-Factor Authentication.

Security Assurance

Vulnerability Assessment

We test for potential vulnerabilities on a recurring basis. We run static code analysis, and infrastructure vulnerability scans.

Penetration Testing

Cowan leverages third party penetration testing firms on an annual basis to test our systems and infrastructure.

Third Party Vendor Assessments

We regularly conduct security risk assessments of our vendors, and our platform continually monitors them for new Business and Cyber risks that come to light over time.

Employee Training and Testing

Cowan employees must complete annual security awareness training and we regularly conduct simulated campaigns (e.g., phishing emails) to ensure that employees can practice what they’ve learned in the awareness training.

Frequently Asked Questions

System Reliability

Q. How does Cowan make its system reliable and resilient?

A. We build our software platform so that it is available and accessible in a variety of disaster scenarios. Every service also has a corresponding test environment where changes are deployed before they are migrated to production.

Q. Are services always available?

A. Our goal is that you can always access your account. There are times when services will be unavailable due to planned maintenance or due to a component failure. In such cases, our staff are paged as soon as the failure is detected and work to make sure the service is back up in the shortest possible time.

Q. How do we make sure outages due to component failures do not reoccur?

A. When an outage or significant failure occurs, Cowan’s primary goal is to get the service up and available to customers. After the issue has been resolved, the team that owns the affected service holds a formal review of the incident to determine the root cause of the event and to develop a list of immediate action items to make sure this event, and other events like this one, do not re-occur.

If additional details on our cloud infrastructure are needed, please contact your Cowan Account Executive.

 

Data Safety

Q. Is my data safe? 

A. Our platform uses a variety of datastores to store data and ensure data safety. Each datastore is architected using best practices for data safety and recovery. Cowan’s applications are hosted with Microsoft Azure. Data is replicated three times within the same server, and then replicated to a second data center. If a server in one data center fails, the processing is switched to a replica server in another regional data center with minimal service interruptions.  Cowan also maintains backups that are geo-replicated to another regional data centre.

Q. Is my data secure?

A. All communications between a web client and Cowan systems are protected using TLS (1.2) protocol encryption using 2048 bit keys. To prevent unauthorized access, our employees use Two-Factor Authentication to access our systems. Data is encrypted at rest to help protect against unauthorized access.

 

Recoverability and Reliance

Q. Where is our data stored? 

A. Cowan’s data is primarily stored in the Azure Canada Central region. A critical subset of data is also replicated and backed up to the Azure Canada Eastern region.

Q. How do we ensure all data is backed up and can be restored in case of a disaster?

A. Our disaster recovery strategy uses a combination of snapshots of data, replication to a second region, and backups to ensure that there are multiple copies of data available to be restored. Snapshots are designed to provide a quick recovery mechanism where the recovery can happen in minutes. Full backups are used when snapshots are not available to recover the data.

Q. What does Cowan do to monitor its systems?

A. Operations and engineering teams use industry-leading tools and instrumentation of services to monitor and analyze the behavior of our platform. Metrics from services and our cloud infrastructure are fed into an alerting framework. For security monitoring, we have a 24/7 Managed Detection and Response service that has documented procedures in place to alert appropriate staff and escalate as needed.

Q. How does Cowan let its customers know and keep them updated?

A. If we find issues that might affect your ability to use our services, we will inform you right away via web site postings and/or email.