September 25, 2025

Security and Data Stewardship at CovenantIQ

Lenders working with middle-market borrowers on cash-flow-based loans depend on accurate, timely financial data to monitor health and ensure compliance. Yet the traditional ways of sharing this information (emailing spreadsheets, uploading to Dropbox, or stashing files in SharePoint folders) are no longer adequate. Once financial data leaves a company’s digital boundaries, the organization loses direct oversight. This creates real risks: lack of visibility into who has access, uncontrolled sharing beyond the intended audience, and no ability to expire or revoke files once they are sent. These gaps not only create inefficiencies but also fall short of the security standards regulators and institutions expect.

At CovenantIQ (CIQ), we’ve built our platform from the ground up with one goal in mind: to give lenders and borrowers confidence that sensitive data is handled securely and responsibly, while still making collaboration simple. In this blog article, we wanted to give those interested in upping their loan monitoring game a glimpse into how our platform helps and what our engineers think about daily.

Borrowers Stay in Control

As part of the loan agreement and reporting requirements, borrowers are responsible for sharing financial data with their lenders. CIQ makes this process simple and collaborative, ensuring both sides stay on the same page without friction. One of our guiding principles is that borrowers remain in charge of their own data. They decide when to make their financial information visible, and our publishing workflows give them the final say on when their lender can see results. This transparency keeps the process balanced rather than one-sided, ensuring borrowers never feel like they are handing over control to a “black box.”

For lenders, once data is published, it becomes immediately accessible through the CIQ user interface. Dashboards and reports highlight key financial statements and covenant performance, making it easy to see whether requirements are being met. Notifications alert analysts when new data is available, and clear UI indicators show whether thresholds and trends are on track or at risk. This gives lenders timely insight into borrower health without digging through spreadsheets or chasing down files.

At the same time, lenders are not limited to the user interface. Any published data can also be exported through APIs, providing full portability and integration into downstream systems. This ensures the information lenders rely on is accurate, deliberate, and fully attested.

Thoughtful Access and Permissions

Just as important as getting data into the system is making sure it is only seen by the right people. CIQ uses a fine-grained authorization model that maps individual actions into broader roles like lender administrator, lender analyst, or borrower administrator. We rely on modern tools like Envoy and Open Policy Agent to enforce rules at the API and method level, so access is always precise and auditable.
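As an added illustration of the role-based enforcement described above (not CovenantIQ's own policy), the following OPA Rego policy is written in the input shape the OPA-Envoy ext_authz plugin evaluates. The three role names are the page's; the permission sets, API paths and the x-user-roles header are assumptions.

```rego
# Evaluated by the opa-envoy-plugin; input.attributes.request.http carries
# the method, path and headers of the request Envoy is authorizing.
package envoy.authz

import rego.v1

default allow := false

# Role names are from the page; the permission sets are assumed.
role_permissions := {
	"lender_administrator": {"financials:read", "users:manage"},
	"lender_analyst": {"financials:read"},
	"borrower_administrator": {"financials:upload", "financials:publish"},
}

req := input.attributes.request.http

# Map each API method and path (assumed paths) to one named action.
# A request that matches no rule has no action and is denied by default.
action := "financials:read" if {
	req.method == "GET"
	startswith(req.path, "/api/v1/financials")
}

action := "financials:upload" if {
	req.method == "POST"
	req.path == "/api/v1/financials/upload"
}

action := "financials:publish" if {
	req.method == "POST"
	req.path == "/api/v1/financials/publish"
}

action := "users:manage" if {
	req.method in {"POST", "PUT", "DELETE"}
	startswith(req.path, "/api/v1/users")
}

# Assumed: an upstream filter has already authenticated the caller and
# forwards its roles as a comma-separated x-user-roles header. A missing
# header leaves roles undefined, so allow stays false.
roles := split(req.headers["x-user-roles"], ",")

# Allow only when one of the caller's roles carries the mapped action.
allow if {
	some role in roles
	action in role_permissions[role]
}
```

Because every decision is a single boolean keyed on a named action, the same policy gives an audit log entry that records which role and which action permitted each request.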

This approach means analysts don’t need to take shortcuts. No more saving sensitive spreadsheets to their laptops just to get the job done. Everything happens within a secure, role-based environment designed to protect both lenders and borrowers.

Secure and Flexible Data Onboarding

Every borrower has different workflows and comfort levels, so we provide multiple secure ways to bring financial data into CIQ. Some borrowers upload reports directly through our web interface, others prefer automated transfers using SFTP or S3, and the easiest option is a direct connection to accounting systems (e.g. QuickBooks via OAuth 2.0).

No matter which method is used, the principle remains the same: data flows straight into our platform (encrypted both in transit and at rest) and never through email attachments or unsecured devices. This eliminates the risk of misplaced files and ensures information is always available in a secure, auditable environment.

A Foundation of Security

Security is not an optional feature in our world; it is a fundamental requirement. CIQ has enlisted an independent auditor to validate the product for SOC 2 Type II certification. This will certify that our controls are both well-designed and consistently operating over time. It reflects our commitment to protecting sensitive information through practices such as strong encryption, robust access controls, continuous monitoring, and structured vulnerability management.

We rely on Vanta as our central compliance repository and monitoring tool, giving us real-time visibility into our controls and ensuring nothing falls through the cracks. In addition, all code pushed through GitHub is automatically scanned for vulnerabilities, with remediation tracked until completion. These measures, paired with regular security reviews and ongoing employee training, keep our environment strong, resilient, and responsive.

We separate infrastructure access management from our deployment automation. This ensures that production environments are provisioned and maintained without human intervention, reducing the risk of error or malice. Humans do not need direct access to production, eliminating one of the most common security risks.

Finally, we recognize the sensitivity of the financial information we process. We collect only what is required for monitoring the loan, secure it according to strict controls, and limit access to a need-to-know basis. For lenders, this translates into peace of mind. You can rely on CIQ to safeguard financial data with the same rigor you expect across the broader financial ecosystem.

Built on Best Practices

Our platform runs on Amazon Web Services (AWS), the same infrastructure trusted by banks, regulators, and financial institutions around the world. We align with AWS best practices to ensure security, resilience, compliance, and data privacy. For example, all production access requires multi-factor authentication, with privileged access to firewalls and encryption keys limited only to those with a business need. We run vulnerability scans through Vanta, track remediation in Jira, and perform penetration testing to validate and strengthen our defenses. Our documented incident response plan is tested each year through tabletop exercises, ensuring we are ready to detect, contain, and resolve issues if they arise.

Just as important, AWS provides the scale lenders expect. Built-in redundancy across regions and availability zones, strong disaster recovery options, and high uptime ensure we can reliably handle large volumes of financial data. On top of that, CIQ adds automated disaster recovery processes, including regular backups, secure data export, and full system recovery capabilities. We also maintain alerting on unusual behavior in AWS and logging of application and system errors, so potential issues are identified and resolved before they can affect lenders or borrowers. Combined with CIQ’s layered design, the result is a platform that is both robust and familiar to the financial services industry.

Why It Matters

The result is a platform lenders can trust. Sensitive borrower data is protected, compliance expectations are met, and collaboration becomes easier, not harder. Borrowers know they are in control of when and how their data is shared, while lenders gain timely access to accurate information. By raising the bar on security, we actually lower the barriers to collaboration. Lenders and borrowers can work together with confidence, without the friction of outdated tools or risky workarounds.

CovenantIQ combines the discipline of SOC 2-certified controls, the reliability of AWS best practices, continuous compliance monitoring through Vanta, separation of human access from automation, and modern cloud design to deliver one thing above all: trust. And in cash-flow-based lending, trust is the foundation of every relationship. With CIQ, lenders don’t just reduce risk; they gain a secure and scalable platform built to support stronger partnerships and better lending decisions for years to come.
