Covenant Help Center
Everything you need to run Covenant on your own — from adding your first vendor to interpreting an explainable risk score, sending a security questionnaire, tracking a HIPAA BAA, and signing in to the optional cloud tier. These pages are written to answer your question without contacting anyone.
What Covenant is, in one line: a local-first vendor / third-party risk management (TPRM) and HIPAA Business Associate Agreement (BAA) tracker that runs entirely in your browser. Know who you trust, prove it, watch them. No signup is needed and the free tier makes zero network calls.
Browse by topic
- Getting started: First run, the five tabs, loading the sample clinic portfolio, and the core flow end to end.
- Vendors & tiering: Add, edit, import, export and delete vendors; how Critical/High/Medium/Low tiering works.
- Security questionnaires: The four built-in templates, conditional questions, scoring, and risky-answer flags.
- Vendor email portal: The tokenized magic-link, the vendor's no-account fill flow, reminders, expiry, and importing the response.
- External posture scan: What is probed live via DNS vs deferred to the hosted runner, the SSRF guard, and per-finding evidence.
- Risk scoring: The explainable 0–100 composite, inherent vs residual, grades, and the factor table.
- BAA tracking: BAA lifecycle, §164.504(e) clause gap-check, subcontractors, the renewal calendar and the inventory CSV.
- Evidence attachments: SOC 2 / ISO / pen-test PDFs and the executed BAA document; storage, expiry, and the R2 boundary.
- Framework coverage: How vendor evidence maps to NIST SR, CMMC, HIPAA, SOC 2 and ISO 27001.
- Cloud & Pro: Opt-in sign-in, what syncs, publishing evidence, and the Pro/Team/MSP entitlements.
- Security & privacy: Local-first storage, the SSRF guard, no-secrets payloads, masked targets and the PHI boundary.
- Troubleshooting & FAQ: Expired links, deferred scans, uploads, offline sends, and the message reference.
New here? Read these three first
- Getting started — open the app and load the sample data so you have something to click.
- Risk scoring — understand the score before you change anything, so every move is intentional.
- BAA tracking — if you handle PHI, this is the wedge that keeps you audit-ready.
A note on labels. Some capabilities require the optional, signed-in cloud tier or a hosted backend that ships in a later wave. Throughout these docs we mark them clearly: free works offline with no account; cloud needs sign-in; deferred means the seam is wired but the live backend is not yet enabled, with a local stand-in so the flow still works. We never claim a deferred feature is live.