Under Submission – Experience with the COVID-19 response in some countries has shown that using smartphones to monitor citizens' whereabouts and health status can provide authorities with near real-time statistics on contacts, infections, and their circumstances at high spatio-temporal resolution. Due to the highly sensitive nature of such data, however, countries with more liberal traditions have deliberately and justifiably foregone this opportunity in favor of citizens' privacy. Instead, they have deployed more modest apps for decentralized risk notification, which have helped to some extent in breaking infection chains, but fall far short of providing health authorities with relevant analytics of personal data. The apparent tension between data analytics and individual citizen’s privacy is not inherent. In fact, the relevant analytics queries are statistical and do not (need to) reveal information about individuals. The problem is the lack of an analytics platform that citizens can trust with their sensitive personal data, to be used exclusively for specific analytics queries. CoVault aims to be such a platform. It uses a defense-in-depth approach based on a novel combination of secret-sharing, multiparty secure computation, and trusted execution environments. Subject to a strong threat model that allows the compromise of any one party, component, or secure hardware implementation as well as side channels, CoVault ensures that data cannot be used except by a specific set of analytics queries to which users have consented. CoVault’s security has its costs, but the tremendous benefits of such high-stakes analytics more than outweigh the cost.