CoverProof

Data Processing Agreement

This is the standard template under which CoverProof (processor) handles personal data on behalf of a subscribing firm (controller). It forms part of our terms of service. To request a countersigned copy, email privacy@coverproof.co.uk.

Last updated: 27 May 2026

1. Roles and subject matter

The firm is the data controller and CoverProof is the data processor. CoverProof processes personal data only to provide the CoverProof service — SM&CR gap analysis, declaration cycles, counterparty requests, and board evidence packs — and only on the controller's documented instructions, including those given through the product.

2. Categories of data and data subjects

  • Data subjects: the controller's SM&CR-relevant individuals, declaration recipients, and counterparty contacts.
  • Personal data: names, work email addresses, job titles, FCA Individual Reference Numbers, regulatory function codes, gap-analysis results, and signed declaration responses.

3. Duration

CoverProof processes personal data for the duration of the subscription and the retention periods described in clause 8.

4. Confidentiality

CoverProof ensures that personnel authorised to process personal data are bound by confidentiality obligations.

5. Security measures

CoverProof implements appropriate technical and organisational measures, including database-enforced tenant isolation, encryption in transit and at rest, passwordless authentication, and an immutable audit trail. These are described on our Security page, which is incorporated by reference.

6. Sub-processors

The controller authorises the sub-processors listed on our Trust Centre. CoverProof imposes data-protection terms on each sub-processor no less protective than this agreement. CoverProof will give at least 14 days' advance notice before adding or replacing a sub-processor, giving the controller a reasonable opportunity to object.

7. Assisting the controller

CoverProof assists the controller in responding to data-subject rights requests and in meeting its security, breach-notification, and impact-assessment obligations. Firm administrators can export and erase data directly from the dashboard. CoverProof will notify the controller without undue delay after becoming aware of a personal data breach, and in any event within 72 hours of becoming aware of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons.

8. Return, deletion, and legally required retention

On termination, CoverProof deletes or returns personal data except where retention is required by law. Signed declarations and the immutable audit trail are retained as business-record evidence under UK GDPR Art. 17(3)(b)/(e) for the applicable statutory period, as explained in our Privacy Policy.

9. International transfers

Where personal data is transferred outside the UK, CoverProof relies on appropriate safeguards such as the UK International Data Transfer Agreement / Addendum or Standard Contractual Clauses.

10. Audits and governing law

CoverProof makes available information necessary to demonstrate compliance with this agreement. This agreement is governed by the law of England and Wales.

11. Regulatory audit access

Where the controller is subject to regulatory oversight (including by the FCA or PRA), CoverProof will cooperate with any audit, inspection, or information request made by the controller's regulator that relates to CoverProof's processing of personal data on the controller's behalf. CoverProof may satisfy an audit right by providing a current SOC 2 Type II report or equivalent third-party certification in lieu of an on-site inspection.