Data Processing Agreement

This is the standard template under which CoverProof (processor) handles personal data on behalf of a subscribing firm (controller). It forms part of our terms of service. To request a countersigned copy, email privacy@coverproof.co.uk.

Last updated: 27 May 2026

1. Roles and subject matter

The firm is the data controller and CoverProof is the data processor. CoverProof processes personal data only to provide the CoverProof service — SM&CR gap analysis, declaration cycles, counterparty requests, and board evidence packs — and only on the controller's documented instructions, including those given through the product.

2. Categories of data and data subjects

  • Data subjects: the controller's SM&CR-relevant individuals, declaration recipients, and counterparty contacts.
  • Personal data: names, work email addresses, job titles, FCA Individual Reference Numbers, regulatory function codes, gap-analysis results, and signed declaration responses.

3. Duration

CoverProof processes personal data for the duration of the subscription and for the retention periods described in clause 8.

4. Confidentiality

CoverProof ensures that personnel authorised to process personal data are bound by confidentiality obligations.

5. Security measures

CoverProof implements appropriate technical and organisational measures, including database-enforced tenant isolation, encryption in transit and at rest, passwordless authentication, and an immutable audit trail. These are described on our Security page, which is incorporated by reference.

6. Sub-processors

The controller authorises the sub-processors listed on our Trust Centre. CoverProof imposes data-protection terms on each sub-processor no less protective than this agreement and will give notice before adding a new sub-processor.

7. Assisting the controller

CoverProof assists the controller in responding to data-subject rights requests and in meeting its security, breach-notification, and impact-assessment obligations. Firm administrators can export and erase data directly from the dashboard; CoverProof will notify the controller without undue delay after becoming aware of a personal-data breach.

8. Return, deletion, and legally required retention

On termination, CoverProof deletes or returns personal data except where retention is required by law. Signed declarations and the immutable audit trail are retained as court-admissible evidence under UK GDPR Art. 17(3)(b)/(e) for the applicable statutory period, as explained in our Privacy Policy.

9. International transfers

Where personal data is transferred outside the UK, CoverProof relies on appropriate safeguards such as the UK International Data Transfer Agreement / Addendum or Standard Contractual Clauses.

10. Audits and governing law

CoverProof makes available information necessary to demonstrate compliance with this agreement. This agreement is governed by the law of England and Wales.