CoverProof
Help / Declarations

Declarations — how the cycle works

Declaration requests are emailed to each confirmed gap individual. They complete a short form on a secure page. This guide explains the full cycle: sending, statuses, what signing means, and what happens to the data.

How declaration requests are sent

When you trigger a declaration (either individually or using “Trigger All Declarations”), CoverProof sends an email to the individual’s email address from your uploaded register. Each email contains a unique, single-use link for that individual.

The link opens a secure declaration form on CoverProof’s declarations service. No account or password is required — the link is the access control. Links expire 30 days after they are issued.

Microsoft 365 Safe Links: If your firm uses M365, automated email security scanners may pre-fetch links. CoverProof’s declaration form requires an explicit “Continue” click before the form opens — scanner pre-fetches are a GET request and do not trigger the form, so the link is not consumed by security software.

What recipients see

When a recipient clicks the link and confirms access, they see a short declaration form pre-populated with:

  • Their name (from your uploaded register)
  • Their job title (if provided in the register)
  • Your firm’s name
  • The date the declaration was issued

The form asks them to confirm their name and tick a declaration checkbox. They can also choose to decline, in which case a decline record is created in the audit trail.

For the recipient-facing FAQ — including questions about what the request is, who sent it, and what completing it means — see I received a CoverProof request — is this legitimate?

What the statuses mean

Pending

The declaration request has been sent and the link has not yet been used. The individual has 30 days from the issue date to complete it.

Submitted

The individual has completed the declaration form and submitted it. The submission timestamp and their confirmed name are recorded in the audit trail.

Expired

The 30-day window has passed without submission. The link is now inactive. You should re-trigger the declaration to issue a new link with a fresh 30-day window.

Bounced

The email could not be delivered — the address may be incorrect, the mailbox full, or the domain rejecting mail. Check the email address in your register and re-trigger after correcting it.

Declined

The individual opened the form and chose to decline. A decline record is created in the audit trail. Contact the individual directly to understand their objection; you may need to re-trigger after resolving it.

What signing the declaration means

Completing the CoverProof declaration form is a simple electronic signature (SES) under the eIDAS Regulation and the Electronic Communications Act 2000. The individual confirms their name, ticks a declaration checkbox, and submits the form. Their IP address, browser fingerprint, and the submission timestamp are recorded.

A SES is the lowest level of electronic signature under eIDAS. It indicates that a person submitted the form, but does not carry the same evidentiary weight as an advanced or qualified electronic signature. The declaration is evidence that you requested and received a governance acknowledgement — it is not a statutory declaration in the legal sense, and it is not a guarantee of any regulatory outcome.

Important: The declaration cycle is governance evidence — it documents that the firm identified its Section 250 population and sought acknowledgement. It does not constitute a legal defence to any prosecution and does not create a contractual obligation on the individual. Whether any particular declaration is admissible in any particular proceeding depends on the facts and is a matter for the court.

CoverProof records, for each submitted declaration: the individual’s confirmed name, the submission timestamp (UTC), the issuing firm, the methodology version used for classification, and the full audit trail of link-issued, link-opened, and form-submitted events. This record is included in the board evidence pack.

Chasing outstanding declarations

On the Declarations page you can re-trigger a declaration for any individual whose status is Pending, Expired, or Bounced. This issues a new email with a new 30-day link. Previous link records remain in the audit trail; the new link is an additional issuance, not a replacement.

The RAG (Red–Amber–Green) banners on the Declarations page surface individuals requiring urgent attention:

  • Amber: submission window closes within 30 days — review whether a reminder is needed.
  • Red: declaration has expired or bounced — re-trigger required.

Data handling and retention

Declaration data — including individual names, email addresses, submission records, and audit events — is held on CoverProof’s servers. Data is tenant-scoped: your firm’s data is isolated from other firms’ data at the database level.

Individuals’ personal data is processed on the basis of your firm’s legitimate interest in maintaining Section 250 governance records. The declaration link contains a unique token but no other personal data. CoverProof’s privacy policy governs retention periods and data subject rights.

← Back to Help Centre