What a pack contains
Each evidence pack is generated from the live state of your gap analysis and includes:
- Gap analysis summary — every individual classified, their Section 250 status, governance coverage, and gap tier at the time of generation.
- Declaration statuses — for each individual sent a declaration: sent date, completion date (if submitted), or outstanding status.
- Audit log — a hash-chained append-only record of every material event (scope affirmation, classification, review, declaration sent/submitted). Embedded as an XML attachment inside the PDF.
- Methodology appendix — the evaluation snapshot, methodology version pinned at generation time, and disclosure of the AI classification process.
- Scope affirmation — the verbatim scope confirmation entered by your compliance officer before classification ran.
- Integrity metadata — SHA-256 hash of the final document bytes, recorded in the database at generation time and verifiable via the public verifier.
Format and tamper-evidence
Packs are generated in PDF/A-3B format (ISO 19005-3), which is the archival subset of PDF designed for long-term preservation. PDF/A-3B prohibits active content (JavaScript, encryption keys) and requires embedded metadata — making the document self-describing and stable for archive or disclosure.
Tamper-evidence works in two ways:
- Document hash: the SHA-256 hash of the PDF bytes is stored in the database at generation time. You can re-verify the file has not changed using the public verifier at
/verify/[firmId]/[hash]. - Audit chain: every event in the embedded audit log is hash-chained (each event references the hash of the previous event). Tampering with any single event breaks the chain, which is detectable from inside the file.
Admissibility note: CoverProof produces a contemporaneous, tamper-evident business record. Whether any particular pack is admissible in any particular proceeding is a question for the court on the facts — CoverProof does not and cannot guarantee admissibility. The pack is designed to support business-record admissibility under the Civil Evidence Act 1995 ss. 8–9; a solicitor familiar with the specific context should advise on its use in any proceedings.
When packs are generated
Packs are generated automatically when you complete a full classification-and-declaration cycle — specifically, after the last outstanding declaration is submitted or the cycle closes. You can also generate a pack on demand from the Board Evidence Packs page.
Prerequisite: a pack cannot be generated until a scope affirmation has been confirmed for the current SM&CR import. The scope affirmation gate ensures the pack’s covered-persons population is explicitly confirmed before any output is produced. If you see a “scope affirmation required” message, go to the gap analysis page and complete the affirmation step first.
See Scope affirmation — what it is and why it matters for details on what the affirmation covers.
What the pack is and is not
Important: Section 250 of the Crime and Policing Act 2026 is an attribution-of-liability provision — it does not require firms to produce declarations or evidence packs. CoverProof does not create or discharge any statutory obligation. The pack is a governance record and evidential mitigation; it is not a statutory defence, a regulatory safe harbour, or a guarantee of any outcome under Section 250.
You should treat the pack as one part of a broader governance response to Section 250. Your legal adviser or compliance counsel should review the pack and advise on how it fits within your firm’s regulatory posture.
Downloading and sharing the pack
Completed packs are available from the Board Evidence Packs dashboard. Each pack shows the generation date, the methodology version used, and a download button.
You can also share the board status summary with your board or senior leadership using the “Share board status” button. This generates a read-only summary link that does not expose individual classifications.
Related guides
- Declarations — how the cycle works
- Scope affirmation — what it is and why it matters
- FCA Register data — sources, freshness, and IRN handling
- Methodology — classification, review gates, and versioned evidence context
- Methodology FAQ — plain-English verifier and claim-gate answers
- Sample evidence pack — synthetic PDF/A-3B example
- Trust Centre — methodology, verifier, and evidence links