Trust Centre
Everything a procurement or compliance team needs to evaluate CoverProof in one place — who we rely on, the terms we process your data under, and a candid view of our certification status.
Last updated: 27 May 2026
Everything a procurement or compliance team needs to evaluate CoverProof in one place — who we rely on, the terms we process your data under, and a candid view of our certification status.
Last updated: 27 May 2026
These are the third parties that process data to deliver CoverProof. We will update this list before adding a new sub-processor.
| Sub-processor | Purpose | Location |
|---|---|---|
| Railway | Application hosting and managed PostgreSQL database | United States |
| Cloudflare R2 | Encrypted storage of generated board evidence-pack PDFs | Configurable region |
| Anthropic | AI classification of SM&CR gap analysis (Claude API) | United States |
| Resend | Transactional email (magic-links, declaration invites, reminders) | United States |
| Stripe | Subscription billing and payment processing | United States / UK |
| PostHog | Consent-gated, IP-anonymised product analytics | European Union |
For firms (our controllers), our Data Processing Agreement sets out how we process personal data on your behalf, including security measures, sub-processor terms, and international-transfer safeguards. To request a countersigned copy for your records, email privacy@coverproof.co.uk.
We will not display a badge we have not earned. CoverProof holds no third-party security certification today. The following is a forward-looking roadmap, not a statement of current compliance:
| Programme | Status |
|---|---|
| Independent penetration test | Planned — not yet commissioned |
| SOC 2 Type II | Roadmap — not started |
| ISO/IEC 27001 | Roadmap — not started |