CoverProof

Procurement Bundle

Everything your IT and legal team needs to evaluate CoverProof — DDQ-style answers assembled from verified production facts, not marketing copy. Share this URL directly.

Last updated: 10 June 2026

Hosting and data residency

Source for every claim: Trust Centre sub-processor list. Contradictory copy on other marketing pages has been noted for correction.

| Question | Answer |
| --- | --- |
| Where is the application hosted? | Railway (United States). Railway provisions the Node.js application server and managed PostgreSQL database. |
| Where is primary data stored? | PostgreSQL managed by Railway. The database server is in the United States. |
| Where are evidence-pack PDFs stored? | Cloudflare R2 (configurable region — not yet restricted to EU/UK; the bucket jurisdiction has not been set to a specific region). PDFs are encrypted at rest. |
| What international-transfer safeguards apply? | Data transfers to US processors (Railway, Anthropic, Resend, Stripe) are covered by UK GDPR Chapter V safeguards (Standard Contractual Clauses or equivalent adequacy). Details in the Data Processing Agreement. |
| Is data available from within the UK or EEA? | The application is accessible from any jurisdiction. Data at rest resides in the United States. No EU/EEA-only storage option is currently offered. |

Sub-processors

Full list at /trust. We will notify existing customers before adding a new sub-processor.

| Sub-processor | Purpose | Location |
| --- | --- | --- |
| Railway | Application hosting and managed PostgreSQL database | United States |
| Cloudflare R2 | Encrypted PDF storage | Configurable region (not yet restricted) |
| Anthropic | AI gap-classification (Claude API). Only role-function text is sent — no IRNs, no personal data. | United States |
| Resend | Transactional email (magic-links, declaration invites, reminders) | United States |
| Stripe | Subscription billing and payment processing | United States / UK |
| PostHog | Consent-gated, IP-anonymised product analytics | European Union |

Access control and tenant isolation

| Question | Answer |
| --- | --- |
| How is tenant data isolated? | PostgreSQL Row-Level Security (RLS) with FORCE ROW LEVEL SECURITY on every business table. A database query can only return rows belonging to the authenticated firm — even a bug in application-layer filtering cannot expose another tenant's data. See /security for the full technical description. |
| What database role does the application use? | A dedicated coverproof_app role with NOSUPERUSER and NOBYPASSRLS. The superuser connection is kept separate for schema migrations only. |
| Is the audit log append-only? | Yes. The audit_events table grants UPDATE/DELETE to no role — only INSERT is permitted for the application role. Verified by production database inspection. |
| How is authentication handled? | Magic-link email + optional password, via Better Auth. Sessions are short-lived (httpOnly cookie). Multi-factor authentication is not yet supported. |
| Does CoverProof personnel have access to my firm's data? | Only for support purposes and only with explicit consent. No data is sold or used for model training. |
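
The script below is an added example, not CoverProof's own code: a scratch-database sketch of the isolation controls described in the table above, followed by the catalog queries a reviewer could ask a vendor to run as evidence. The role `coverproof_app` and the table `audit_events` are named on this page; the `declarations` table, the `firm_id` column, the `app.firm_id` setting and the `public` schema are assumptions.

```sql
-- Added example for a scratch PostgreSQL database; not CoverProof's schema.
-- Assumed: declarations table, firm_id column, app.firm_id setting, public schema.
CREATE ROLE coverproof_app LOGIN NOSUPERUSER NOBYPASSRLS;

CREATE TABLE declarations (
    id      bigserial PRIMARY KEY,
    firm_id uuid NOT NULL,
    body    text NOT NULL
);
CREATE TABLE audit_events (
    id         bigserial PRIMARY KEY,
    firm_id    uuid NOT NULL,
    event      text NOT NULL,
    created_at timestamptz NOT NULL DEFAULT now()
);

-- ENABLE turns policies on; FORCE also applies them to the table owner.
ALTER TABLE declarations ENABLE ROW LEVEL SECURITY;
ALTER TABLE declarations FORCE ROW LEVEL SECURITY;
ALTER TABLE audit_events ENABLE ROW LEVEL SECURITY;
ALTER TABLE audit_events FORCE ROW LEVEL SECURITY;

-- An unset app.firm_id raises an error, so a missing tenant context fails closed.
CREATE POLICY tenant_isolation ON declarations
    USING (firm_id = current_setting('app.firm_id')::uuid)
    WITH CHECK (firm_id = current_setting('app.firm_id')::uuid);
CREATE POLICY audit_append ON audit_events FOR INSERT
    WITH CHECK (firm_id = current_setting('app.firm_id')::uuid);

GRANT SELECT, INSERT, UPDATE, DELETE ON declarations TO coverproof_app;
GRANT INSERT ON audit_events TO coverproof_app;  -- no UPDATE, DELETE or SELECT
GRANT USAGE ON ALL SEQUENCES IN SCHEMA public TO coverproof_app;

-- Check 1: list tables lacking ENABLE or FORCE; any row returned is a finding.
SELECT c.relname, c.relrowsecurity, c.relforcerowsecurity
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE n.nspname = 'public' AND c.relkind IN ('r', 'p')
  AND NOT (c.relrowsecurity AND c.relforcerowsecurity);

-- Check 2: both flags must be false for the application-role claim to hold.
SELECT rolname, rolsuper, rolbypassrls
FROM pg_roles WHERE rolname = 'coverproof_app';

-- Check 3: INSERT should be the only one of these the application role holds.
SELECT has_table_privilege('coverproof_app', 'audit_events', 'INSERT')   AS can_insert,
       has_table_privilege('coverproof_app', 'audit_events', 'UPDATE')   AS can_update,
       has_table_privilege('coverproof_app', 'audit_events', 'DELETE')   AS can_delete,
       has_table_privilege('coverproof_app', 'audit_events', 'TRUNCATE') AS can_truncate;
```

Superusers bypass both grants and RLS, and TRUNCATE is not subject to row-level policies, so these checks describe the application role only; the separate migration connection needs its own review.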

AI use and boundaries

AI-assisted classification — constrained to a fixed verdict schema. Compliance officer review required before declarations.

| Question | Answer |
| --- | --- |
| What data is sent to Anthropic (Claude API)? | Only the individual's functional role description as submitted by the firm. FCA Individual Reference Numbers (IRNs), names, email addresses, and other personal data are not sent to the Claude API. |
| Is output deterministic? | Temperature is set to 0. The same input returns the same verdict. The methodology version is pinned and logged with every classification. |
| Is the AI output audited? | Yes. Every classification records the prompt, raw response, model ID, and methodology version in the database audit trail. |
| Can AI output be overridden? | Yes. A compliance officer must review every classification before declarations are sent. The platform enforces this workflow — it does not automate the send. |
| Is AI output used to train Anthropic models? | No. Anthropic's API terms prohibit training on customer API calls by default. CoverProof does not opt in to any model-improvement programme. |

Data retention

| Data type | Retention |
| --- | --- |
| Active subscription data (declarations, gap analyses, evidence packs) | Held for the duration of the subscription plus 30 days post-cancellation. |
| Data after cancellation (30-day window) | Accessible to export for 30 days after cancellation, then securely deleted. |
| Audit events | Retained for the life of the subscription. Append-only; cannot be modified or deleted by application code. |
| Evidence-pack PDFs (Cloudflare R2) | Retained for the subscription period. Deleted on account closure. |
| Analytics (PostHog) | Consent-gated, IP-anonymised. Retention follows PostHog's EU-hosted data policy. |

Full retention terms in the Data Processing Agreement and the Privacy Policy.

Certifications — current status, not a claim

CoverProof holds no third-party security certification today. The table below is a forward-looking roadmap. We do not display a badge we have not earned.

| Programme | Status |
| --- | --- |
| Cyber Essentials | Not started — no application submitted, no badge held. |
| Independent penetration test | Planned — not yet commissioned. |
| SOC 2 Type II | Roadmap — not started. |
| ISO/IEC 27001 | Roadmap — not started. |

Key documents for your team

To request a countersigned DPA or a custom security questionnaire response, email hello@coverproof.co.uk with “Procurement pack request” in the subject line.