Security Questionnaire Answers
Honest answers to common SIG-lite / CAIQ-style security questions. Version 2026-06-10 v1. Entries marked "Not yet" are gaps we acknowledge — not omissions.
Last updated: 10 June 2026
This document is intended for IT security reviewers and procurement teams at firms evaluating CoverProof. It covers the most common question areas from SIG-lite, CAIQ, and standard IT due-diligence questionnaires. Answers are as of 2026-06-10 v1.
Status codes: Yes = in place and verified; Partial = partially implemented or compensating controls exist; Not yet = not currently in place (acknowledged honestly); N/A = not applicable to this deployment model.
For a single-page procurement summary, see the Procurement Bundle. For the full security controls narrative, see /security.
| Area | Question | Answer | Status |
|---|---|---|---|
| Certifications | Does the vendor hold Cyber Essentials or Cyber Essentials Plus? | No. No application has been submitted and no badge is held. Cyber Essentials is on our roadmap. | Not yet |
| Certifications | Does the vendor hold ISO/IEC 27001 certification? | Not yet. Roadmap item — not started. | Not yet |
| Certifications | Has the vendor completed a SOC 2 Type I or Type II audit? | Not yet. Roadmap item — not started. | Not yet |
| Certifications | Has an independent penetration test been conducted in the last 12 months? | Not yet. An independent pen test has not been commissioned. We plan to commission one; no date has been set. | Not yet |
| Governance | Does the vendor have a dedicated information security function or CISO? | Not yet. CoverProof is a single-founder company. Security responsibilities are held by the founder. No dedicated security FTE. | Not yet |
| Governance | Does the vendor have a documented Information Security Policy? | Partial. Security controls are documented at /security. A formal ISO-27001-style ISMS policy has not been drafted. | Partial |
| Governance | Does the vendor have a vulnerability disclosure / responsible disclosure programme? | Yes. Published at /responsible-disclosure. Includes safe harbour, contact method, and response SLO. | Yes |
| Governance | Is there a Business Continuity Plan (BCP) / Disaster Recovery (DR) plan? | Not yet. No formal BCP/DR document exists. Railway's managed Postgres includes daily automated backups with point-in-time recovery. The application is single-region; no failover region is configured. | Not yet |
| Access control | Does the vendor enforce multi-factor authentication (MFA) for staff access to production systems? | Partial. Production database access requires Railway account authentication; Railway itself supports MFA. Application-layer MFA for end-users is not yet supported. | Partial |
| Access control | Is production data access limited to least-privilege roles? | Yes. The application connects to production as a dedicated coverproof_app role with NOSUPERUSER and NOBYPASSRLS. Row-Level Security is enforced at the database level. The superuser connection is used only for schema migrations. | Yes |
| Access control | Are customer data rows isolated between tenants? | Yes. PostgreSQL Row-Level Security (RLS) with FORCE ROW LEVEL SECURITY on every business table. A query in one tenant context cannot return rows belonging to another tenant. Verified by production database inspection. | Yes |
| Access control | Do vendor staff have access to customer data? | Only for support purposes and only with explicit consent. No data is sold or used for model training. | Partial |
| Data & hosting | Where is customer data stored? | PostgreSQL managed by Railway. The database server is in the United States. No EU/EEA-only data residency option is currently offered. | Yes |
| Data & hosting | Is data encrypted at rest? | Yes. Railway's managed PostgreSQL encrypts volumes at rest. Cloudflare R2 (PDF storage) encrypts objects at rest. | Yes |
| Data & hosting | Is data encrypted in transit? | Yes. All traffic uses TLS 1.2 or higher. Railway enforces HTTPS. No plaintext API or database connections from the application. | Yes |
| Data & hosting | Are international data transfers covered by adequate safeguards under UK GDPR? | Yes. Transfers to US-based sub-processors (Railway, Anthropic, Resend, Stripe) are covered by UK GDPR Chapter V safeguards (SCCs or equivalent adequacy). See the Data Processing Agreement. | Yes |
| Data & hosting | Is the service single-region or multi-region? | Single-region (Railway, United States). No multi-region failover is configured. Availability depends on Railway's infrastructure. | Partial |
| Logging & audit | Does the vendor maintain an audit log of data access and changes? | Yes. Every declaration, gap analysis, evidence pack, and key user action is recorded in an append-only audit_events table. The application role has no UPDATE or DELETE privileges on this table. | Yes |
| Logging & audit | Are logs tamper-resistant? | Yes. The audit log is append-only at the database level (no UPDATE/DELETE privileges for the application role). Logs cannot be modified or deleted by application code. | Yes |
| Logging & audit | How long are logs retained? | Audit events are retained for the duration of the subscription. After account closure, they are deleted within 30 days alongside all other customer data. | Yes |
| Incident response | Does the vendor have a documented incident response procedure? | Partial. The responsible-disclosure policy covers security vulnerability reports. A formal internal incident response playbook has not been documented. | Partial |
| Incident response | Will the vendor notify customers of a data breach within 72 hours? | Yes. We will notify affected customers and the ICO within 72 hours of becoming aware of a personal data breach, in line with UK GDPR Art. 33/34 requirements. | Yes |
| Supply chain | Does the vendor maintain a sub-processor list? | Yes. Published at /trust. Includes Railway, Cloudflare R2, Anthropic, Resend, Stripe, PostHog. Customers are notified before a new sub-processor is added. | Yes |
| Supply chain | Has the vendor conducted security assessments of its sub-processors? | Partial. We rely on sub-processors' own published certifications (e.g. Cloudflare SOC 2, Stripe PCI DSS) rather than conducting independent assessments. | Partial |
| AI | Is customer data used to train AI models? | No. Customer data is not used to train Anthropic's models. Anthropic's API terms prohibit training on customer API calls by default. CoverProof does not opt in to any model-improvement programme. | Yes |
| AI | What customer data is sent to the AI provider? | Only the individual's functional role description as submitted by the firm. FCA Individual Reference Numbers (IRNs), names, email addresses, and other personal data are not sent to the Claude API. | Yes |
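As an added illustration of the database-level controls referenced in the Access control and Logging & audit rows (a least-privilege application role, FORCE ROW LEVEL SECURITY on business tables, and an append-only audit_events table), the following PostgreSQL DDL shows one way to configure those controls and the catalog queries a reviewer can run to verify them. This is example code written for this page, not CoverProof's own migration. The names coverproof_app and audit_events appear in the answers above; the database name, the declarations table and its columns, and the app.current_firm_id session setting are assumptions.

```sql
-- Added example, not CoverProof's migration. Names other than coverproof_app
-- and audit_events (database, declarations table, columns, session setting)
-- are assumed for illustration.

-- 1. Application role: can log in, cannot escalate, cannot bypass RLS.
CREATE ROLE coverproof_app LOGIN NOSUPERUSER NOBYPASSRLS NOCREATEDB NOCREATEROLE;
GRANT CONNECT ON DATABASE coverproof TO coverproof_app;
GRANT USAGE ON SCHEMA public TO coverproof_app;

-- 2. A tenant-scoped business table. Each row carries the owning firm.
CREATE TABLE declarations (
  id         bigserial PRIMARY KEY,
  firm_id    uuid NOT NULL,
  payload    jsonb NOT NULL,
  created_at timestamptz NOT NULL DEFAULT now()
);

-- ENABLE turns RLS on; FORCE makes the policy apply to the table owner too.
-- Without FORCE, the owner (often the migration role) silently bypasses RLS.
ALTER TABLE declarations ENABLE ROW LEVEL SECURITY;
ALTER TABLE declarations FORCE ROW LEVEL SECURITY;

-- Tenant identity comes from a session setting the application sets per
-- request. NULLIF guards against an empty value; a NULL comparison fails
-- the policy, so an unset context sees no rows rather than all rows.
CREATE POLICY tenant_isolation ON declarations
  USING      (firm_id = NULLIF(current_setting('app.current_firm_id', true), '')::uuid)
  WITH CHECK (firm_id = NULLIF(current_setting('app.current_firm_id', true), '')::uuid);

GRANT SELECT, INSERT, UPDATE, DELETE ON declarations TO coverproof_app;
GRANT USAGE ON SEQUENCE declarations_id_seq TO coverproof_app;

-- 3. Append-only audit table: the application role may read and insert only.
CREATE TABLE audit_events (
  id          bigserial PRIMARY KEY,
  firm_id     uuid NOT NULL,
  actor       text NOT NULL,
  action      text NOT NULL,
  occurred_at timestamptz NOT NULL DEFAULT now()
);
ALTER TABLE audit_events ENABLE ROW LEVEL SECURITY;
ALTER TABLE audit_events FORCE ROW LEVEL SECURITY;
CREATE POLICY audit_tenant ON audit_events
  USING      (firm_id = NULLIF(current_setting('app.current_firm_id', true), '')::uuid)
  WITH CHECK (firm_id = NULLIF(current_setting('app.current_firm_id', true), '')::uuid);

GRANT SELECT, INSERT ON audit_events TO coverproof_app;
REVOKE UPDATE, DELETE, TRUNCATE ON audit_events FROM coverproof_app;
GRANT USAGE ON SEQUENCE audit_events_id_seq TO coverproof_app;

-- 4. Verification queries a reviewer can run against the live database.
-- Role attributes: neither superuser nor RLS-bypass should be set.
SELECT rolname, rolsuper, rolbypassrls
FROM pg_roles
WHERE rolname = 'coverproof_app';

-- Both RLS flags should be set on every business table.
SELECT relname, relrowsecurity, relforcerowsecurity
FROM pg_class
WHERE relname IN ('declarations', 'audit_events');

-- Privileges actually granted on the audit table to the application role.
SELECT privilege_type
FROM information_schema.role_table_grants
WHERE grantee = 'coverproof_app' AND table_name = 'audit_events';

-- Cross-tenant check: run as the application role with firm A's context set,
-- then query for firm B's rows. The firm IDs below are constructed values.
SET ROLE coverproof_app;
SELECT set_config('app.current_firm_id', '11111111-1111-1111-1111-111111111111', false);
SELECT count(*) FROM declarations
WHERE firm_id = '22222222-2222-2222-2222-222222222222';
RESET ROLE;
```

When reviewing output, the role query should show rolsuper and rolbypassrls both false, the pg_class query should show relrowsecurity and relforcerowsecurity both true for each business table, the grants query should list only SELECT and INSERT for audit_events, and the cross-tenant count should be zero regardless of how many rows firm B actually holds. The sequence grants are needed because bigserial columns draw from an owned sequence; without USAGE on it, inserts by the application role fail even though the table grant is present.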
The following items are honestly marked "Not yet" above. We flag them here to make due diligence straightforward:
If any of these gaps are blockers for your procurement process, please email hello@coverproof.co.uk — we are happy to discuss compensating controls or your specific requirements.