Privacy Policy & DPA


We are committed to protecting and respecting privacy. This Privacy Policy should be read in conjunction with our Terms and Conditions and applies to your use of our Service and Site. The same definitions apply.

This Privacy Policy has two sections. Part A relates to your own personal data submitted to us in the course of our business, including your use of our Site and Services, which we decide how to process (i.e. where we are the Data Controller). Part B (Data Processing Addendum or “DPA”) relates to personal data relating to others that you submit to us or we collect to process on your behalf (i.e. where we are your Data Processor).

Part A: Privacy of Your Own Personal Data (coveragebook.com as Data Controller)

Introduction

Personal data is information that allows someone to identify or contact you e.g. your name, address, telephone number, email address, as well as any other information about you that is associated or linked to such information (‘your Information’). This Privacy Policy sets out the basis on which we may collect, use, process and store your Information that we collect or that you provide to us by any direct or indirect means. Our Site contains privacy panels and information which determine how we will collect and process your Information. Please read the relevant sections of our Site when you submit any Information to us. This Privacy Policy explains our practices regarding your Information and how we will treat it. By submitting any of your Information to us through either our Site or Services or otherwise, you are agreeing to the terms of this Privacy Policy and you expressly consent to the collection, use and disclosure of your Information in accordance with this Privacy Policy and you represent and warrant that you have all rights necessary to submit your Information. Please do not submit to us any personal data relating to you or any other data subject unless you have the right to do so.

Help

If you need any help or assistance in relation to the use of our Site, please contact support@coveragebook.com and we will do our best to get back to you promptly.

Information We May Collect from You

We may collect and process the following Information about you:

  • Information that you provide or input when you subscribe and use the Services, when you fill out forms on our Site and otherwise by corresponding with us or interacting with us via or in connection with our Site or Services.
  • Contact details that you provide to us.
  • Any documents, content, communications and electronic files that you upload or import to or transmit through our Site.
  • Information that you permit us to access and import from third party websites or storage locations.
  • If you contact us or we contact you, by email, telephone, web forms or otherwise, we may keep a record of that correspondence.
  • We may also ask you to complete surveys that we use for research purposes, although you do not have to respond to them.
  • Details of your visits to our Site including, but not limited to, traffic data, location data, weblogs, and other communication data, and the resources that you access.
  • When you access our Site from a computer, mobile phone, or other device, we may collect information from that device about your browser type, location, and IP address etc.
  • Searches that you perform via the Site and Services (therefore, be aware of this if you include any personally identifiable information in your searches).

IP Addresses, Cookies and Analytics

Our servers may collect your Information including data about your computer or device, including where available your IP address, operating system and browser type, to assist us in the provision of the Site and Services, for system administration and to report aggregate anonymised information to our associates and Third Party API Providers.

For the same reason, we may obtain your Information about Site usage by using a cookie file which is stored on the hard drive of your computer. Cookies contain information that is transferred to your computer’s hard drive. They help us to improve our Site and to deliver a better and more personalised service. They enable us:

  • To make our Site and Services more useful to you.
  • To estimate our audience size and usage patterns.
  • To store your Information about preferences, and so allow us to customise and develop our Site and Services.
  • To speed up your searches and usage of the Site and Services.
  • To recognise you when you return to our Site.

You may refuse to accept cookies by activating the setting on your browser which allows you to refuse the setting of cookies. However, if you select this setting you may be unable to access certain parts of our Site and Services. Unless you have adjusted your browser setting so that it will refuse cookies, our system will issue cookies when you start using our Site.

We may also collect or allow third parties to collect information about how you use and interact with our Site and Services. For example, we may use Google Analytics or similar services.

How We Use Your Information

We use your Information in the following ways:

  • As reasonably required in order to provide our Site and Services to you and to carry out our obligations arising from our Site and Services.
  • To help identify you as a user on our systems.
  • For customer services purposes.
  • To help us develop the Site and Services and to make them more useful to you.
  • To allow you to participate in interactive features of our Site and Services.
  • To provide you with news and information about our Services, third party sites and other information that we think may be relevant to you.
  • To assist Third Party API Providers to monitor end user usage of their third party services provided via the Services.
  • To ensure that content from our Site and Services is presented in the most effective manner for you and for your computer.
  • Where directed to by you through our Site, to export your Information in order to update or delete your Information and/or add to or amend your Information held on a third party website or to carry out any other similar function.
  • To notify you about changes to our Services.
  • As required in order to facilitate your use of any new Services, applications or uses for any of your Information via our Site.

Legal Basis of Processing

We shall only be entitled to process your Information as above to the extent that at least one of the following applies:

  • You have given consent to the processing of your Information for one or more specific purposes;
  • Processing is necessary for the performance of a contract to which you are party or to take steps at your request prior to entering into a contract;
  • Processing is necessary for compliance with a legal obligation to which we are subject;
  • Processing is necessary in order to protect your vital interests or those of another natural person;
  • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  • Processing is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by the interests of your fundamental rights and freedoms which require protection of personal data. Our legitimate interests may include:
    • The proper administration of our Site and Services;
    • The performance of our contractual obligations;
    • Monitoring and improving our Site and Services;
    • Taking steps at your request;
    • Communicating with users of our Site and Services;
    • The protection and assertion of legal rights;
    • The protection of our business against risks.

Disclosure of Your Information

We may disclose your Information subject to the same restrictions as contained in this Privacy Policy to any member of our group, which means our subsidiaries, our ultimate holding company and its subsidiaries, as defined in section 736 of the UK Companies Act 1985. We may also disclose your Information to third parties:

  • When we subcontract the running of our Site or any part of it to a third party (including but not limited to Third Party API Providers) or where the Site interacts with a third party service provider, provided that all subcontractors are bound by reasonable privacy policies.
  • In the event that we sell or buy any business or assets, in which case we may disclose your Information in confidence to the prospective seller or buyer of such business or assets.
  • If we or substantially all of our assets are transferred to or acquired by a third party, in which case all of your Information will be one of the transferred assets on the equivalent terms and conditions as herein.
  • If we are under a duty to disclose or share your Information in order to comply with any legal obligation, or in order to enforce or apply our terms and conditions or other agreements; or to protect the rights, property, or safety of us, our customers, or others. This includes exchanging Information with other companies and organisations for the purposes of fraud protection and credit risk reduction.

Retention of Your Information

We will endeavour not to keep your Information for longer than necessary in order to facilitate your use of our Site and Services. If you wish to delete your content or your account, we will delete the content we hold in relation to you on request, except that some prior content may remain in backup or cached copies for a reasonable time (but we will not make it available again to third parties). In addition, content that you have submitted to our Third Party API Providers may still be in use and so there may be some ongoing use of your Information. We may also retain certain information to prevent identity theft, legal disputes and misconduct, even if deletion has been requested.

Third Party Providers

All of your Information that you provide to us is stored on our servers, which may be hosted by third parties. Any payment transactions (if any) will be encrypted and may be processed by third party payment providers. In addition, as a condition of providing certain third party services to you, we may need to provide your Information to our Third Party API Providers to enable them to monitor the usage by you of their services, which use may be subject to the privacy policies of our Third Party API Providers.

Third Party Websites

When you click on a link to a third party website, you will leave our Site and a third party may collect your Information from that site subject to their own privacy policy. We have no control over such third party sites and privacy policies. This Privacy Policy only applies to your Information collected by us via this Site.

Where We Store and Process Your Information

Your Information that we collect from you may be transferred to, and stored at, a destination outside the UK or European Economic Area (“EEA”). It may also be processed by third parties and staff operating outside the UK or EEA who work for us or for one of our suppliers as necessary for operating the Site and Services. If any processing of your Information is to take place outside of the UK or EEA in a third country or international organisation which does not ensure an adequate level of data protection, we may only transfer your Information if appropriate safeguards have been implemented and on the condition that enforceable data subject rights and effective legal remedies for data subjects are available. The safeguards may be by way of EU Model Contract Clauses, binding corporate rules, approved code of conduct or approved certification mechanism. If you require any further information in this regard, please contact support@coveragebook.com.

Anonymous Data

We may create anonymous records from your Information by excluding all data from which you may be identified or contacted. We may use such anonymised data for our reasonable business purposes (including but not limited to researching and developing our Site and Services and our business).

Your Rights

You have a number of rights as a data subject as summarised below:

Access

You have the right to obtain confirmation as to whether or not personal data concerning you are being processed and, where that is the case, to access your Information and details of how we process it, as long as this does not adversely affect the rights and freedoms of others. You may request a copy of Information undergoing processing, subject to evidence of your identity (normally a certified copy of your passport plus an original copy of a utility bill showing your current address). The first copy shall be provided without charge, but reasonable administration fees shall be charged for additional or subsequent copies.

Rectification

We will rectify any errors in the Information we hold on request.

Erasure

You may erase your Information from our systems in the following situations:

  • The Information is no longer necessary in relation to the purpose for which it was collected;
  • You withdraw your consent on which the processing is based and where there is no other legal ground for the processing;
  • You object to the processing and there are no overriding legitimate grounds for the processing;
  • The Information has been unlawfully processed;
  • The Information has to be erased for compliance with a legal obligation to which we are subject.

Right to Restriction of Processing

You have the right to restrict our processing on specified grounds.

Notification

Where you have asked us to rectify, erase or restrict processing of your information, we shall communicate the same to each recipient to whom your Information has been disclosed, unless this proves impossible or involves disproportionate effort, in which case we shall let you know.

Data Portability

You have the right in specific circumstances where processing is based on consent to receive your Information in a structured, commonly used and machine-readable format and have the right to transmit the Information to another controller without hindrance, provided that our processing is carried out by automated means.

Right to Object

In certain circumstances you have the right to object to our processing of your Information, including in relation to profiling, direct marketing or scientific or historical research purposes.

Automated Individual Decision Making

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you unless this is necessary for our contract, is authorised under applicable law or is based on your explicit consent.

You can exercise these rights by contacting us at and/or by following our online account procedures. We shall respond to your requests without undue delay and in any event within one month unless we need to extend such period by up to two further months in specific circumstances. Please note that if you delete or restrict your account or required Information, this may prevent you from making full use of our Services.

Security

Where we have given you (or where you have chosen) a password which enables you to access certain parts of our Site, you are responsible for keeping this password confidential. We ask you not to share a password with anyone, including people who work for us.

The transmission of your Information via the internet is not completely secure. Although we will do our best to protect your Information, we cannot guarantee the security of your Information transmitted to or from our Site; any transmission is at your own risk. Once we have received your Information, we will use strict procedures and security features to try to prevent unauthorised access.

Your California privacy rights

Pursuant to Section 1798.83 of the California Civil Code, residents of California have the right to request from a business with whom the California resident has an established business relationship what types of personal information, if any, the business shares with third parties for direct marketing purposes by such third parties and the identities of the third parties with whom the business has shared such information in the immediately preceding calendar year. We do not currently share your Information with third parties for direct marketing purposes by such parties. A number of states are currently considering enacting laws similar to the California law above. If you are a resident of a state that enacts such a law, please contact us with any questions, requests or comments by email to support@coveragebook.com.

Children’s privacy

Our Site and Services are not intended for use by children, and we do not knowingly collect any personal data from children under 13. For purposes of the Children’s Online Privacy Protection Act (COPPA) in the US, if we learn that we have collected the personal data of any such individual, we will take steps to delete the data as soon as possible.

Changes to Our Privacy Policy

Any changes we may make to our Privacy Policy in the future will be posted on this page and, where we consider appropriate, we may notify you by e-mail in advance of their application. They shall become binding on you on publication on our Site. Any continued use of our Site and/or Services shall constitute your deemed acceptance of such changes.

Contact

Questions, comments and requests regarding this Privacy Policy are welcomed and should be addressed to support@coveragebook.com.


Part B: Data Processing Addendum (“DPA”) (coveragebook.com as your Data Processor)

Processing by Us

You hereby instruct us to process Subscriber Personal Data (defined below) as reasonably necessary for the provision of the Site and Services and in compliance with our Terms and Conditions, which incorporate this DPA.

Processing of Subscriber Personal Data

Where processing of personal data relating to others controlled by you (“Subscriber Personal Data”) is to be carried out on your behalf pursuant to the terms and functionality applicable to your Coveragebook.com subscription, appropriate technical and organisational measures shall be implemented by us in such a manner that processing will meet the requirements of all laws, regulations and other legal or self-regulatory requirements in any jurisdiction applicable to the processing of Subscriber Personal Data including without limitation to the extent applicable the EU General Data Protection Regulation 2016/679 (“GDPR”), the UK GDPR and the UK Data Protection Act 2018 and the California Consumer Privacy Act (“CCPA”), all as may be amended or superseded and other applicable data protection laws and regulations in the UK and EU (together, “Data Protection Laws”) and ensure the protection of the rights of the data subject.

Compulsory Processor Terms Pursuant to Article 28(3) GDPR

Details of the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects are set out below.

In respect of any processing of Subscriber Personal Data we shall:

  • process Subscriber Personal Data only on your documented instructions (including electronic instructions), including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by applicable law to which we are subject; in such a case, we shall inform you of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
  • ensure that persons authorised to process Subscriber Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
  • take all measures required pursuant to Article 32 GDPR (Security of processing), to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons;
  • respect the conditions referred to herein for engaging another processor;
  • taking into account the nature of the processing, assist you by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of your obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III GDPR. This shall include promptly notifying you if we receive a request to exercise any data subject rights under Data Protection Laws within 14 days of receiving such request and thereafter assisting you as reasonably necessary to comply with such request promptly. We shall not respond to such requests directly to any data subject except on your documented instructions or as required by applicable laws to which we are subject;
  • assist you in ensuring compliance with the obligations pursuant to Articles 32 to 36 GDPR (Security of processing; Notification of a personal data breach to the supervisory authority; Communication of a personal data breach to the data subject; Data protection impact assessment; and Prior consultation) taking into account the nature of processing and the information available to us. This shall include notifying you without delay and, where feasible, within one Business Day, after having become aware of any Personal Data Breach, being a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Subscriber Personal Data transmitted, stored or otherwise processed hereunder;
  • at your choice, delete or return all Subscriber Personal Data after the end of the provision of services relating to processing, and delete existing copies unless Data Protection Laws require storage of the personal data;
  • make available to you all information necessary to demonstrate compliance with the obligations laid down in these terms and allow for and contribute to audits, including inspections, conducted by you or another auditor mandated by you;
  • inform you if, in our opinion, an instruction infringes Data Protection Laws.

Restriction on Subprocessing

We shall not engage a subprocessor to process Subscriber Personal Data (“Subprocessor”) without your prior specific or general written authorisation, which may be given in electronic form as per the process below. In the case of general written authorisation, we shall inform you of any intended changes concerning the addition or replacement of other processors, thereby giving you the opportunity to object to such changes. Details of this process are set out below.

Subprocessors

You authorise us, on your behalf, to engage third party Subprocessors. We will require Subprocessors to agree in writing to comply with materially equivalent data protection obligations as those contained in this DPA. Except as set forth in this DPA, we will be liable for the acts and omissions of our Subprocessors to the same extent we would be liable if we were performing the services of each Subprocessor directly. You are providing us with a general authorisation to engage Subprocessors.

New Subprocessors

With respect to each new Subprocessor we wish to engage, we shall:

  • before the Subprocessor first processes Subscriber Personal Data, carry out adequate due diligence to ensure that the Subprocessor is capable of providing the level of protection for Subscriber Personal Data required by Data Protection Laws;
  • ensure that the arrangement between us and the Subprocessor is governed by a contract that complies with this DPA;
  • if that arrangement involves a transfer of Subscriber Personal Data to a third country, a territory or one or more specified sectors within a third country or international organisation outside the UK, the EEA or Switzerland that does not benefit from a formal adequacy decision by the European Commission (pursuant to Article 45 GDPR), ensure that such transfer is in compliance with the procedure stated below (Cross Border Transfers);
  • provide to you for review on request details of all Subprocessors, including our contracts with them (which may be redacted to remove confidential commercial information not relevant to the requirements of this Privacy Policy) as you may request from time to time.

Approval Process

We shall publish on the Site the appointment of any new Subprocessors to be appointed, including details of the type of processing to be undertaken by the Subprocessor. If, within 14 days of publication, you notify us in writing of any objections (on reasonable grounds) to the proposed appointment, we shall not disclose any Subscriber Personal Data to that proposed Subprocessor and/or (as applicable) you shall not access any element of our Site or Services affected by this issue until reasonable steps have been taken to address the objections raised by you. If no such objections are raised, you shall be deemed to have consented to the appointment of the Subprocessor.

Cross Border Transfers

We process Subscriber Personal Data anywhere we or our Subprocessors maintain facilities. For any transfers of Subscriber Personal Data from the EEA, Switzerland or the UK to a country which is not an Approved Jurisdiction (as defined below), such transfers and processing shall be governed by a valid mechanism for the lawful transfer of Subscriber Personal Data recognised under applicable Data Protection Laws, by way of a written contract that provides for, in substance materially equivalent data protection obligations as those under this DPA such as (a) for transfers of Subscriber Personal Data protected by EU GDPR, such transfers shall be subject to EU SCCs, including Appendix 2, and (b) with respect to transfers of Subscriber Personal Data protected by UK GDPR, the EU SCCs as amended by the Standard Data Protection Clauses issued by the UK Information Commissioner under S119A(1) Data Protection Act 2018 ‘International Data Transfer Addendum to the EU Commission Standard Contractual Clauses Version B1.0’, in force 21 March 2022 (the “UK Addendum”) (collectively with the EU SCCs, the “SCCs”), including Appendix 2. “Approved Jurisdiction” means a jurisdiction that has either been approved as having adequate legal protections for data by the European Commission or the UK Information Commissioner’s Office (as applicable), or where data transfers contemplated by this DPA are not otherwise restricted under Data Protection Laws.

Charges and Costs Mitigation

We shall be entitled to charge you for the reasonable and verified costs of our specific assistance and cooperation provided pursuant to this Privacy Policy except to the extent that such measures have been necessitated by a breach by us or our Subprocessors. Our charges shall be on a time and materials basis according to our prevailing Rate Card and invoiced according to our standard payment terms.

In the event that we are able to demonstrate that we and/or any Subprocessor adheres to an approved code of conduct or approved certification mechanism as referred to in Article 40 GDPR, you accept that we may rely on the same to demonstrate our compliance with this Privacy Policy, so as to mitigate or avoid incurring unnecessary administration and costs, unless otherwise required by Data Protection Laws or as may be mutually agreed by the parties.


Appendix 1: Details of Processing of Subscriber Personal Data

The processing/transfer (as applicable) of Subscriber Personal Data shall be as follows:

Parties: (1) Coveragebook Limited and (2) the Subscriber.

Categories of Data Subjects: All users of our Site and Services, mobile applications and other features, services and technology provided by us which may include:

  • Site users
  • PR and advertising agencies
  • Brand owners/your clients

Categories of Personal Data: All personal data processed in the normal use, management and development of our Site and Services including:

  • Names
  • Addresses
  • Email addresses
  • Contact details
  • Passwords
  • Profile information provided by users
  • Usage data
  • Preferences/personalisation details
  • Evidence of opt-ins/contact permissions and other privacy consents/unsubscribe requests

Sensitive Data: No sensitive data to be processed/transferred

Frequency of the processing/transfer: Continuous

Nature of Processing: To provide the Services.

Purpose of Processing, Data Transfer and Further Processing: To provide the Services.

Duration of Processing/Retention of Data: For the term of the contract between us and you or until such time as we no longer process Subscriber Personal Data on your behalf.

Subprocessor Transfers: As set out in the Cross Border Transfers section of the DPA.

Competent Supervisory Authority: UK Information Commissioner to the extent applicable or otherwise the competent supervisory authority of an EU Member State as determined under applicable EU SCCs.


Appendix 2:

Part A: EU SCCs

For data transfers from the EEA/Switzerland that are subject to the EU SCCs, the EU SCCs will be deemed entered into (and incorporated into this DPA by reference) and completed as follows:

Module: Module 2 applies where you are the Controller and we are a Processor; Module 3 applies where you are a Processor and we are your Subprocessor.
Data exporter: The Subscriber
Data importer: Coveragebook Limited
Clause 7 (Docking Clause): Option is not included.
Clause 9 (Use of Sub-Processors): Option 2 shall apply, as set forth in Appendix 4.
Clause 11 (Redress): Option is not included.
Clause 13 (Supervision): The supervisory authority with responsibility for ensuring compliance by the data exporter is:
  • where the data exporter is established within an EU member state, the supervisory authority of that EU member state; OR
  • where the data exporter is not established in the EU but is subject to EU GDPR pursuant to Article 3(2) EU GDPR and has appointed a representative, the supervisory authority of the EU member state where the representative is established; OR
  • where the data exporter is not established in the EU but is subject to EU GDPR pursuant to Article 3(2) EU GDPR, but has not appointed a representative in an EU member state, the supervisory authority of the EU member state where the relevant data subjects are located.
Clause 17 (Governing Law): Ireland
Clause 18 (Choice of Forum and Jurisdiction): Ireland
Annex I.A (List of Parties): Set out in Appendix 1
Annex I.B (Description of the Transfer): Set out in Appendix 1
Annex II (Technical and Organisational Measures): Set out in Appendix 3

Part B: UK Addendum

For data transfers from the UK that are subject to the UK Addendum, the provisions of the EU SCCs as amended by the UK Addendum will be deemed entered into (and incorporated into this DPA by reference, which shall include Part 2 Mandatory Clauses therein) and completed as follows:

Part 1: Tables

Table 1: Parties

Start Date: The date on which the Subscriber starts to use the Services to transfer Subscriber Personal Data to UK Third Countries.

Exporter:
  • Full legal name: The entity identified as the ‘Subscriber’
  • Trading name (if different): If different, the trading name for the Subscriber associated with its CoverageBook account or as otherwise agreed.
  • Main address: The address for the Subscriber associated with its CoverageBook Account.
  • Key contact: As specified in Subscriber Account.
  • Signature (if required for the purposes of Section 2): By using the Services to transfer UK Subscriber Personal Data to UK Third Countries, the Exporter will be deemed to have signed this Addendum.

Importer:
  • Full legal name: Coveragebook Limited
  • Trading name: Coveragebook
  • Main address: The Carriage House, Mill Street, Maidstone, Kent, United Kingdom, ME15 6YE
  • Key contact: As specified in Subscriber Account.
  • Signature (if required for the purposes of Section 2): By transferring UK Subscriber Personal Data to UK Third Countries on Subscriber’s instructions, the Importer will be deemed to have signed this Addendum.

Table 2: Selected SCCs, Modules and Selected Clauses

The version of the Approved EU SCCs which this Addendum is appended to, detailed below, including the Appendix Information:

Date: 4 June 2021

Reference (if any): Module 2: Controller-to-Processor and Module 3: Processor to Subprocessor

Table 3: Appendix Information

Appendix Information means the information which must be provided for the selected and corresponding modules as set out in the Appendix of the EU SCC above.

Table 4: Ending this Addendum when the Approved Addendum Changes

Both the importer and exporter shall have the right to end this Addendum as set out in Section 19.

Part 2: Mandatory Clauses

Mandatory Clauses of the UK Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.


Appendix 3: Technical and Organisational Measures

This Appendix 3 describes the technical and organisational measures implemented by the data importer(s) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

Measures of pseudonymisation and encryption of personal data

CoverageBook provides browser-only access, and all our data in transit is encrypted via HTTPS over the internet. All data at rest is encrypted using RSA.

We employ industry-leading cloud storage and application management providers such as AWS and Heroku to securely store and process data. Please refer to our sub-processors list in Appendix 4.

Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services

CoverageBook has a security policy in place to notify, investigate and react to any security threats. We have a rota with 24/7 alerts set up to notify relevant staff in the event of an emergency.

Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident

All data is securely backed up by our application hosting providers, and we have the ability to roll back to a previous version of our database and to fully restore our databases in the event of an emergency. See our Sub Processors list in Appendix 4 for more information on our providers.

Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing

CoverageBook regularly performs security systems and process testing, and we use external security providers to monitor and respond to any potential security threats (see Appendix 4).

We do not own or maintain our own data servers or other physical infrastructure. We use trusted, industry-leading providers to manage our application data, who hold the appropriate security certifications (including, but not limited to, SOC Type II). Please see our Sub Processors list in Appendix 4 for more information on our cloud and database providers.

CoverageBook uses third-party security scanning tools to constantly monitor, identify and notify us of any potential vulnerabilities, which we remedy and review as required in a timely manner.

We periodically engage external third-party penetration testers.

Measures for user identification and authorisation

All staff at CoverageBook are required to use 2FA (activated by default) for the systems and applications we use to administer and support CoverageBook customers and their data. We use a password management vault which generates and promotes the use of strong passwords. We carry out periodic checks/reviews of access, with the ability to immediately revoke access where necessary.

Access is role based. Only team members who need to access systems that store customer or sensitive application data are permitted access, and at the level required to perform their role.

Measures for the protection of data during transmission

CoverageBook provides browser-only access, and all our data in transit is encrypted via HTTPS over the internet. All data at rest is encrypted using RSA.

We employ industry-leading cloud storage and application management providers such as AWS and Heroku to securely store and process data. Please refer to our sub-processors list in Appendix 4.

Measures for the protection of data during storage

Please see above (measures for the protection of data during transmission).

Measures for ensuring physical security of locations at which personal data are processed

The CoverageBook team works both remotely and at our office in Brighton (UK). We don’t own or maintain any physical data storage like servers. Data is securely stored with our application hosting providers who manage the security and physical integrity of their premises (see Appendix 4 for more information on our providers).

Measures for ensuring events logging

Our security screening systems log and notify us of any potential issues; we regularly review these logs and act on any notifications in a timely manner. We also collect and store application performance data and logs for our own internal reviews, monitoring and improvement work.

Measures for ensuring system configuration, including default configuration

CoverageBook adopts a rigorous review, QA testing and approval process for any changes or updates that we release, covering both our own internal updates and any necessary updates from our providers. We also carry out regular firmware and version updates in accordance with our suppliers’ own guidelines to ensure all the services we use are up to date and running the latest versions where applicable and relevant.

Measures for internal IT and IT security governance and management

Our internal IT security processes ensure that our customers’ data is kept secure. Access is restricted on a role and need-only basis (and can be revoked immediately if required). We use secure password vaults to manage access to our systems through the use of secure passwords, and we mandate 2FA for access to all of the systems we use at CoverageBook that contain personal data.

Issued equipment is encrypted and can be remotely wiped immediately if required.

We do not store personal data locally or within our premises (or in hard copies). This is managed for us by our cloud platform and application management providers (see our Sub Processors list in Appendix 4).

Measures for certification/assurance of processes and products

We use trusted, industry-leading providers to manage our application data, who hold the appropriate security certifications (including, but not limited to, SOC Type II). Please see our Sub Processors list in Appendix 4 for more information on our cloud and database providers.

Measures for ensuring data minimisation

Data collection is limited to the purposes of processing (or the data that the Customer chooses to provide to us).

Access is role based. Only team members who need to access systems that store customer or sensitive application data are permitted access, and at the level required to perform their role.

We will, on termination of a customer’s account, delete their data from our systems (in accordance with our terms of service, privacy policy and DPA).

Data subjects can access and request deletion of their personal data by submitting a request to us in writing; we will acknowledge and process such requests within a reasonable period (and in accordance with GDPR).

Measures for ensuring data quality

Data subjects can exercise their right to amend and update their personal data with us in accordance with our privacy policy.

Measures for ensuring limited data retention

Data collection is limited to the purposes of processing (or any data that the Customer chooses to provide to us).

Access is role based. Only team members who need to access systems that store customer or sensitive application data are permitted access, and at the level required to perform their role.

We will, on termination of a customer’s account, delete their data from our systems (in accordance with our terms of service, privacy policy and DPA).

Data subjects can access and request deletion of their personal data by submitting a request to us in writing; we will acknowledge and process such requests within a reasonable period (and in accordance with GDPR).

We may be required to retain some data, such as billing information, for tax compliance and accounting purposes; please refer to our privacy policy for more information.

Measures for ensuring accountability

CoverageBook has an appointed Data Protection Officer.

Access to data is restricted based on role and reason for access (e.g. customer support purposes).

We follow a compliance by design approach.

Measures for allowing data portability and ensuring erasure

We will, on termination of a customer’s account, delete their data from our systems (in accordance with our terms of service, privacy policy and DPA).

Data subjects can access and request deletion of their personal data by submitting a request to us in writing; we will acknowledge and process such requests within a reasonable period (and in accordance with GDPR).

We may be required to retain some data, such as billing information, for tax compliance and accounting purposes; please refer to our privacy policy for more information.

For transfers to (sub-) processors, the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter.

Prior to engaging new third-party service providers or vendors who will have access to personal data, we conduct an assessment of their published data security policies.

We will restrict the onward subprocessor’s access to personal data only to what is strictly necessary to provide the Services, and will prohibit the subprocessor from processing the data for any other purpose.

Coveragebook imposes contractual data protection obligations, including appropriate technical and organisational measures to protect personal data, on any subprocessor it appoints, requiring such subprocessor to protect personal data to the standard required by law.

We remain liable and accountable for any breach of this DPA that is caused by an act or omission of our subprocessors.


Appendix 4: List of Subprocessors

Applicable to both Modules 2 and 3 of the SCCs. The following Subprocessors have been authorised to process Subscriber Personal Data.

Name | Purpose | Location | Privacy policy/DPA
AWS (Amazon Web Services) | Application Management | USA | AWS DPA; UK GDPR Addendum; Standard Clauses
Basecamp | Internal comms and project management | USA | Basecamp DPA
ChartMogul | Business Analytics | Germany | ChartMogul Privacy
ChurnKey | Failed payment recovery | USA | Copy of DPA available on request (email support@coveragebook.com)
Clearbit | Marketing data collection API | USA | Copy of DPA available on request (email support@coveragebook.com)
Cloudflare | Network performance and security | USA | Cloudflare - DPA
Convertkit | Email marketing | USA | ConvertKit - DPA
Crunchy Bridge | Cloud hosting platform and application management | USA | Crunchy Bridge - DPA
G2 User Reviews | Digital product reviews | USA | G2 privacy; G2 DPA
Google G-Suite | Coveragebook’s email provider and documentation | USA | Google DPA
Heroku | Cloud hosting platform and application management | USA | Salesforce DPA
Intercom.IO | Customer Support platform | USA | Intercom DPA
Mezmo | Application logging | USA | Mezmo DPA
Postmark | Transactional email service | USA | Postmark DPA
Segment | Customer data platform | USA | Segment DPA
Stripe | Payment Processing | USA | Stripe DPA
Xero | Accounting Software | New Zealand | Xero GDPR
Zapier | Workflow Automation Service | USA | Zapier DPA

The following additional Subprocessors provide optional functions, which Subscribers can choose to use, such as customer feedback surveys, reviewing our Services, or booking video calls with us.

Name | Purpose | Location | Privacy Policy/DPA
Atlassian (Status Page) | Status update page on current downtime (user subscription optional) | Australia (global HQ) | Atlassian DPA
Calendly | Online calendar booking for customers to meet with our team | USA | Calendly DPA
Infinite Loop | Virtual voicemail service for billing queries | Republic of Ireland | Infinite Loop Privacy
Typeform | Customer survey tool | Spain | Typeform Legal Documentation
Webinar Jam | Webinar hosting service | USA | WebinarJam DPA
Wootric (InMoment) | Customer Survey tool | USA | Copy of DPA available on request (email support@coveragebook.com)
Zoom | Video meetings | USA | Zoom US DPA; Standard clauses