Public website surface: marketing and explanation content. This is not the canonical authenticated runtime.
Canonical runtime: app.identityfirst.net
Security & Governance

Built Secure.
Governed Responsibly.

We build identity security software. Our own house has to be in order first. Here is exactly how we govern our systems, protect your data, and operate with the transparency that security buyers deserve.

Cyber Essentials Certified
ISO 27001 ISMS In Progress
ICO Registered · ZC031428
UK GDPR Compliant
Data region depends on deployment model

Tamper-evident audit and evidence language

This is the public distinction we are comfortable making today: detectably chained and append-only is not the same thing as WORM-immutable, and we say that plainly.

What we mean by tamper-evident

Evidence integrity is maintained through multiple complementary mechanisms:

  • HMAC-SHA256 chained audit records (per-deployment key) — each entry's MAC covers the previous entry's MAC, so altering, reordering or removing an earlier record breaks the chain and is detectable on verification.
  • Append-only PostgreSQL audit store — no API surface permits update or deletion. This is not WORM-immutable storage; blob-backed immutability is planned.
  • SHA-256 content hashes on reports with optional HMAC signature for integrity verification.
  • RFC 6962 Merkle trees with epoch chaining for provenance verification across evidence packs.
  • 7-year minimum retention enforced by policy; cannot be overridden below that floor.
  • Formal evidentiary verification depends on the export path and verification workflow used — append-only storage alone is not standalone non-repudiation.

What is signed and how

  • Build artefacts: EV Code Signing via DigiCert HSM (RSA-4096). Signs Windows PE binaries, NuGet packages, Docker images (Notation/COSE), and capability manifests. Private key never leaves the HSM.
  • Licence tokens: RS256-signed JWTs with offline key verification in production and staging. HMAC-SHA256 in development only; HMAC keys are explicitly rejected in production.
  • Audit chain: HMAC-SHA256 tamper-evident chain with per-deployment key. Append-only PostgreSQL storage. Not WORM-immutable; blob-backed immutability is on the roadmap.
  • Merkle provenance: RFC 6962 SHA-256 Merkle trees with epoch chaining for evidence provenance verification.

The public differentiation is precision, not hype: HMAC-SHA256 chained audit records, append-only storage, report hashes, and Merkle provenance where stated. Formal evidentiary weight still depends on the export path and verification workflow in scope.
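As an added illustration (example code, not IdentityFirst's own implementation), the two mechanisms named above under "What we mean by tamper-evident" and "What is signed and how" can be modelled directly: each audit record's HMAC-SHA256 covers the previous record's MAC, so a verifier walking the chain from a known anchor pinpoints the first record that no longer fits, and an RFC 6962 Merkle root is computed over evidence leaves with the standard 0x00 leaf and 0x01 node prefixes. The key, record layout and sample events are constructed assumptions for the demo.

```python
import hashlib
import hmac
import json

# Constructed per-deployment key for this demo; a real deployment draws it from a secret store.
DEPLOYMENT_KEY = b"constructed-demo-key-not-a-real-secret"
GENESIS = b"\x00" * 32  # stands in for the "previous MAC" of the first record

def record_mac(key: bytes, prev_mac: bytes, event: dict) -> bytes:
    """HMAC-SHA256 over the previous record's MAC plus this record's canonical JSON."""
    body = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_mac + body, hashlib.sha256).digest()

def append(chain: list, key: bytes, event: dict) -> dict:
    """Append-only: each new record binds to the MAC of the record before it."""
    prev = chain[-1]["mac"] if chain else GENESIS
    rec = {"event": event, "mac": record_mac(key, prev, event)}
    chain.append(rec)
    return rec

def verify(chain: list, key: bytes):
    """Index of the first record that breaks the chain, or None if intact.
    Editing, reordering or deleting an earlier record changes the MAC its successor expects."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if not hmac.compare_digest(record_mac(key, prev, rec["event"]), rec["mac"]):
            return i
        prev = rec["mac"]
    return None

def merkle_root(leaves: list) -> bytes:
    """RFC 6962 Merkle Tree Hash: 0x00 prefix on leaves, 0x01 on interior nodes,
    left subtree sized to the largest power of two smaller than len(leaves)."""
    if not leaves:
        return hashlib.sha256(b"").digest()
    if len(leaves) == 1:
        return hashlib.sha256(b"\x00" + leaves[0]).digest()
    k = 1
    while k * 2 < len(leaves):
        k *= 2
    return hashlib.sha256(b"\x01" + merkle_root(leaves[:k]) + merkle_root(leaves[k:])).digest()

def build_demo_chain() -> list:
    """Three constructed audit events, used to exercise the tamper checks."""
    chain = []
    for ev in ({"seq": 1, "actor": "svc", "action": "scan.start"},
               {"seq": 2, "actor": "svc", "action": "finding.create"},
               {"seq": 3, "actor": "svc", "action": "scan.end"}):
        append(chain, DEPLOYMENT_KEY, ev)
    return chain
```

Note that detection here depends on the verifier holding the per-deployment key and a trusted anchor; the chain shows that something changed and where, which is the tamper-evident claim, not a WORM guarantee that the change could not have been made.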

Security Governance

Certifications obtained or in progress. We only claim certification where an external body has actually granted it.

Certified
Cyber Essentials

NCSC-backed scheme covering firewalls, secure configuration, access control, malware protection, and patch management. Externally verified.

In Progress
ISO/IEC 27001 ISMS

Information Security Management System implementation underway, covering risk management, access control, vulnerability management, incident response, supplier assurance, and business continuity.

Planned
Cyber Essentials Plus

Independent technical verification of CE controls via external audit. Planned following ISO 27001 ISMS completion.

Security Framework Alignment

IdentityFirst's security architecture and internal governance practices are designed in alignment with these widely recognised frameworks. Alignment means our policies and architecture reasonably reflect each framework's principles — it does not imply external certification.

NIST Cybersecurity Framework

Identify, Protect, Detect, Respond, Recover — applied across platform architecture and internal security operations.

CIS Critical Security Controls

Prioritised control baseline covering asset inventory, access control, audit logging, and vulnerability management.

NIST Zero Trust Architecture (SP 800-207)

Verify explicitly, use least privilege, assume breach — principles reflected in platform design and IdentityFirst's own operational access model.

NIST Secure Software Development Framework

Secure development lifecycle practices embedded throughout platform engineering, including threat modelling and dependency management.

OWASP Secure Development Practices

OWASP Top 10 risks addressed in platform development and code review: injection prevention, authentication controls, input validation throughout.

Identity Security Standards

As an identity security platform, IdentityFirst is designed in alignment with the standards that govern digital identity assurance and authentication. These inform both platform architecture and how IdentityFirst helps customers meet their own obligations.

NIST SP 800-63 Digital Identity Guidelines

Identity assurance levels, authenticator types, and federation requirements inform IdentityFirst's risk assessment methodology and finding classification.

FIDO Authentication Standards

FIDO2/WebAuthn phishing-resistant authentication principles referenced in MFA coverage assessment and privileged account security recommendations.

Regulatory Alignment

IdentityFirst operates in accordance with applicable UK and EU regulations. References below describe regulatory alignment, not external certification unless specifically stated.

UK GDPR & Data Protection Act 2018

Data protection and privacy principles embedded throughout product design and operations. ICO registered · ZC031428. Privacy by design. MRI assessments operate within a read-only boundary.

NIS2 Directive

Security governance aligned with NIS2 cybersecurity risk management principles. IdentityFirst is designed to help customers evidence NIS2 identity governance and access control obligations.

Digital Operational Resilience Act (DORA)

Relevant to FCA-regulated customers. IdentityFirst supports DORA ICT risk management by surfacing identity risk, privilege exposure, and access control gaps.

UK NCSC Cyber Assessment Framework (CAF)

Security governance informed by CAF principles, particularly identity and access management objectives relevant to UK public sector and regulated industries.

AI Governance

IdentityFirst develops AI-assisted capabilities for qualified later-tier workflows. Governance of those capabilities is aligned with the following frameworks to ensure appropriate transparency, human oversight, and security.

EU Artificial Intelligence Act

AI governance aligned with EU AI Act risk classification and prohibited use principles. Human oversight is a design requirement, not an option.

NIST AI Risk Management Framework

Govern, Map, Measure, Manage — structured AI risk lifecycle applied to AI-assisted analysis and recommendation features where those later-tier capabilities are in scope.

OWASP Top 10 for LLM Applications

Prompt injection, training data exposure, and insecure output handling are addressed in the design and security testing of AI-assisted features under development and private beta.

Operational Governance

Operational risk management and resilience practices aligned with internationally recognised principles.

ISO 31000 Risk Management Principles

Risk identification, assessment, treatment, and monitoring practices applied across internal operations and platform risk governance.

ISO 22301 Resilience Principles

Business continuity and operational resilience principles inform incident response planning, recovery objectives, and service continuity commitments.

Cross-Framework Identity Governance Evidence

Most security tools align with one framework. IdentityFirst provides identity governance evidence across multiple regulatory frameworks from the same MRI assessment path, using the connectors that are in scope for that engagement.

A single IdentityFirst MRI™ assessment can surface the privileged access, stale account, delegation, and MFA coverage evidence that buyers often need across ISO 27001, NIS2, DORA, CIS Controls, NIST CSF, and Zero Trust. The exact output depends on the connectors and deployment scope agreed.

Frameworks covered: ISO 27001, NIST CSF, NIS2, DORA, CIS Controls, Zero Trust, Cyber Essentials, NCSC CAF.

Data Protection Practices

Architecture-level commitments carried into the current MRI-led product boundary.

Privacy by Design

Data minimisation and purpose limitation built into every MRI assessment connector and report output.

MRI Read-Only by Architecture

MRI assessments, demos, and standard POCs operate in discovery mode only. Governed writes, where licensed in higher tiers, require explicit human approval.

Deployment-Dependent Data Region

Customer-hosted deployments keep data inside customer infrastructure. IdentityFirst-hosted deployments follow the contracted region and deployment model.

ICO Registration

Registered with the Information Commissioner's Office. Reference: ZC031428.

The Read-Only Guarantee

During any MRI assessment, demo, or standard POC, IdentityFirst never writes to your systems. The MRI path operates in discovery mode only. Governed writes, where licensed and explicitly in scope for higher tiers, require named human approval. You see the findings first. You decide what to act on.
