Security by Design

Trust & Security

We build security software. That means holding ourselves to the highest standards.

Certifications & Registrations

Independent verification of our security and compliance posture.

  • Certified

    Cyber Essentials Certified

    UK government-backed certification covering five key technical controls. Annual renewal.

  • Registered

    ICO Registered

    Reference ZC031428. UK GDPR compliant data processor.

  • Certified

    ISC2 Certified in Cybersecurity

    ISC2's Certified in Cybersecurity (CC) credential, held by our founder. ISC2 is the world's largest cybersecurity membership organisation.

  • In Progress

    SOC 2 Type II

    Independent audit in progress, Q1 2026. Results available to prospects under NDA.

The Read-Only Guarantee

Our most important promise. Zero autonomous writes. Zero surprises.

  • Discovery mode only

    All connectors operate in read-only discovery mode. We never write to your systems during assessment or monitoring.

  • Writes require explicit human approval

    Provisioning, deprovisioning, and account changes require a named human approver. No autonomous writes.

  • Blast radius modelled first

    Before any containment action, blast radius is modelled across your identity graph.

  • Every action journaled with rollback capability

    All write actions are recorded in a tamper-evident journal. Each can be rolled back independently.

Verify this claim programmatically:

GET /api/capabilities/read-only-guarantee

Returns a signed capabilities manifest confirming the read-only posture of your deployment. Check the manifest's signature before relying on it; an unverified manifest is only a claim.

Data Security

How we protect identity data throughout its lifecycle.

  • No Persistent Identity Store

    No persistent identity store by default. Assessment data held for engagement duration, then deleted.

  • Data Stays In Your Deployment

    All identity data stays within your deployment boundary. Nothing sent to IdentityFirst™ servers.

  • Tamper-Evident Audit Log

    Per-tenant HMAC-SHA256 hash chain. Each audit event is authenticated with a tag computed over the event and the previous entry's tag, so modifying, deleting or reordering any entry is detected on verification. HMAC is symmetric, so verification requires the tenant key; keep it separate from the service that writes the journal.

  • TLS 1.3 In Transit

    TLS 1.3 enforced for all data in transit. Older protocol versions are disabled.

  • AES-256 At Rest

    AES-256 encryption for all persisted data. By default identity data does not persist beyond the engagement, so this applies to the audit journal and any retained assessment artefacts.

  • Minimal Data Collection

    We collect only what is necessary for identity security assessment.
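The following is an added illustration of the tamper-evident audit log design described above; it is example code written for this page, not IdentityFirst's own implementation. It assumes a per-tenant HMAC key, a fixed all-zero genesis tag, canonical JSON for event bytes, and a separately stored "head" tag for detecting truncation; none of those choices are stated on the page.

```python
import copy
import hashlib
import hmac
import json

# Assumption: the first entry chains to a fixed all-zero tag.
GENESIS_TAG = "0" * 64


def _canonical(event: dict) -> bytes:
    # Canonical JSON so the same event always authenticates to the same bytes.
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def _tag(tenant_key: bytes, prev_tag: str, event: dict) -> str:
    # Tag binds this event to its predecessor: HMAC(key, prev_tag || 0x00 || event).
    mac = hmac.new(tenant_key, digestmod=hashlib.sha256)
    mac.update(prev_tag.encode())
    mac.update(b"\x00")
    mac.update(_canonical(event))
    return mac.hexdigest()


class AuditJournal:
    """Append-only journal whose entries form an HMAC-SHA256 chain."""

    def __init__(self, tenant_key: bytes):
        self._key = tenant_key
        self.entries: list[dict] = []

    def append(self, event: dict) -> dict:
        prev = self.entries[-1]["tag"] if self.entries else GENESIS_TAG
        entry = {
            "seq": len(self.entries),
            "event": event,
            "prev": prev,
            "tag": _tag(self._key, prev, event),
        }
        self.entries.append(entry)
        return entry

    def head(self) -> str:
        # Store this out-of-band (e.g. with the verifier); it detects truncation.
        return self.entries[-1]["tag"] if self.entries else GENESIS_TAG


def verify_chain(tenant_key: bytes, entries: list, expected_head=None):
    """Return (True, None) if the chain is intact, else (False, first bad seq).

    Checks sequence numbers, back-links and HMAC tags in order, and
    optionally that the final tag matches an independently stored head.
    """
    prev = GENESIS_TAG
    for i, e in enumerate(entries):
        if e["seq"] != i or e["prev"] != prev:
            return False, i  # deletion, insertion or reordering
        if not hmac.compare_digest(_tag(tenant_key, prev, e["event"]), e["tag"]):
            return False, i  # modified event or wrong tenant key
        prev = e["tag"]
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return False, len(entries)  # entries removed from the tail
    return True, None


def demo() -> dict:
    # Constructed sample key and events; real deployments would derive
    # per-tenant keys from a KMS rather than embed them.
    key = b"tenant-a-example-key"
    journal = AuditJournal(key)
    journal.append({"actor": "svc-discovery", "action": "read", "target": "okta:users"})
    journal.append({"actor": "alice", "action": "approve_write", "target": "ad:deprovision:bob"})
    journal.append({"actor": "svc-writer", "action": "deprovision", "target": "ad:bob"})
    head = journal.head()
    good = journal.entries

    modified = copy.deepcopy(good)
    modified[1]["event"]["actor"] = "mallory"
    deleted = copy.deepcopy(good)
    del deleted[1]
    reordered = copy.deepcopy(good)
    reordered[1], reordered[2] = reordered[2], reordered[1]
    truncated = good[:-1]

    return {
        "intact": verify_chain(key, good, head),
        "modified": verify_chain(key, modified, head),
        "deleted": verify_chain(key, deleted, head),
        "reordered": verify_chain(key, reordered, head),
        "truncated_no_head": verify_chain(key, truncated),
        "truncated_with_head": verify_chain(key, truncated, head),
        "wrong_tenant_key": verify_chain(b"tenant-b-example-key", good, head),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20s} {result}")
```

The truncation case is the one to note: a chain alone cannot tell that entries were dropped from the end, because what remains is still a valid prefix. Only a head tag kept outside the journal (or a regular anchoring of the head to an external record) turns deletion of the latest entries into a detectable failure.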

Vulnerability Disclosure

We take security reports seriously and respond promptly.

Responsible Disclosure

Found a vulnerability? Please report it responsibly.

  • Email: mark@identityfirst.net
  • Response within 2 business days
  • No legal action against good-faith researchers

No bug bounty programme currently in operation.

Security Questionnaire

Need to complete a security questionnaire for procurement?

Pre-filled responses for SIG Lite, CAIQ, and VSA available under NDA.

Request Questionnaire Pack