Public website surface: marketing and explanation content. This is not the canonical authenticated runtime.
Canonical runtime: app.identityfirst.net
Plain-English trust

Trust & Security

Before you ask us to look at your environment, you should know exactly how we behave. We keep the public story simple: what we can read, what we do not change, and what is live now.

Static public statement

This page is a buyer-safe public policy summary. Runtime-backed trust endpoints and live status indicators depend on the deployment you are evaluating.

The short version

What boards, MSPs and procurement teams usually need to know first.

Read-only by default

Our assessment flow is designed to observe and report first. We do not need to change customer systems to show value.

Product status is explicit

We separate what is live now from what is still being developed, so buyers are not asked to guess. MRI is public GA; Core is controlled rollout; Enhanced and AISF are private beta.

Data handling is constrained

We collect the minimum needed for the engagement and keep buyer-facing data handling clear rather than buried in legal text.

Roadmap transparency

We separate shipped, in progress, planned, and researching so buyers can see what is current public truth versus what is still moving.

Dated public status

The roadmap page is dated April 22, 2026 and exists to show delivered trust surfaces separately from programme work that is still underway.

Only items marked shipped should be treated as current public capability or current website truth.

Why this matters

Enterprise buyers should not have to infer whether a statement is already live, still in flight, or only under evaluation.

Open roadmap transparency page

Certifications & registrations

Independent checks and formal registrations that support the trust story.

  • Certified

    Cyber Essentials Certified

    UK government-backed certification covering five baseline controls. Renewed annually.

  • Registered

    ICO Registered

    Reference ZC031428. UK GDPR obligations are handled as part of the service model.

  • Certified

    ISC2 Certified in Cybersecurity

    Founder-level certification from ISC2, reinforcing the security discipline behind the public story.

  • In progress

    ISO/IEC 27001 ISMS

    Information Security Management System work is underway, covering risk, access, incident response and business continuity.

  • In progress

    Cyber Essentials Plus

    Independent technical verification of the baseline controls is underway following Cyber Essentials certification.

The Read-Only Guarantee

MRI and assessment-led engagements are read-only. Governed write paths, where contractually in scope, require named human approval.

  • Discovery mode only

    MRI and assessment connectors operate in read-only discovery mode. We do not write to your systems as part of standard assessment delivery.

  • Writes require explicit human approval

    Provisioning, deprovisioning, and account changes sit outside MRI. Where higher-tier governed workflows are in scope, they require a named human approver. No autonomous writes or default hands-off changes.

  • Blast radius modelled first

    Where action is requested, we look at the likely impact first so the customer knows what could be affected.

  • Governed write-capable workflows are journaled

    MRI stays read-only. Where higher-tier governed workflows are licensed and in scope, those actions are recorded in the tamper-evident journal with operator identity and approval context.

Need a buyer-safe explanation?

Use the product status page for a simple summary of what is live now and where the read-only boundary sits.

Open product status

Need deployment-level confirmation?

Review this public policy statement directly and, where a deployment exposes runtime-backed trust endpoints, inspect the corresponding capability manifest:

GET /api/readonly-guarantee.php

This endpoint is only meaningful when a deployment is configured to expose it. Treat this page as the canonical public policy statement unless a live trust endpoint is explicitly available in scope.

Data Security

How we handle data without making buyers read three pages of legal text.

  • No Persistent Raw Identity Store

    No persistent raw identity store by default. Retention depends on deployment model, written scope, and the DPA.

  • Deployment-Dependent Data Boundary

    Customer-hosted deployments keep data inside customer infrastructure. IdentityFirst-hosted SaaS keeps data in the contracted region. We do not send identity data to third-party telemetry services.

  • Tamper-Evident Audit Log

    Append-only records are HMAC-SHA256 hash-chained per tenant, so alteration of an earlier record is revealed when the chain is verified; stronger verification depends on the export path in scope.

  • TLS 1.2+ In Transit

    Modern transport encryption is enforced for data moving between browser, service and connectors, with legacy protocol versions disabled.

  • AES-256 At Rest

    Persisted data is encrypted at rest where storage is used.

  • Minimal Data Collection

    We collect only what is needed to answer the identity question in front of the customer.
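As an added illustration (not IdentityFirst's own code), this is the shape of the per-tenant HMAC-SHA256 hash chain described under Tamper-Evident Audit Log, carrying the operator identity and approval context that the Read-Only Guarantee section says governed actions are journaled with. The tenant key, tenant name and record values are constructed for the example; the verifier returns the index of the first record whose link or MAC fails.

```python
import hashlib
import hmac
import json
from typing import Optional

GENESIS = "0" * 64  # constructed sentinel used as prev_mac of the first record


def canonical(record: dict) -> bytes:
    # Deterministic serialisation so writer and verifier MAC identical bytes.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def append(journal: list, tenant_key: bytes, tenant: str,
           operator: str, approver: str, action: str) -> dict:
    # Each record binds to its predecessor via prev_mac and is keyed per tenant.
    prev = journal[-1]["mac"] if journal else GENESIS
    body = {"seq": len(journal), "tenant": tenant, "operator": operator,
            "approver": approver, "action": action, "prev_mac": prev}
    mac = hmac.new(tenant_key, canonical(body), hashlib.sha256).hexdigest()
    entry = dict(body, mac=mac)
    journal.append(entry)
    return entry


def verify(journal: list, tenant_key: bytes) -> Optional[int]:
    """Return the index of the first record that fails, or None if the chain is intact."""
    prev = GENESIS
    for i, entry in enumerate(journal):
        body = {k: v for k, v in entry.items() if k != "mac"}
        if body.get("seq") != i or body.get("prev_mac") != prev:
            return i  # reordered, inserted or removed interior record
        expected = hmac.new(tenant_key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, entry["mac"]):
            return i  # record content edited, or wrong tenant key
        prev = entry["mac"]
    return None


def demo() -> tuple:
    # Constructed key and records; not a real secret or real identities.
    key = b"constructed-tenant-a-journal-key"
    journal: list = []
    append(journal, key, "tenant-a", "alice@example.test", "bob@example.test", "deprovision user u123")
    append(journal, key, "tenant-a", "alice@example.test", "bob@example.test", "revoke token t9")
    append(journal, key, "tenant-a", "carol@example.test", "bob@example.test", "add user u555 to group g1")
    edited = [dict(e) for e in journal]
    edited[1]["action"] = "revoke token t10"  # silent edit of an approved action
    return (verify(journal, key),             # None: intact
            verify(edited, key),              # 1: edited record detected
            verify(journal, b"other-key"),    # 0: wrong tenant key detected at once
            verify(journal[:2], key))         # None: tail truncation is NOT detected
```

The last case is why the page ties stronger verification to the export path: a chain alone cannot show that the newest records were dropped, so the latest MAC has to be anchored outside the journal (for example in the export) for truncation to be detectable.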

Vulnerability Disclosure

If you find an issue, we want to hear about it quickly and professionally.

Responsible Disclosure

Found a vulnerability? Tell us directly and we will investigate it in good faith.

No bug bounty programme currently in operation.

Security Questionnaire

Need buyer-ready answers for procurement or due diligence?

We can provide a concise questionnaire pack so you do not have to piece the story together yourself.

Request the questionnaire pack