Trust & Security
IdentityFirst is built with security at its core — from EV code signing to tamper-evident audit trails. Here is the evidence.
Certifications
Compliance & certifications
We only claim a certification when it has been independently verified. Status is updated on every change.
ISMS established. Gap assessment complete. External audit scheduled for 2026.
Third-party auditor engaged. Controls mapped and evidence collection underway.
NCSC Cyber Essentials Plus certification covering all platform infrastructure.
ICO registered ZC031428. DPA available. Full data subject rights implemented.
Security Architecture
Built on verifiable security primitives
Every security control in IdentityFirst is architectural, not configurational. There are no bypass flags, no debug switches, and no unsigned activation paths.
EV Code Signing
All platform binaries are signed with an Extended Validation certificate held in a DigiCert HSM. Every capability manifest is cryptographically verified before activation. A module that cannot be verified against the EV-signed descriptor cannot load — the platform fails closed, not open.
Immutable Audit Trail
Every action is logged to a tamper-evident HMAC-chained audit store with 7-year retention, suitable for tribunal-defensible evidence. Records are append-only — no API surface permits deletion. Null actor values are rejected at the service layer, so every entry has a verified identity attached.
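The following is an added example, not IdentityFirst's code, of how an HMAC-chained append-only log makes edits and deletions detectable and rejects null actors. The names `AuditChain`, `verify`, `GENESIS`, the record layout and the single shared key are assumptions made for illustration.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # constructed anchor value for the first record

def _mac(key: bytes, prev: str, seq: int, actor: str, action: str) -> str:
    # Canonical JSON so the same fields always serialise to the same bytes.
    body = json.dumps([prev, seq, actor, action], separators=(",", ":"))
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

class AuditChain:
    """Append-only log: each record's MAC also covers the previous record's MAC."""

    def __init__(self, key: bytes):
        self._key = key
        self._records = []  # no update or delete method is exposed

    def append(self, actor, action: str) -> dict:
        # Reject null or blank actors so every entry is attributable.
        if not isinstance(actor, str) or not actor.strip():
            raise ValueError("audit record requires a non-null actor")
        prev = self._records[-1]["mac"] if self._records else GENESIS
        seq = len(self._records)
        rec = {"seq": seq, "actor": actor, "action": action, "prev": prev,
               "mac": _mac(self._key, prev, seq, actor, action)}
        self._records.append(rec)
        return dict(rec)

    def export(self) -> list:
        return [dict(r) for r in self._records]

def verify(key: bytes, records: list, expected_head=None) -> int:
    """Return -1 if intact, else the index of the first record that fails.

    expected_head is the newest MAC, kept outside the log; without it,
    truncation of trailing records is undetectable from the log alone.
    """
    prev = GENESIS
    for i, r in enumerate(records):
        want = _mac(key, prev, i, r["actor"], r["action"])
        if r["seq"] != i or r["prev"] != prev or not hmac.compare_digest(want, r["mac"]):
            return i
        prev = r["mac"]
    if expected_head is not None and prev != expected_head:
        return len(records)  # chain is shorter than, or differs from, the anchored head
    return -1
```

Chaining alone catches modification and mid-log deletion; catching removal of the newest records requires the head MAC to be anchored somewhere the log writer cannot rewrite.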
Zero Trust Architecture
No standing privileges. JIT elevation requires multi-party approval. All writes are human-in-the-loop gated at Core tier and above, with full approval evidence stored in the immutable audit substrate. Per-tenant API keys ensure no cross-tenant data access is architecturally possible.
Data Residency
Your data stays in your region
EU customers are hosted in AWS eu-west-2 (London) by default. US customers are hosted in us-east-1 (N. Virginia). On-premises and air-gapped deployment options give you full infrastructure sovereignty.
SaaS deployment
- UK / EU customers: AWS eu-west-2 (London). Data never leaves the UK.
- US customers: AWS us-east-1 (N. Virginia). Data never crosses the Atlantic.
- Data residency region is selected at contract and locked in the DPA. It cannot be changed without a contract amendment and written customer consent.
- All sub-processors are co-located within the selected AWS region. No data is transferred to third parties in other regions.
On-premises & air-gapped
- IdentityFirst can be deployed entirely within your own data centre. You control the infrastructure; we never host your data.
- Air-gapped deployments are supported for classified and high-security environments. Licence validation uses offline EV-signed manifests — no outbound connectivity is required.
- Suitable for MoD suppliers, Central Government, Police and emergency services deployments under OFFICIAL-SENSITIVE and above.
- Contact security@identityfirst.net to discuss air-gapped deployment requirements.
For full data residency, transfer mechanism, and sub-processor details see Data Protection and Sub-Processors.
Platform Status
Platform security posture
Live operational metrics from the platform API endpoint /v1/platform/trust-summary.
Operational: All services normal • EV code-signing manifest valid • Immutable audit substrate active • Data residency controls enforced
Documentation
Compliance documentation
Everything procurement teams, DPOs and security leads need to evaluate IdentityFirst.
Platform architecture, EV-signed capability manifests, cryptographic manifest verification, immutable audit substrate, data residency options, responsible disclosure.
SOC 2 Type II (in preparation), ISO 27001 roadmap, Cyber Essentials certified, GDPR compliant. Controls summary table and DPA download.
ICO registered (ZC031428), 30-day DSAR SLA, 7-year audit retention, right to erasure, sub-processor list, full data subject rights supported.
SLA targets by deployment mode (SaaS 99.9%, On-Premises 99.5%), incident history, and maintenance window policy.
Full list of third-party processors with data categories, locations and 30-day change notification commitment.
GDPR Article 28-compliant DPA. Download the template or request e-signature via DocuSign.
Responsible Disclosure
Responsible disclosure
We take security research seriously. If you find a vulnerability in IdentityFirst, we want to know — and we commit to a transparent, good-faith response.
Include: affected component, reproduction steps, and your assessment of potential impact. PGP encryption available on request.
Medium and Low findings receive an initial response within 7 days. We request a 90-day coordinated disclosure window before public disclosure.
We do not take legal action against researchers acting in good faith. We acknowledge your contribution in release notes unless you prefer anonymity.
Includes scope, methodology expectations, and safe harbour statement.
Contact
Security contacts
General security questions, penetration test evidence, vendor security questionnaires.
GDPR enquiries, DSARs and data subject rights. ICO registered ZC031428.
Critical: 24h • High: 72h • Medium: 7 days response SLA.
Company Details
Company registration details
Registered in England & Wales
Morpeth, Northumberland, NE65 8JJ, UK
Content is reviewed quarterly. Sub-processor list updated on every change.