Compliance & Certifications

Evidence-first compliance

We will only claim a certification when it has been independently verified. This page reflects the current status of every framework we are working towards — with no embellishment.

Compliance status matrix

Last reviewed:

Framework | Status | Scope | Evidence / notes
Cyber Essentials | Certified | IdentityFirst Ltd corporate infrastructure | Boundary firewalls, secure configuration, access control, malware protection, patch management.
GDPR (UK & EU) | Compliant | SaaS platform and all data processing activities | ICO registered ZC031428. DPA available. Full data subject rights implemented. See GDPR detail page.
UK DSAR | 30-Day SLA | All data subjects whose data we process | Fulfilled via API endpoint /api/tenants/{id}/dsar-request or by contacting dpo@identityfirst.net.
SOC 2 Type II | In Preparation | SaaS platform: Security (CC), Availability (A), Confidentiality (C) Trust Services Criteria | Third-party auditor engaged. Controls mapped and evidence collection underway. Report expected 2026. Available to prospective customers under NDA.
ISO 27001:2022 | Roadmap | IdentityFirst Ltd ISMS scope (full platform + operations) | ISMS established. Gap assessment complete. External certification audit planned H1 2027. Statement of Applicability available under NDA.

SOC 2 Type II — controls summary

IdentityFirst maps its platform controls to the AICPA Trust Services Criteria. The table below shows the 49 canonical controls from the IdentityFirst control library and their SOC 2 mapping status. Formal certification is in preparation (2026).

CC — Common Criteria (Security)

  • CC6: Logical & physical access controls — per-tenant API key isolation, JWT Bearer authentication, RBAC enforced at middleware layer.
  • CC7: System operations — automated SAST, dependency scanning (Trivy), secret scanning (Gitleaks) on every commit.
  • CC8: Change management — all changes require PR review; platform-engineers code ownership enforced via CODEOWNERS.
  • CC9: Risk mitigation — SSRF guards on all outbound webhook connections; atomic rate limiting; fail-closed design throughout.

A — Availability

  • Kubernetes HPA autoscaling: 2–10 replicas with CPU-based scaling.
  • Pod Disruption Budget (minAvailable=1) keeps at least one replica running during voluntary disruptions such as node drains and rolling deployments.
  • Multi-region database replication available for SaaS customers requiring higher availability SLAs.
  • SLA targets: 99.9% monthly uptime for SaaS tier. See Uptime & SLA page.

C — Confidentiality

  • TLS 1.3 enforced for all data in transit. TLS 1.2 and below are disabled.
  • AES-256 encryption at rest for PostgreSQL, Redis and blob storage.
  • Sensitive data redaction middleware strips PII from log output before persistence.
  • AI telemetry is SHA-256 anonymised at the process boundary; raw tenant identifiers never leave the platform.

SOC 2 bridge letter & controls mapping

While our SOC 2 Type II audit is in progress, we can provide a controls mapping document and a bridge letter from our auditor on request, under NDA. This is suitable for enterprise procurement and vendor risk assessment.

ISO 27001:2022 — roadmap

Current position and timeline

  • ISMS (Information Security Management System) established, documented, and operating.
  • Gap assessment completed against ISO 27001:2022 Annex A controls.
  • Statement of Applicability (SoA) drafted and available to prospective customers under NDA.
  • External certification audit by an accredited certification body is planned for H1 2027.
  • All critical and high findings from the gap assessment are tracked to remediation. No open critical gaps remain in the ISMS scope.

Statement of Applicability

Our ISO 27001 Statement of Applicability is available to prospective enterprise customers as part of vendor due diligence. An NDA is required prior to sharing.

GDPR compliance

UK GDPR & EU GDPR

  • IdentityFirst Ltd is registered with the Information Commissioner’s Office (ICO) under registration number ZC031428.
  • We act as data processor for our customers and data controller for our own business operations.
  • All data processing activities have a documented legal basis under UK GDPR Art. 6.
  • A full GDPR compliance record including Records of Processing Activities (RoPA) is maintained and available to our DPO.

Data Processing Agreement

  • A GDPR Article 28-compliant DPA governs all data processing performed by IdentityFirst on behalf of customers.
  • The DPA covers: processing scope, data subject categories, sub-processor obligations, security measures, breach notification (48h), and data subject rights assistance.
  • DPA template available for download or DocuSign e-signature. See section below.
  • Custom DPA terms available for enterprise customers. Contact legal@identityfirst.net.

ICO Registration: ZC031428 (verify at ico.org.uk)

Data Protection Officer: GDPR enquiries, DSARs, data subject rights.

GDPR detail page: data categories, retention periods, sub-processors, right to erasure.

Data Processing Addendum

DPA Template (PDF)

Full GDPR Article 28 DPA including processing scope, data subject categories, security measures, sub-processor schedule, standard contractual clauses and breach notification obligations.

For the full DPA term summary see /trust-centre/dpa. For GDPR data subject rights and DSAR process see /trust-centre/gdpr.