Your data. Handled lawfully.
IdentityFirst is ICO-registered (ZC031428) and built to meet the UK GDPR and EU GDPR. This page explains what data we process, why, and how you exercise your rights.
Processing
Data we process
We process only what is necessary to deliver the IdentityFirst service. We are a data processor for our customers and a data controller for our own business operations.
Identity records
- Employee and contractor account metadata: usernames, display names, email addresses, account status.
- Access entitlements: group memberships, role assignments, privilege levels.
- Service accounts: names, associated systems, privilege classification.
- Sourced from customer-authorised connectors (AD, Entra ID, AWS IAM, Okta, etc.).
Audit logs
- Platform activity: operator identities, timestamps, actions taken, policy decisions.
- Capability activation events: capability ID, tier, signature verification result.
- Approval decisions: operator identity, decision, evidence references.
- HMAC-chained; cannot be altered or deleted once written.
Usage metrics
- Per-tenant usage counters: identity records processed, assessment runs, events received.
- Used for billing, capacity planning and licence metering.
- Telemetry data is anonymised by SHA-256 tenant hash before any aggregation; raw tenant identifiers never leave the process.
- Analytics are consent-gated and privacy-first.
| Data category | Legal basis (UK GDPR Art. 6) | Purpose |
|---|---|---|
| Identity records | Art. 6(1)(b) — Contract performance | Delivering the identity security assessment and monitoring service. |
| Audit logs | Art. 6(1)(c) — Legal obligation | 7-year retention for regulatory and tribunal purposes. |
| Usage metrics | Art. 6(1)(f) — Legitimate interest | Licence metering, billing, service reliability. |
| Contact / account data | Art. 6(1)(b) — Contract performance | Account management, support, product updates. |
Retention
Data retention periods
| Data type | Retention period | Basis |
|---|---|---|
| Identity records (assessment data) | Duration of contract + 30 days | Deleted within 30 days of contract end or on written request. |
| Audit logs | 7 years minimum | Legal obligation. HMAC-protected; cannot be altered once written. |
| Usage metrics | 13 months rolling | Billing verification and legitimate interest. |
| Support correspondence | 3 years | Customer service continuity and dispute resolution. |
| Financial records | 7 years | HMRC / Companies Act legal obligation. |
Rights
Your data subject rights
We support all UK GDPR data subject rights. Requests are responded to within the statutory timeframes.
| Right | What it means | Response time |
|---|---|---|
| Access (DSAR) | Receive a copy of all personal data we hold about you in a structured format. | 30 calendar days |
| Erasure | Deletion of personal data where there is no overriding legal ground for retention. Note: audit logs cannot be erased during the legal retention period. | 5 business days |
| Rectification | Correction of inaccurate personal data held. | 10 business days |
| Portability | Receive your data in a structured, machine-readable JSON format for transfer to another controller. | 30 calendar days |
| Restriction | Restrict processing of your data while a dispute is resolved. | 5 business days to acknowledge |
| Objection | Object to processing based on legitimate interest. We will cease processing unless we can demonstrate compelling grounds. | 30 calendar days |
How to exercise your rights
- Email our DPO at dpo@identityfirst.net.
- Or use the API endpoint
/api/tenants/{id}/dsar-request(requires tenant authentication). - We may need to verify your identity before processing requests. This will not delay the clock beyond what is strictly necessary.
- If you are unsatisfied with our response, you have the right to complain to the ICO at ico.org.uk.
International transfers
- Data is processed in the customer-selected cloud region (AWS, Azure or GCP) at contract time.
- UK and EU customers may elect a UK or EU region; data remains in the selected region by default.
- Where transfers outside the UK or EU are required, Standard Contractual Clauses (SCCs) are used.
- No data is transferred to jurisdictions without an adequacy decision unless SCCs are in place.
Data Protection Officer
Contact our DPO
GDPR enquiries, DSARs, data subject rights requests, DPA negotiation.
Morpeth, Northumberland, NE65 8JJ, UK.
Company No. 16387720.
Registered with the Information Commissioner’s Office under the Data Protection Act 2018.
Our GDPR Article 28-compliant DPA covers processing scope, data subject rights, sub-processors, security measures and breach notification. Download the template or request e-signature.