Your data, handled lawfully
IdentityFirst is ICO-registered (ZC031428) and built to meet UK GDPR and EU GDPR. This page explains what personal data we process, why, how long we keep it, and how you exercise your rights.
What personal data we process and why
We process only what is necessary to deliver the IdentityFirst service. We are a data processor for our customers and a data controller for our own business operations.
Identity records (as data processor)
- Employee and contractor account metadata: usernames, display names, email addresses, account status and last logon time.
- Access entitlements: group memberships, role assignments, privilege classifications (Tier-0, Tier-1, Tier-2).
- Service accounts: names, associated systems, privilege level.
- Sourced exclusively from customer-authorised connectors (AD, Entra ID, AWS IAM, Okta, etc.).
Audit and activity logs (as data processor)
- Platform activity: authenticated operator identities, timestamps, actions taken, policy decisions.
- Capability activation: capability ID, tier, EV signature verification result, module hash.
- Approval decisions: operator identity, decision outcome, evidence reference.
- HMAC-chained: each record's MAC covers the previous record's MAC, so any later alteration or deletion of a record breaks the chain and is detected on verification.
Usage and billing data (as data controller)
- Per-tenant usage counters: identity records processed, assessment runs completed, events received.
- Used for licence metering, billing, and capacity planning.
- Tenant identifiers in AI telemetry are replaced by a SHA-256 hash at the process boundary; raw tenant identifiers never leave the platform.
- Analytics are consent-gated and privacy-first.
Account and contact data (as data controller)
- Name and business email address of customer contacts, administrators, and support users.
- Company name, billing address, and payment reference (payment card data is not stored — Stripe handles payment processing).
- Support correspondence and customer service records.
| Data category | Legal basis (UK GDPR Art. 6) | Purpose |
|---|---|---|
| Identity records | Art. 6(1)(b) — Contract performance | Delivering the identity security assessment and monitoring service contracted by the customer. |
| Audit logs | Art. 6(1)(c) — Legal obligation | 7-year minimum retention for regulatory, governance, and tribunal evidence purposes. |
| Usage metrics | Art. 6(1)(f) — Legitimate interest | Licence metering, billing verification, and service reliability planning. |
| Account & contact data | Art. 6(1)(b) — Contract performance | Account management, support, and product updates. |
Data retention periods
| Data category | Retention period | Basis and notes |
|---|---|---|
| Identity records (assessment data) | Contract duration + 30 days | Deleted within 30 days of contract end; earlier deletion is available on written request. |
| Immutable audit logs | 7 years minimum | Legal obligation (Art. 6(1)(c)). The HMAC chain makes any alteration or deletion of a record after it is written detectable. Cannot be deleted during the retention period; see Right to Erasure below. |
| Usage and billing metrics | 13 months rolling | Billing verification, dispute resolution, legitimate interest. |
| Support correspondence | 3 years | Customer service continuity and dispute resolution. |
| Financial and invoice records | 7 years | HMRC / Companies Act 2006 legal obligation. |
| Account and contact data | Duration of relationship + 2 years | Retained for 2 years after contract end to support any post-contract queries or disputes. |
Data Subject Access Request (DSAR) process
We respond to all DSARs within one month (30 calendar days), as required by UK GDPR Art. 12(3).
How to submit a DSAR
- Email our DPO at dpo@identityfirst.net with the subject line “DSAR Request”.
- Alternatively, authenticated tenants may submit via the API endpoint POST /api/tenants/{id}/dsar-request. The response is a structured JSON export of all personal data held for that tenant.
- Include your full name, email address, and a description of the data you are requesting access to. We may ask for proof of identity if we cannot verify your request from the information provided.
- Identity verification will not be used to delay the 30-day response beyond what is necessary.
What you receive
- A structured copy of all personal data we hold about you, in JSON format.
- A description of the purposes for which each category of data is processed.
- The retention period applicable to each data category.
- Information on any third parties (sub-processors) to whom your data has been disclosed.
- A reference to our ICO registration (ZC031428) and your right to complain to the ICO.
Right to erasure
What can be deleted
- Identity records (assessment data): deleted within 5 business days of a valid erasure request.
- Account and contact data: deleted within 5 business days, subject to any ongoing contractual relationship.
- Usage and billing metrics: anonymised within 5 business days; raw records deleted at the end of the 13-month rolling period.
- Support correspondence: deleted within 5 business days unless required for ongoing dispute resolution.
What cannot be deleted
- Immutable audit logs cannot be erased during the 7-year legal retention period. The legal basis for their retention is Art. 6(1)(c) (legal obligation), which takes precedence over the right to erasure under Art. 17(3)(b).
- The audit log is HMAC-chained: every record's MAC incorporates the previous record's MAC, so removing one record breaks verification of every record written after it. Selective deletion therefore cannot be performed without invalidating the remainder of the log. This design is intentional and governance-defensible.
- Financial records cannot be deleted during the 7-year HMRC retention period.
- Where erasure cannot be fulfilled in full, we will provide a written explanation specifying which data is retained, the legal basis, and when it will be deleted.
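The following is an added illustration of why an HMAC-chained log behaves as described above (a tampered or deleted record breaks verification of everything after it). It is example code written for this page, not IdentityFirst's implementation; the record fields, the demo key, and the helper names are constructed for the example. It also shows the one case a chain alone does not catch, truncation of the newest records, and how anchoring the chain head externally closes that gap.

```python
import copy
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key. A real deployment keeps the key in an HSM/KMS and never in source.
DEMO_KEY = b"demo-audit-chain-key-not-for-production"
GENESIS = "00" * 32  # "previous MAC" used for the very first record


def canonical(record: dict) -> bytes:
    """Deterministic serialisation: the same record must always MAC to the same value."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def link_mac(key: bytes, prev_mac: str, record: dict) -> str:
    """MAC over (previous link's MAC || this record). Binding prev_mac is what makes it a chain."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    mac.update(bytes.fromhex(prev_mac))
    mac.update(canonical(record))
    return mac.hexdigest()


def append(log: list, key: bytes, record: dict) -> str:
    """Append a record and return the new chain head (this entry's MAC)."""
    prev = log[-1]["mac"] if log else GENESIS
    entry = {"record": record, "prev": prev, "mac": link_mac(key, prev, record)}
    log.append(entry)
    return entry["mac"]


def verify(log: list, key: bytes, expected_head: Optional[str] = None) -> tuple[bool, Optional[int]]:
    """Walk the chain from genesis. Returns (ok, index of first bad link).

    If expected_head (a chain head published or stored outside the log) is given,
    a log that verifies but ends on a different head is reported as bad at index len(log).
    """
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev:  # a record between i-1 and i was removed or reordered
            return False, i
        if not hmac.compare_digest(entry["mac"], link_mac(key, prev, entry["record"])):
            return False, i  # record i was altered, or the wrong key is in use
        prev = entry["mac"]
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return False, len(log)  # newest records were truncated
    return True, None


def sample_log(key: bytes = DEMO_KEY) -> list:
    """Constructed sample records modelled on the audit categories listed on this page."""
    log: list = []
    records = [
        {"ts": "2025-01-10T09:00:00Z", "operator": "ops-alice", "action": "approve", "evidence": "ev-1001"},
        {"ts": "2025-01-10T09:05:00Z", "operator": "ops-bob", "action": "activate", "capability": "cap-7", "tier": "Tier-1"},
        {"ts": "2025-01-10T09:09:00Z", "operator": "ops-alice", "action": "deny", "evidence": "ev-1002"},
    ]
    for r in records:
        append(log, key, r)
    return log


def tamper_middle(log: list) -> tuple[bool, Optional[int]]:
    """Edit a field in record 1 after the fact: its MAC no longer matches."""
    bad = copy.deepcopy(log)
    bad[1]["record"]["tier"] = "Tier-0"
    return verify(bad, DEMO_KEY)


def delete_middle(log: list) -> tuple[bool, Optional[int]]:
    """Remove record 1: the old record 2 now points at a MAC that is not its predecessor's."""
    bad = copy.deepcopy(log)
    del bad[1]
    return verify(bad, DEMO_KEY)


def truncate_tail(log: list, head: str):
    """Drop the newest record: the bare chain still verifies; the anchored head catches it."""
    bad = copy.deepcopy(log)
    del bad[-1]
    return verify(bad, DEMO_KEY), verify(bad, DEMO_KEY, expected_head=head)


if __name__ == "__main__":
    log = sample_log()
    head = log[-1]["mac"]
    print("intact:", verify(log, DEMO_KEY))
    print("tampered record:", tamper_middle(log))
    print("deleted record:", delete_middle(log))
    print("truncated tail (chain only, chain + anchored head):", truncate_tail(log, head))
```

Two properties follow from the code rather than from the policy text: the chain is tamper-evident, not tamper-proof, since whoever holds the MAC key can recompute every link, so the verification key should be held by a party other than the log writer; and deletion of the newest records is only detected when the current chain head is recorded somewhere the writer cannot change, which is what the expected_head check stands in for.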
Send erasure requests to dpo@identityfirst.net with the subject line “Right to Erasure Request”. We respond within 5 business days.
If you are unsatisfied with our response you have the right to complain to the ICO at ico.org.uk.
All data subject rights
| Right | Description | Response time |
|---|---|---|
| Access (DSAR) | Receive a structured copy of all personal data held about you, including processing purposes, retention periods, and third-party disclosures. | 30 calendar days |
| Erasure (“right to be forgotten”) | Deletion of personal data where no overriding legal ground for retention exists. Audit logs and financial records are exempt during their statutory retention periods. | 5 business days |
| Rectification | Correction of inaccurate personal data. We will also notify any sub-processor to whom the inaccurate data was disclosed. | 10 business days |
| Portability | Receive your data in structured, machine-readable JSON format for transfer to another controller. | 30 calendar days |
| Restriction | Restrict processing of your data while a dispute is resolved. Data is flagged and processing is paused within 5 business days of acknowledgement. | 5 business days to acknowledge |
| Objection | Object to processing based on legitimate interest. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests. | 30 calendar days |
Sub-processor disclosure
How we use sub-processors
- We only engage sub-processors that have signed GDPR Article 28 Data Processing Agreements with us.
- Sub-processors are reviewed for security posture, data protection practices, and applicable certifications before onboarding.
- We notify customers at least 30 days before adding or changing any sub-processor.
- Customers who have executed a DPA have the right to object to a new sub-processor within the 30-day notice window.
The complete list of our sub-processors, including each one's purpose, data categories, and geographic location, is maintained on a dedicated page and updated quarterly and on every change.
Data Processing Addendum (DPA)
GDPR Article 28 requires a written agreement between you (the data controller) and IdentityFirst (the data processor). Without a signed DPA, you cannot lawfully use IdentityFirst to process personal data.
The full DPA covers: processing scope and nature, data subject categories, duration, security measures, the sub-processor schedule, breach notification obligations (48 hours), and standard contractual clauses for international transfers.
For the full DPA term summary and DocuSign e-signature flow, see /trust-centre/dpa.
Data Protection Officer
Contact the DPO at dpo@identityfirst.net for GDPR enquiries, DSARs, data subject rights, sub-processor objections, and DPA negotiation.
Morpeth, Northumberland, NE65 8JJ, UK.
Company No. 16387720.
Registered with the Information Commissioner’s Office under the Data Protection Act 2018.