Do we need to be an ACSP?

No. TrustRegister orchestrates the identity verification process and integrates with your chosen ACSP or IDV provider, as well as GOV.UK One Login. We handle the workflow, evidence collection, and retention.

What data do you store?

We store verification metadata, evidence packs, and audit logs. We do NOT store biometric data, copies of identity documents, or personal information beyond what's needed for compliance tracking.

How long do you keep evidence?

Evidence packs are retained for 7 years as required by Companies House regulations. After this period, data is securely deleted unless you have specific legal requirements for longer retention.

Are you affiliated with Companies House?

No. TrustRegister is an independent software provider. We orchestrate compliance with Companies House identity verification requirements but are not affiliated with or endorsed by Companies House.

Data Processing Agreement

Name: TrustRegister Identity Verification Platform
Brand: TrustRegister

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Customer") and TrustRegister Limited ("TrustRegister") and governs the processing of personal data under the General Data Protection Regulation (GDPR) and applicable UK data protection laws.

2. Definitions

Customer Data: Personal data that Customer submits, uploads, or processes through the Service
Verification Data: Personal data collected during identity verification processes
Evidence Packs: Cryptographically signed documents containing verification outcomes and audit trails
Sub-processor: Third-party service providers engaged by TrustRegister to assist in providing the Service

3. Data Controller Roles

Customer as Controller

Customer acts as data controller for:

Company and officer data imported to the Service
Invitation and communication data
User account and access management data
Decisions regarding verification requirements

TrustRegister as Processor

TrustRegister acts as data processor for Customer Data, processing it solely to provide the Service as instructed by Customer.

Joint Controllers

Customer and TrustRegister act as joint controllers for:

Evidence pack generation and content
7-year retention of verification evidence
Audit trail maintenance and integrity

4. Processing Details

Categories of Data

• Company registration details
• Director and PSC information
• Contact information
• Verification status and outcomes
• Communication logs
• System audit trails

Data Subjects

• Company directors
• Persons with significant control (PSCs)
• Customer employees and users
• Authorized representatives
• Identity verification participants

Processing Purposes

Facilitating Companies House identity verification compliance
Orchestrating verification workflows and communications
Generating and maintaining audit-grade evidence
Providing compliance reporting and status tracking
Ensuring 7-year evidence retention requirements

5. Legal Basis

Primary Legal Bases

Legitimate Interest: Compliance with Companies House regulations
Legal Obligation: Identity verification requirements under company law
Contract: Provision of verification orchestration services

6. Security Measures

Technical Safeguards

End-to-end encryption (TLS 1.3 in transit, AES-256 at rest)
Multi-factor authentication for all user accounts
Role-based access controls with principle of least privilege
Regular security assessments and penetration testing
Automated backup and disaster recovery procedures
Network segregation and monitoring

Organizational Measures

Staff security training and background checks
Incident response and breach notification procedures
Regular security policy reviews and updates
Third-party security assessments and certifications
Data minimization and retention policies

7. Data Subject Rights

TrustRegister will assist Customer in responding to data subject requests, including:

Access Requests

Provide data subject access to their personal data within the Service

Rectification

Correct inaccurate or incomplete personal data when technically feasible

Erasure

Delete personal data where legally required and technically possible

Portability

Export data in structured, machine-readable formats where applicable

Important Note on Evidence Packs

Evidence packs cannot be modified or deleted during the 7-year retention period due to regulatory requirements and cryptographic signing. This ensures audit integrity and compliance with Companies House obligations.

8. Data Transfers

UK/EU Processing

All personal data is processed and stored exclusively within the UK and EU. No data transfers to third countries occur without adequate safeguards.

Sub-processors

Current sub-processors are listed in our Sub-processor Register. We provide 30 days notice before engaging new sub-processors.

9. Data Retention

Retention Periods

Evidence Packs: 7 years (regulatory requirement)
Audit Logs: 7 years (compliance requirement)
Customer Data: Duration of service + 30 days
Communication Logs: 3 years (business need)
System Logs: 12 months (operational requirement)

10. Incident Management

Breach Notification

TrustRegister will notify Customer of any personal data breach within 24 hours of becoming aware, providing:

Description of the breach and data involved
Likely consequences and potential impact
Measures taken or proposed to address the breach
Contact details for further information

11. Audits and Compliance

Customer may conduct audits of TrustRegister's data protection practices:

Annual audit rights with 30 days advance notice
Access to relevant policies, procedures, and certifications
Third-party audit reports available upon request
Reasonable cooperation with regulatory investigations

12. Termination

Upon termination of services:

Customer Data will be returned or deleted within 30 days
Evidence Packs will be retained for the full 7-year period
Customer may request certified deletion confirmation
Sub-processor arrangements will be terminated where appropriate

Contact Information

Data Protection Officer:

dpo@trustregister.co.uk

+44 (0)20 1234 5678

Legal & Compliance:

legal@trustregister.co.uk

TrustRegister Limited

123 Compliance Street, London SW1A 0AA