Do we need to be an ACSP?

No. TrustRegister orchestrates the identity verification process and integrates with your chosen ACSP or IDV provider, as well as GOV.UK One Login. We handle the workflow, evidence collection, and retention.

What data do you store?

We store verification metadata, evidence packs, and audit logs. We do NOT store biometric data, copies of identity documents, or personal information beyond what's needed for compliance tracking.

How long do you keep evidence?

Evidence packs are retained for 7 years as required by Companies House regulations. After this period, data is securely deleted unless you have specific legal requirements for longer retention.

Are you affiliated with Companies House?

No. TrustRegister is an independent software provider. We orchestrate compliance with Companies House identity verification requirements but are not affiliated with or endorsed by Companies House.

Enterprise-grade security & compliance

Name: TrustRegister Identity Verification Platform
Brand: TrustRegister

Your data and your clients' data deserves the highest level of protection. We've built security and compliance into every aspect of TrustRegister.

Explore Security Security Overview (PDF)

Security architecture

End-to-End Encryption

All data encrypted in transit (TLS 1.3) and at rest (AES-256). Keys managed with HSM.

TLS 1.3 for all connections
AES-256 encryption at rest
Hardware Security Modules (HSM)
Key rotation every 90 days

UK/EU Data Hosting

Data hosted exclusively in UK and EU data centers with ISO 27001 certification.

Primary: London (AWS eu-west-2)
Secondary: Frankfurt (AWS eu-central-1)
ISO 27001 certified facilities
SOC 2 Type II compliance

Access Controls

Role-based access with multi-factor authentication and audit logging.

Role-based permissions (RBAC)
Multi-factor authentication (MFA)
Single sign-on (SSO) support
Complete access audit trails

Monitoring & Logging

24/7 security monitoring with comprehensive audit trails and alerting.

Real-time threat monitoring
Comprehensive audit logging
Automated security alerts
Incident response procedures

Data Integrity

Cryptographic hashing and immutable logs ensure evidence cannot be tampered with.

SHA-256 cryptographic hashing
Immutable evidence logs
Blockchain-style integrity checks
Tamper-evident evidence packs

Compliance Framework

Built for regulatory compliance with comprehensive documentation and controls.

GDPR compliance by design
Data Processing Agreements (DPA)
Right to be forgotten support
Regular compliance audits

Secure data flow

Data Ingestion

Client data imported via encrypted API or secure file upload

Processing

Data processed in secure, isolated environments with audit logging

Verification

Secure routing to verification providers with minimal data exposure

Evidence Creation

Cryptographically signed evidence packs generated and stored

Retention

Secure 7-year retention with automated deletion and audit trails

Compliance & certifications

Cyber Essentials Plus

UK government cybersecurity certification

Target: Q2 2025

In Progress

ISO 27001

International information security management

Target: Q3 2025

In Progress

SOC 2 Type II

Service organization controls audit

Target: Q4 2025

Planned

GDPR Compliance

General Data Protection Regulation

Target: Current

Complete

Infrastructure & hosting

AWS Infrastructure

Hosted on Amazon Web Services with 99.99% uptime SLA and automatic failover

Data Residency

All data stored in UK/EU data centers with no cross-border transfers

Backup & Recovery

Daily encrypted backups with 4-hour Recovery Time Objective (RTO)

Data protection & privacy

What we collect

• Company and officer names (from Companies House)
• Email addresses and phone numbers for invitations
• Verification status and completion timestamps
• Audit logs and evidence metadata

What we DON'T collect

• Biometric data or identity documents
• Personal details beyond verification needs
• Financial or sensitive personal information
• Data unrelated to identity verification

Data Controller vs Processor: For verification invitations, you remain the data controller and we act as a processor. For evidence retention, we act as joint controllers to ensure compliance with Companies House requirements.

Questions about our security?

Our security team is happy to answer any questions about our security posture, compliance, or data protection practices.

Contact Security Team Download Security Overview