PASSID Ltd ("PASSID", "we", "us") provides credential verification infrastructure for financial institutions. PASSID is registered in England & Wales. Our data protection contact is security@passid.io.
PASSID is designed to minimise personal data handling. We process:
We rely on contract performance for processing necessary to deliver verification services; legitimate interests for security monitoring and fraud prevention; and consent for marketing communications (opt-in only).
By default, PASSID verifier responses are designed around verified claims (e.g. "income_above_£2000") rather than raw transaction feeds. Proof metadata and credential signatures help institutions check claim integrity without receiving underlying statements.
Credential metadata is retained for 7 years for audit purposes (AML / FCA requirement). Verification event logs are retained for 5 years. Raw source financial data is deleted within 60 seconds of credential issuance. Contact data is retained while the institution account is active, plus 3 years.
Under GDPR and UK GDPR, you have the right to access, rectify, erase, restrict, and port your personal data. You also have the right to object to processing and to withdraw consent. Submit requests to security@passid.io. We respond within 30 days.
Data is processed in the UK and EU. For transfers outside these regions, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission and the UK ICO.
AES-256 at rest. TLS 1.3 in transit. Annual SOC 2-aligned controls audit. Penetration testing twice yearly. Access controls with least-privilege enforcement. Incident response plan tested quarterly.
See our Cookies Policy for details on the cookies we use on this website.
For any privacy question or data subject request, contact security@passid.io or write to PASSID Ltd, 20 Farringdon Road, London EC1M 3HE.