PASSID Ltd ("PASSID", "we", "us") provides credential verification infrastructure for financial institutions. Registered in England & Wales. Our data protection contact is security@passid.io.
PASSID is designed to minimise personal data handling. We process:
We rely on contract performance for processing necessary to deliver verification services; legitimate interests for security monitoring and fraud prevention; and consent for marketing communications (opt-in only).
By default, PASSID transmits verified claims (e.g. "income_above_£2000") rather than raw data. Groth16 zero-knowledge proofs (ZKPs) allow mathematical proof of financial thresholds without revealing the underlying transactions. This is a core architectural commitment, not a feature flag.
Credential metadata is retained for 7 years for audit purposes (AML / FCA requirement). Verification event logs are retained for 5 years. Raw open banking data is deleted within 60 seconds of credential issuance. Contact data is retained while the institution account is active, plus 3 years.
Under GDPR and UK GDPR, you have the right to access, rectify, erase, restrict, and port your personal data. You also have the right to object to processing and to withdraw consent. Submit requests to security@passid.io. We respond within 30 days.
Data is processed in the UK and EU. For transfers outside these regions, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission and UK ICO.
Data is encrypted with AES-256 at rest and TLS 1.3 in transit. We undergo an annual SOC 2 Type II audit and penetration testing twice yearly. Access controls enforce least privilege. Our incident response plan is tested quarterly.
See our Cookies Policy for details on the cookies we use on this website.
For any privacy question or data subject request, contact security@passid.io or write to PASSID Ltd, 20 Farringdon Road, London EC1M 3HE.