TDS Risk
Security & Compliance

Built compliant.
Not patched compliant.

GDPR compliance, carrier approval, role separation, and cryptographic audit trails aren't features we added — they're the architecture. Every check is compliant by design, not by policy document.

ICO Registered: Reg. ZB300553
Companies House: Co. No. 13855926
Carrier Pre-Approved: All 4 UK networks
Does not affect credit files. TDS Risk checks are carrier-derived signal checks only. They do not constitute a credit search, leave no footprint on any credit file, and are used solely for fraud prevention and identity verification.
Audit Record — every check (Signed & frozen)
Timestamp: 2026-03-17T14:22:01Z
LeadReference: my-ref-001
RequestId: TDSR-4421-abc123
PolicyVersion: v1.0
MaterialChange: None
LegalBasis: legitimate_interest
DeclaredUseCase: lead_validation
DataController: Your Business Ltd
Processor: The Data Supermarket Ltd
LastPolicyScan: 2026-03-17T13:58:09Z
NextPolicyScan: 2026-03-18T13:58:09Z
PolicyHash: SHA-256 · 7fd0e2a9…
OutputFrozen: Yes
Re-execution: No
RiskRecall: Available
Signature: SHA-256 · 8252bc1c…

GDPR role separation

Three parties. Three distinct roles. Clean separation.

One of the most common compliance failures in identity verification is unclear role attribution. TDS Risk makes this explicit on every single check — and preserves it permanently in the audit record.

Data Controller: Your Business
You determine the purpose and legal basis for processing. TDS Risk generates your GDPR-compliant privacy policy wording and consent statement automatically — scoped to your declared use case.
- You declare the legal basis per API key
- You declare the use case per API key
- Your privacy policy URL is scanned daily
- Your compliance wording is generated for you

Data Processor: TDS Risk
We process data strictly on your behalf, within the scope of your declared use case and legal basis. Every check is linked to the exact policy version in force at the time of processing.
- Processes only within declared scope
- Produces signed audit record per check
- Daily policy compliance monitoring
- DPA available on request

Signal Providers: Mobile Networks
Vodafone, EE, O2, and Three are signal providers only. They are not data controllers or processors in this context. Signal provision operates within TDS Risk's pre-approved carrier intermediary framework.
- Pre-approved intermediary framework
- All 4 UK carriers covered
- No separate carrier agreements needed
- Role recorded in every audit trail

GDPR Article 6

Supported legal bases

When you create an API key, you declare your legal basis for processing. TDS Risk validates that the declared basis is appropriate for your use case and generates compliant consent wording accordingly.

Art. 6(1)(f): Legitimate Interest (Most used)
Most common for fraud prevention. Fraud screening is a recognised legitimate interest under UK GDPR.

Art. 6(1)(b): Contract Performance (KYC journeys)
Where identity verification is necessary to perform a contract with the data subject.

Art. 6(1)(c): Legal Obligation
Where processing is required to comply with a legal obligation — e.g. AML, KYC regulatory requirements.

Art. 6(1)(a): Consent
Where explicit consent has been obtained. TDS Risk generates the compliant consent statement for your use case.

Automated compliance flow

Policy enforcement — how it works

01. You declare legal basis & use case
At API key creation. Validated automatically — TDS Risk checks that the declared basis is appropriate for the declared use case.

02. Compliance wording generated
GDPR-compliant privacy policy clause and consent statement generated for your specific use case. Copy and paste into your privacy policy.

03. Policy URL submitted & verified
Paste your privacy policy URL. TDS Risk scans and verifies that the required disclosures are present. API key is activated on pass.

04. Daily automated scanning
Your policy URL is scanned every 24 hours. If required disclosures are removed or materially changed, re-verification is triggered. Access suspended if not resolved.

05. Every check linked to policy version
Each check is permanently linked to the exact policy version in force at the time of processing. Immutable. Cannot be retroactively modified.

Security

How your data is protected

Encryption in transit
All API communications use TLS 1.2 or higher. No plain HTTP connections are accepted. API keys are transmitted via header, never in query strings.
TLS 1.2+ · HTTPS enforced · HSTS enabled

API key authentication
Each customer receives a unique sub-client ID. Keys are scoped to declared use case and legal basis at creation. Keys can be revoked instantly from the dashboard.
pf-subClientId header · Scoped permissions

Cryptographic audit signatures
Every audit record is SHA-256 signed at the time of check creation. Signatures are immutable — any tampering is detectable. Permanent reference links are provided per check.
SHA-256 · Immutable · Permanent reference

Infrastructure isolation
Carrier signal queries are isolated per customer request. No cross-customer data sharing. Each request is independently processed and audited.
Request isolation · No cross-customer exposure

Data minimisation
Only the data necessary to perform the requested check is processed. Phone numbers and identity data are not stored beyond what is required for the audit record.
UK GDPR Article 5(1)(c) compliant

Rate limiting & abuse prevention
API rate limits are enforced per key. Unusual query patterns trigger automated review. Abuse or misuse of carrier signals is actively monitored and access can be suspended immediately.
Per-key rate limits · Automated monitoring

Regulatory readiness

Audit-ready for regulators

Regulator / Framework | What TDS Risk provides | Ready?
ICO (UK GDPR) | Immutable audit trail per check, role separation documentation, legal basis recorded, policy version linked. DPA available on request.
FCA | Signed audit records with declared use case, legal basis, and policy version. Risk recall available. Supports Consumer Duty evidence requirements.
FOS (Financial Ombudsman) | Every check produces a permanent, downloadable audit snapshot. Request ID, timestamp, output frozen at check time — fully reviewable by FOS if required.
AML / KYC frameworks | Mobile KYC returns carrier-verified identity match scores. Supports enhanced due diligence workflows. Legal basis recording supports AML compliance documentation.
UK GDPR Article 5 | Data minimisation enforced. Purpose limitation enforced at API key level. Storage limitation applied. Accuracy maintained via live carrier queries.
UK GDPR Article 30 | Processing records maintained. Role separation documented. Legal bases recorded. Available for ICO inspection on request.

Data Processing Agreement

A Data Processing Agreement (DPA) is available for all TDS Risk customers. The DPA covers the terms under which The Data Supermarket Ltd processes personal data on behalf of the customer as a Data Processor under UK GDPR Article 28.

For most customers, the standard DPA covers all requirements. Enterprise customers with specific requirements can request a reviewed version.

Registration details
Company
The Data Supermarket Ltd
Registered in England & Wales
Company No. 13855926
ICO Registration
Information Commissioner's Office
Registration No. ZB300553
Carrier Status
Pre-approved intermediary
Vodafone · EE · O2 · Three
Believed to be the only company in the UK with this status

Questions about security or compliance?

We're happy to answer procurement questionnaires, provide documentation, or discuss specific compliance requirements with your legal or infosec team.
