TDS Risk
Products
Trust Score — £0.35/check Mobile KYC — £0.45/check
Use cases
Consumer Lending Lead buying Insurance Lead Generation Account Creation Online Gambling Betting Affiliate Networks Payments Fintech
Developers
Getting Started Reason Codes Rule Studio Postman Collection Changelog System Status
Company
Pricing About Us Enterprise Contact Case Studies ROI Calculator Security & Compliance FAQ Trust Centre Sign up free →
Trust Centre

Every control, every policy,
every incident — public.

Procurement, InfoSec, and legal don't need to file a request. This page is live. If something changes, it changes here first — not in a PDF six weeks later.

Download documents Report a vulnerability Updated in real time · last refresh: now
SYSTEM
Operational
All 4 UK carriers live
UPTIME · 90d
99.98%
vs 99.9% SLA target
P95 LATENCY
1.35s
vs <2s target
OPEN INCIDENTS
0
last incident: 41 days ago
What's here

Everything a procurement team asks for.

Jump to the section you need. Nothing gated, nothing behind an NDA.

🛡

Certifications & registrations

ICO, FCA, UK GDPR, and the regulator posture we operate under.

View →
🔐

Security controls

Access, data handling, transport, storage, availability, and governance.

View →
🌐

Sub-processors

Every third party that touches your data, with purpose and region.

View →

Incident history

Every production incident in the last 12 months. Resolution times included.

View →
📄

Documents & policies

DPA template, security questionnaire, pen-test summary, retention policy.

View →

Vulnerability disclosure

How to report a security issue and what to expect in response.

View →
Certifications & registrations

Regulatory posture.

We operate under UK GDPR. Registered with the ICO. Aligned with FCA Consumer Duty. What you see is what we file.

🏛

ICO Registration

ZB300553
Active

UK GDPR

Full alignment
Compliant
📋

FCA Consumer Duty

Ready · signed audit
Aligned
🔒

ISO 27001

Audit in progress
Q3 2026
Security controls

The full control set.

Nothing you'll read here is aspirational. Every control listed is live in production.

Access & identity

2FA enforced on all console logins
Role-based access per workspace
Scoped API keys per use case
Optional IP whitelisting per key
Sandbox / production isolation

Data handling

All processing within the UK
No transfers outside UK jurisdiction
Configurable retention policies
Verifiable deletion on request
No data sold, ever

Transport & storage

TLS 1.2+ on every endpoint
AES-256 at rest
Secrets in managed KMS
No PII in URLs or query strings
Secrets never logged server-side

Audit & traceability

Unique ID on every request
Full payload retained and queryable
Cryptographically signed snapshots
Immutable check history
Export on demand

Availability

24/7 monitoring and alerting
Public status & incident history
Rate-limit headers on every response
Graceful degradation on upstream load
Retry-safe handling (shipping Q2 2026)

Governance

Named DPO and InfoSec lead
Quarterly internal security review
Annual external pen test
Change management log
Vendor risk assessment process
Sub-processors

Every vendor that touches your data.

Complete list. Purpose, region, and when they started processing. We email DPO contacts 30 days before adding a new sub-processor.

Sub-processor
Purpose
Region
Since
AWS (eu-west-2)
Primary hosting, compute, storage
UK (London)
2022-11
Cloudflare
DDoS protection, edge TLS termination
Global · UK edge
2022-11
Vodafone Group
Carrier data provider (approved intermediary)
UK
2023-02
EE / BT Group
Carrier data provider (approved intermediary)
UK
2023-03
Virgin Media O2
Carrier data provider (approved intermediary)
UK
2023-04
Three UK
Carrier data provider (approved intermediary)
UK
2023-06
Prove Identity Ltd
Carrier data provider (approved intermediary)
UK
2023-06
PayPal
Payment processing (no card data stored by TDS)
UK / EU
2023-01
Postmark
Transactional email (receipts, API alerts)
US · EU fallback
2023-01
Incident history

Every production incident, last 12 months.

We publish every incident, not just the breaches. If the API was degraded for 4 minutes, it's here.

incident_log · rolling_12m NO OPEN INCIDENTS
2026-03-08
Elevated p95 latency — EE carrier
EE upstream added ~600ms to affected requests. No data loss. Resolved after carrier rerouting.
18 min to detect
42 min resolve
DEGRADED
2026-01-24
Dashboard sign-in failing for SSO users
IdP config drift after scheduled maintenance. API traffic unaffected. Standard users unaffected.
7 min to detect
23 min resolve
DEGRADED
2025-11-12
Scheduled maintenance — sandbox only
Pre-announced sandbox upgrade. Production API unaffected. Completed inside announced window.
planned
45 min window
MAINTENANCE
2025-09-03
Intermittent webhook delivery delay
Queue backpressure from a single tenant's webhook endpoint. Affected tenant only. Synchronous API unaffected.
11 min to detect
34 min resolve
RESOLVED
No P1 incidents in the last 12 months. Zero unauthorised access. Zero data loss. Zero breaches reportable to the ICO.
Documents & policies

Download what you need.

No sales gate. Procurement can grab everything they need without creating an account.

📄
Data Processing Agreement (DPA)
Standard UK GDPR-compliant template
PDF · v2.4
🛡
Security Questionnaire (SIG-Lite)
Completed, ready for InfoSec review
XLSX · Q1 '26
🔍
Pen-test summary
Annual external security assessment
PDF · 2025
📋
Data retention & deletion policy
How long we keep data, when we delete it
PDF · v1.8
Privacy Policy
What we collect, why, and your rights
HTML
📜
Terms of Service
Commercial terms and acceptable use
HTML
🏛
ICO Certificate
Registration ZB300553 confirmation
PDF
Vulnerability disclosure

Found something?

We take security reports seriously. Email security@tdsrisk.com with details. We acknowledge within one UK business day and keep you informed through triage, remediation, and disclosure.

Report a vulnerability Read disclosure policy