SureCert Platform Privacy Notice

1. Scope of this Privacy Notice

Organisations (customers)

The organisation that uses the SureCert platform to request checks (the Organisation) is the data controller. The Organisation decides:

why checks are carried out;
which checks are required; and
how the results are used.

SureCert

SureCert acts as a data processor, processing personal data on behalf of the Organisation to provide and operate the platform.

SureCert does not determine the lawful basis for checks and does not decide whether a check is appropriate for a particular individual.

2. Who we are

The SureCert platform is operated by:

Legal entity: CDS New Ventures t/a SureCert

Registered address: Northern Ireland Science Park, Queen’s Road, Belfast, BT3 9DT, Northern Ireland

Support contact: support@surecert.com

Data Protection Officer: dpo@surecert.com

3. Roles and responsibilities

Organisations (customers)

The organisation that uses the SureCert platform to request background checks and verifications (the Organisation) is the data controller for personal data processed in connection with those checks.

The Organisation determines:

why checks are carried out;
which checks are requested; and
how check results are used.

SureCert

In most cases, SureCert acts as a data processor, processing personal data on behalf of the Organisation to provide and operate the platform and related Services.

In limited circumstances, SureCert may act as an independent data controller where it processes certain technical characteristics of documents or submissions for its own internal purposes, such as:

improving the efficiency, security, or cost-effectiveness of the Services; or
optimising routing of checks to appropriate providers.

This limited processing:

does not involve identifying individuals;
does not involve making decisions about individuals; and
does not affect the outcome of checks relating to a Client.

SureCert does not determine whether checks are lawful or appropriate for a particular individual.

4. Personal data we process

4.1 Platform Users (Organisation representatives)

We process the following data about Users who access the platform on behalf of an Organisation:

name;
work email address;
organisation name;
job title (if provided);
account status and training or vetting information.

We also generate limited technical data such as login timestamps and IP addresses in system logs for security and operational purposes.

4.2 Clients (invited individuals)

Clients are individuals invited by an Organisation to participate in checks.

Base profile information

name;
date of birth;
email address;
current address.

Check-specific information (varies by check)

Depending on the checks requested, this may include:

identity documents (such as passports or driving licences);
facial images or selfies submitted for identity verification;
address history;
identity verification results;
right-to-work results;
KYC outcomes;
criminal record information (via third-party providers);
adverse financial data;
sanctions and watchlist data;
DVLA-related data;
corporate or organisational affiliation information (for organisation-level checks).

5. Special category and sensitive data

Some checks involve special category or sensitive personal data, including:

criminal offence data; and
identity documents containing photographs.

Identity documents and facial images may be processed to complete identity verification checks and to allow Organisations to review the results of those checks.

In addition, SureCert may process technical characteristics of identity documents or images (for example, document type or format) for internal service optimisation purposes, such as improving check routing or platform efficiency.

This processing:

is not used to identify individuals;
is not used for biometric identification or authentication by SureCert;
is not used to make decisions about Clients; and
is subject to restricted access and appropriate security measures.

Criminal record information is processed and stored as part of check results in accordance with the Organisation’s requirements and applicable law.

6. How and why we process personal data

SureCert processes personal data through the platform for the following purposes to:

operate, maintain, and provide the platform and requested checks;
enable identity verification, background screening, and related workflows;
manage platform access, security, logging, and audit functions;
provide customer support and respond to incidents or enquiries;
comply with legal and regulatory obligations;
investigate misuse, fraud, or security incidents;
improve the efficiency, security, and cost-effectiveness of the Services, including analysing technical characteristics of documents submitted through the platform for service optimisation purposes.

SureCert does not use personal data to make automated decisions about individuals and does not determine outcomes independently of the underlying check data.

The Organisation determines the lawful basis for the checks themselves and how results are used (for example, employment screening or legal compliance).

7. Legal bases for processing

SureCert relies on the following legal bases under UK GDPR:

Performance of a contract – to provide the platform and Services to the Organisation;
Legitimate interests – to ensure platform security, integrity, and proper operation.

Where consent or another legal basis is required for a specific check, this is the responsibility of the Organisation to obtain and manage.

We share personal data only as necessary to deliver the Services.

8.1 Screening and verification suppliers

This includes providers such as:

Experian
First Advantage
Mitek

Some suppliers may further engage regulated sub-providers (for example, UK criminal record authorities) in accordance with applicable law.

8.2 Infrastructure and service providers

Personal data is stored and processed using secure infrastructure, including:

cloud hosting services located in the United Kingdom;
email and operational tooling;
logging and monitoring systems.

SureCert’s infrastructure providers do not access or use personal data for their own purposes.

9. International data transfers

Personal data processed through the SureCert platform is stored and processed in the United Kingdom.

Where a supplier processes data outside the UK, appropriate safeguards are used in accordance with UK data protection law, including reliance on supplier contractual protections.

10. Data retention

SureCert applies different retention periods depending on the type of data:

Base Client profile information (such as name, date of birth, and email) may be retained on the platform to allow ongoing access to historical records.
Check-specific input data (such as identity documents, selfies, and address history) is retained for a limited period (typically around 180 days) and then removed.
Check results and outcomes may be retained for longer periods to allow Organisations and Clients to evidence that checks were carried out and when.

Account-level data may be reviewed and removed following extended periods of inactivity. Retention practices may vary depending on legal, regulatory, or contractual requirements.

11. Data subject rights

Clients and Users have rights under UK data protection law, including rights of access, correction, and restriction.

Because the Organisation is the data controller:

Clients should contact the Organisation that invited them in the first instance regarding any rights requests or concerns.
SureCert will assist Organisations in responding to rights requests where required.

SureCert does not independently assess whether checks are lawful or appropriate.

12. Security

We implement appropriate technical and organisational measures, including:

role-based access controls;
encryption of data in transit and at rest;
monitoring and incident response procedures.

13. Changes to this Privacy Notice

We may update this Privacy Notice from time to time to reflect changes in the platform or legal requirements. The current version will always be available via the platform or our website.

14. Contact us

If you have questions about this Privacy Notice or how personal data is processed on the platform, please contact:

Support: support@surecert.com
Data Protection Officer: dpo@surecert.com

SureCert Platform Privacy Notice

1. Scope of this Privacy Notice

Organisations (customers)

SureCert

2. Who we are

3. Roles and responsibilities

Organisations (customers)

SureCert

4. Personal data we process

4.1 Platform Users (Organisation representatives)

4.2 Clients (invited individuals)

Base profile information

Check-specific information (varies by check)

5. Special category and sensitive data

6. How and why we process personal data

7. Legal bases for processing

8. Data sharing and recipients

8.1 Screening and verification suppliers

8.2 Infrastructure and service providers

9. International data transfers

10. Data retention

11. Data subject rights

12. Security

13. Changes to this Privacy Notice

14. Contact us

End of Platform Privacy Notice