
Platform Compliance Pack

IAM-VETTED LTD: Confidential

Last updated: May 2026


1. Executive Summary

IAM-VETTED LTD (“the Company”) operates iam-vetted.com, a UK-based workforce credentials marketplace platform. The platform enables workers in logistics and related industries to submit their own professional and compliance information, and enables employers to search for and access that information.

IAM-VETTED LTD does not verify, vet, approve, certify, or guarantee the accuracy, currency, or completeness of any information submitted by workers. The platform aggregates and displays worker-submitted data only.

The Company acts as a data controller in its own right, not as a data processor on behalf of employers or workers. Workers submit information directly to the platform. Employers access that information under contractual terms that impose independent verification obligations upon them. Verification of worker-submitted credentials is always conducted by employers directly via official GOV.UK services (e.g. DVLA share codes, Home Office right to work checks, DBS online service).

This Compliance Pack is intended to provide an authoritative summary of the Company’s compliance posture across data protection, consumer protection, AI use, complaints handling, security, and third-party management.

2. Data Protection Framework

2.1 Controller Role

IAM-VETTED LTD is registered with the Information Commissioner’s Office (ICO) as a data controller under registration number ZC128431. The Company determines the purposes and means of processing personal data collected through the platform. It does not act as a data processor on behalf of any third party.

Employers who unlock and access worker profiles act as independent controllers of any personal data they subsequently use. The Company’s Terms of Service impose obligations on employers with respect to data use, retention, and disclosure.

2.2 Platform Characterisation

The platform is characterised as a structured data aggregation and display service. It is not a background checking bureau, a verification authority, or an employment agency. It does not make hiring decisions, recommendations, or endorsements.

2.3 Categories of Personal Data Processed

  • Identity data: full name, date of birth, phone number, email address, home address
  • Credential data: DVLA share code, Home Office right to work reference, DBS certificate number, insurance policy details (provider, policy number, expiry), MOT expiry date
  • Platform data: profile information (vehicle type, licence categories, years of experience, availability, carriers worked with), login activity, audit log entries, IP address
  • Financial data: credit purchase history, pack size, payment status (no card data is stored; card processing is handled exclusively by Stripe)

2.4 Lawful Basis for Processing

  • Contract (Article 6(1)(b) UK GDPR): processing necessary to perform the platform service contract with workers and employers
  • Legitimate interests (Article 6(1)(f) UK GDPR): platform security, fraud detection, AI-assisted risk flagging, and operational integrity. Legitimate interests assessments (LIAs) have been conducted and are retained separately
  • Legal obligation (Article 6(1)(c) UK GDPR): financial record retention, ICO notification obligations, and response to lawful authority requests

2.5 Data Retention

The following retention periods apply:

Data Category | Retention Period
Account & profile data | Retained while account is active. Deleted within 30 days of account deletion request (30-day cooling-off period applies).
Credential & verification reference data | Retained while active on profile. Deleted on account deletion.
Financial records (Stripe transactions) | Retained for 6 years in line with legal and accounting obligations.
Security logs & audit records | Retained while necessary for platform security and integrity purposes.
Anonymised statistical data | Retained indefinitely (no personal data).

2.6 Record of Processing Activities (RoPA)

A full Record of Processing Activities is maintained separately from this document and is available to the ICO on request. The RoPA covers all processing activities conducted by the Company, including those involving third-party service providers.

2.7 Data Protection Impact Assessment (DPIA)

A DPIA has been conducted covering the credential aggregation risks inherent in the platform’s core function and the discrete processing activities assessed below. The DPIA separately assesses the proportionality and safeguards associated with behavioural monitoring, fraud signal analysis, authentication telemetry, and audit-log anomaly detection. Mitigation measures are documented within the DPIA and reflected in the platform’s technical and organisational safeguards.

1. Authentication processing.

Phone-number verification via SMS one-time-passcode (Twilio Verify) is assessed as a dedicated processing surface, including data flow to the OTP provider, retention rationale for verified phone numbers, and the rate-limiting and audit-log defences against brute-force or impersonation attempts.

2. AI processing.

The DPIA enumerates the specific user-facing AI surfaces in scope (verify guidance, worker dashboard insight and expiry alert, employer dashboard insight and worker summary, AI-assisted search, and AI support chat) along with the operational AI surfaces (fraud signal analysis, admin audit anomaly detection). The assessment confirms data minimisation in AI processing (full credential reference values, government-issued identifiers, biometric data, uploaded documents, and raw identity verification artefacts are not transmitted) and the contractual prohibition on AI providers using submitted data for model training.

3. Audit logging & anomaly detection.

The platform’s server-side audit-log system is assessed as a standalone behavioural-monitoring activity, including the proportionality of capture (significant authentication, account, verification, administrative, and access events), access restrictions (row-level security, role-based access, administrator segregation), and the safeguards on AI-assisted anomaly detection (investigatory only, human review required for any account-impacting action).

4. International transfers.

The DPIA covers the international transfer routes for the platform’s processors, including Twilio (US, with SCCs/IDTA and authentication-only OTP payloads), Anthropic (US, metadata-only payloads with credential reference values excluded), Resend (transactional email), and other US-hosted operational services. Vendor-specific transfer mechanisms are documented at /compliance/transfer-assessment.

5. Article 22 analysis.

No current AI use produces automated decisions with legal or significant effect on workers or employers. Fraud-signal AI is investigatory only. All account-impacting actions require human review and confirmation. The assessment confirms that no Article 22 UK GDPR trigger arises from the platform’s current processing activities.

3. Platform Positioning & Consumer Protection

3.1 Non-Verification Principle

The platform does not conduct, facilitate, or certify verification checks. This principle is embedded in all public-facing documents, terms, and product copy.

The following terms are prohibited from appearing in platform copy, marketing materials, or communications:

  • "Verified" (as a claim made by iam-vetted about a worker)
  • "Vetted" (as an outcome delivered by iam-vetted)
  • "Approved"
  • "Certified"
  • "Confirmed"
  • "Background checked"
  • "Guaranteed"
  • "Endorsed"

The permitted framing at all times is: the platform aggregates and displays worker-submitted information. It does not verify, approve, or decide.

3.2 Employer Responsibility

Employers are contractually required to independently verify all worker-submitted credentials before making employment decisions. The platform provides direct links to official GOV.UK verification services (DVLA, Home Office, DBS) for this purpose.

Employer Terms of Service include explicit acknowledgement that iam-vetted does not verify information and that employers bear sole responsibility for their hiring decisions.

3.3 No Reliance & No Warranty

The platform expressly disclaims any warranty as to the accuracy, completeness, or currency of worker-submitted information. No representation is made that any information displayed on the platform has been verified by the Company or any third party acting on its behalf.

3.4 No Algorithmic Hiring Decisions

The platform does not score workers, suggest candidates to employers, or algorithmically determine which worker profiles are presented to which employers. iam-vetted does not arrange employment or act as an intermediary in hiring decisions. Search results reflect objective filtering criteria applied by employers (region, vehicle type, availability, etc.). No weighting or prioritisation is applied to worker profiles in search results beyond the filters selected.

4. AI & Assistive Processing

4.1 AI Use Cases

The platform uses AI (Anthropic Claude) in the following limited capacities:

User-facing assistive features

  • Worker dashboard insight: dynamic AI-generated observations relevant to a worker's current state, including profile activity, expiry pressure, demand signals, and completion suggestions. The AI selects the most informative angle at each render
  • Worker dashboard expiry alert: AI-generated reminders surfacing upcoming credential expiry with suggested next steps
  • Worker verify guidance: context-aware help text on the worker verify page explaining how to complete each credential reference type
  • Employer dashboard insight: dynamic AI-generated observations relevant to an employer's current state, including credit balance, recent activity, and demand context. The AI selects the most informative angle at each render
  • Employer worker summary: structured AI-generated overview of an unlocked worker's submitted information
  • AI-assisted search: interpretation of natural language search queries from employers into structured filter parameters
  • iam-vetted AI support chat: conversational AI assistance available to paid users via the platform support function

Operational and security features

  • Fraud signal analysis: pattern identification in worker-submitted data that may indicate inconsistencies or data integrity concerns. Outputs are investigatory indicators only and do not independently determine account status, platform eligibility, employability, or trustworthiness.
  • Admin audit anomaly detection: identification of anomalous login or usage patterns in audit logs for security monitoring

4.2 No Automated Decision-Making with Legal or Significant Effect

AI processing on the platform does not produce automated decisions that have a legal or similarly significant effect on workers or employers. AI outputs are indicators only. They are reviewed by a human administrator before any action is taken on a user account.

No worker profile is suspended, restricted, or removed solely on the basis of an AI-generated risk score. All such actions require human review and confirmation.

AI outputs are not used to rank workers, prioritise search visibility, suppress profiles, or determine employment suitability.

4.3 Right to Challenge

Workers whose profiles are flagged or temporarily restricted are notified and given the opportunity to update their information or request a manual review. This right to request human review is documented in the Worker Privacy Notice and is available at all times through the platform’s in-app support function.

4.4 Data Minimisation in AI Processing

Full credential reference values (e.g. share codes, DBS numbers, policy numbers), government-issued identifiers, biometric data, uploaded documents, and raw identity verification artefacts are not transmitted to AI providers. AI processing operates on metadata, patterns, and non-sensitive platform signals only.

AI providers are contractually prohibited from using API-submitted platform data for model training where such restrictions are available under the applicable enterprise/API terms.

5. Complaints Handling

5.1 Complaints Channels

  • Primary complaints channel: complaints@iam-vetted.com
  • General enquiries: hello@iam-vetted.com
  • In-app support: available to logged-in workers and employers via the platform dashboard

5.2 Acknowledgement Obligation

All complaints received via any channel are acknowledged within 30 days of receipt. The Company aims to resolve complaints as quickly as possible and will keep the complainant informed of progress where resolution requires additional time.

5.3 Social Media Complaints

iam-vetted does not use social media channels as a primary complaints channel. However, concerns raised via the Company’s social media accounts (LinkedIn, X, Facebook) are treated as valid complaints and are redirected to complaints@iam-vetted.com for formal handling under the same acknowledgement and resolution obligations that apply to direct complaints.

Social media accounts are monitored on a weekly basis for complaints, concerns, or regulatory references.

5.4 ICO Escalation

Where a complainant is not satisfied with the Company’s response, they have the right to escalate to the ICO (ico.org.uk, 0303 123 1113). This right is communicated in all complaints acknowledgement communications and in the platform’s Privacy Notices and Data Rights page.

6. Identity & Security Controls

6.1 Access Controls

  • Role-based access control (RBAC): workers, employers, and administrators operate in strictly separated access zones
  • Least privilege principle: each role can access only the data and functionality required for its purpose
  • Secure authentication: all accounts are authenticated via Supabase Auth; session tokens are short-lived and HTTP-only
  • Admin access: protected by a separate authentication layer with a dedicated session cookie; not accessible via standard user login flows

6.2 Data Security

  • Encryption in transit: all data transmitted via TLS 1.2 or higher
  • Encryption at rest: all data stored in Supabase is encrypted at rest
  • Database-level row security policies restrict data access at the query level
  • No full credential values (e.g. share codes, DBS numbers) are transmitted to AI providers

6.3 Monitoring, Logging & Incident Response

  • Platform audit log records all significant user actions (login, profile unlock, verification submission, account deletion)
  • AI-assisted anomaly detection reviews audit logs for suspicious patterns
  • Security incidents are managed under an incident response procedure
  • Personal data breaches are assessed against the ICO notification threshold (72-hour obligation) and reported where required

Phone verification (Twilio SMS one-time-passcode) is protected by a server-side rate-limit on verification attempts, with audit-log coverage of each step (issue, success, failure, rate-limit). Brute-force submission patterns are surfaced via the audit-log anomaly detection.

6.4 Phone Verification & Authentication Integrity

Phone verification is implemented using Twilio Verify SMS one-time-passcode (OTP) infrastructure.

Verification is used:

  • During onboarding
  • During account recovery
  • During sensitive account changes
  • To reduce impersonation, automated abuse, and fraudulent account creation

Verification events are logged in the platform audit-log system, including issuance, success, failure, and rate-limit events.

Brute-force detection and anomaly monitoring are applied to verification flows.

Phone numbers are retained while accounts remain active in order to maintain authentication continuity, account recovery capability, anti-fraud protections, and evidential integrity.

6.5 Audit Logging & Security Monitoring

The platform maintains a server-side audit-log system recording significant authentication, account, verification, administrative, and access events.

Audit logging is used for:

  • Platform security
  • Fraud prevention
  • Abuse detection
  • Evidential preservation
  • Incident investigation
  • Unauthorised access detection

Access to audit-log data is restricted via row-level security controls, role-based access restrictions, and administrator segregation.

Public access to audit-log infrastructure is denied by default.

AI-assisted anomaly detection may review audit-log metadata for suspicious behavioural patterns. Such outputs are investigatory only and do not independently determine account restrictions or enforcement outcomes.
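The following is an added illustrative example, not code from the iam-vetted platform, showing how the controls described in sections 6.3 to 6.5 fit together: a server-side limit on OTP verification attempts that is checked before the submitted code is compared, an audit-log event for each step (issue, success, failure, rate-limit) that never records the code or the full phone number, and an investigatory indicator computed over those events for human review. All names (OtpVerifier, bruteForceSignals, maskPhone), the thresholds and window lengths, the masking scheme, and the sample phone numbers and IP addresses are assumptions; storage is in-memory for the purpose of the example.

```typescript
// Added example (not the platform's own code). Thresholds, names and the
// masking scheme are assumptions; state is held in memory for illustration.

type AuditKind = "otp_issue" | "otp_success" | "otp_failure" | "otp_rate_limit";

interface AuditEvent {
  kind: AuditKind;
  subject: string; // masked phone number; the full value is never logged
  ip: string;
  at: number;      // epoch milliseconds
}

type VerifyOutcome = "success" | "failure" | "rate_limited";

interface IssuedCode { code: string; expiresAt: number; }
interface FailureCounter { failures: number; windowStart: number; }

// Constructed masking scheme: keep only the last three digits for the audit record.
function maskPhone(phone: string): string {
  return "***" + phone.slice(-3);
}

// Compare without short-circuiting on the first mismatching character.
function constantTimeEqual(a: string, b: string): boolean {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

class OtpVerifier {
  readonly audit: AuditEvent[] = [];
  private readonly issued = new Map<string, IssuedCode>();
  private readonly counters = new Map<string, FailureCounter>();

  constructor(
    private readonly maxFailures: number = 5,        // assumed lockout threshold
    private readonly windowMs: number = 10 * 60 * 1000,
    private readonly codeTtlMs: number = 5 * 60 * 1000,
  ) {}

  private log(kind: AuditKind, phone: string, ip: string, at: number): void {
    this.audit.push({ kind, subject: maskPhone(phone), ip, at });
  }

  private counterFor(phone: string, now: number): FailureCounter {
    const existing = this.counters.get(phone);
    if (existing === undefined || now - existing.windowStart >= this.windowMs) {
      const fresh: FailureCounter = { failures: 0, windowStart: now };
      this.counters.set(phone, fresh);
      return fresh;
    }
    return existing;
  }

  // Issue (or re-issue) a code. The code value is stored server-side only.
  issue(phone: string, ip: string, code: string, now: number): void {
    this.issued.set(phone, { code, expiresAt: now + this.codeTtlMs });
    this.log("otp_issue", phone, ip, now);
  }

  verify(phone: string, ip: string, submitted: string, now: number): VerifyOutcome {
    const counter = this.counterFor(phone, now);
    // The lockout is evaluated before the code is compared, so a correct
    // guess submitted during the lockout is refused and logged as rate-limited.
    if (counter.failures >= this.maxFailures) {
      this.log("otp_rate_limit", phone, ip, now);
      return "rate_limited";
    }
    const record = this.issued.get(phone);
    const valid = record !== undefined && now < record.expiresAt
      && constantTimeEqual(record.code, submitted);
    if (!valid) {
      counter.failures += 1;
      this.log("otp_failure", phone, ip, now);
      return "failure";
    }
    this.issued.delete(phone);   // single use
    this.counters.delete(phone); // successful verification clears the counter
    this.log("otp_success", phone, ip, now);
    return "success";
  }
}

interface BruteForceSignal { ip: string; failures: number; distinctSubjects: number; }

// Investigatory indicator only: source addresses with many failed or rate-limited
// attempts inside the window. The output informs human review; it decides nothing.
function bruteForceSignals(audit: AuditEvent[], now: number, windowMs: number,
                           minFailures: number): BruteForceSignal[] {
  const byIp = new Map<string, { failures: number; subjects: Set<string> }>();
  for (const e of audit) {
    if (now - e.at > windowMs) continue;
    if (e.kind !== "otp_failure" && e.kind !== "otp_rate_limit") continue;
    let entry = byIp.get(e.ip);
    if (entry === undefined) { entry = { failures: 0, subjects: new Set<string>() }; byIp.set(e.ip, entry); }
    entry.failures += 1;
    entry.subjects.add(e.subject);
  }
  return Array.from(byIp.entries())
    .filter(([, s]) => s.failures >= minFailures)
    .map(([ip, s]) => ({ ip, failures: s.failures, distinctSubjects: s.subjects.size }));
}
```

The two design points worth noting are the order of checks in verify (lockout first, then comparison, so the rate-limit event is emitted even for a correct code) and the separation between the audit record and the anomaly output: the indicator is derived from the same events the platform already keeps, and nothing in it changes account state.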

7. Third Parties & Processing

7.1 Vendor Management

All third-party vendors who process personal data on behalf of the Company are subject to Data Processing Agreements (DPAs). A vendor register is maintained separately from this document. Vendors are assessed at onboarding and reviewed periodically.

7.2 Key Vendors

Vendor | Role | Data Processed
Stripe, Inc. | Payment processing | Name, email, payment status. Card data not stored by iam-vetted.
Twilio Inc. | Phone verification (SMS OTP) | Phone number, delivery metadata.
Vercel Inc. | Hosting & deployment | Request logs, IP addresses.
Anthropic PBC | AI processing | Non-sensitive platform signals and metadata only. No credential values.
Supabase Inc. | Database & authentication | All platform personal data. UK/EU data residency configured.
Resend Inc. | Transactional email | Email address, name, email content.
Ideal Postcodes Ltd | Address lookup | Postcode queries only.
Trigger.dev | Background job processing | Task payloads including user IDs and event metadata.

8. International Data Transfers

8.1 ICO Three-Step Test

The Company applies the ICO’s three-step test to all international data transfers:

  • Is there a transfer? Assessed for each vendor and processing activity.
  • Is there a lawful transfer mechanism in place?
  • Do the circumstances of the transfer undermine the protection provided?

8.2 Transfer Mechanisms in Use

  • International Data Transfer Agreement (IDTA): for transfers to vendors without an adequacy decision
  • UK Addendum to the EU Standard Contractual Clauses: applied where EU SCCs are in use by the vendor
  • UK Extension to the EU-US Data Privacy Framework: applied where the vendor is certified under the EU-US Data Privacy Framework

8.3 Supplementary Measures

Where transfer mechanisms alone are considered insufficient, the following supplementary measures are applied:

  • Encryption of data in transit and at rest
  • Access controls limiting vendor access to the minimum data necessary
  • Data minimisation: credential reference values are not shared with non-EEA/UK vendors
  • Contractual restrictions on onward transfer and sub-processing

9. Terms & Product Compliance

9.1 Platform Role (Terms of Service)

Both the Worker Terms of Service and the Employer Terms of Service clearly define the platform as an information aggregation service only. The terms expressly disclaim any verification, approval, or certification function.

9.2 Employer Responsibility (Terms of Service)

Employer Terms of Service require employers to:

  • Independently verify all worker-provided information using official sources before making hiring decisions
  • Use worker data only for the purpose of assessing suitability for work
  • Not share, sell, or redistribute worker data
  • Comply with all applicable employment and data protection law

9.3 Limitation of Liability

The platform’s Terms of Service include a limitation of liability clause reflecting the Company’s role as an information aggregation service. The Company is not liable for losses arising from employer reliance on worker-submitted information that has not been independently verified.

9.4 Cookie Disclosures

The platform uses only strictly necessary cookies required for authentication and session management. No advertising, tracking, or third-party analytics cookies are used. Cookie usage is disclosed in the platform’s Privacy Notices.

9.5 Acceptable Use Policy

The platform’s Terms of Service include an acceptable use policy that prohibits:

  • Submission of fraudulent, fabricated, or inaccurate credential information
  • Use of the platform to unlawfully discriminate against workers
  • Scraping, harvesting, or systematic extraction of worker data
  • Any use of the platform that contravenes applicable law

Violations may result in account suspension, account closure, and referral to relevant authorities where appropriate.

IAM-VETTED LTD · Company No. 17168815 · ICO Registration ZC128431 · Last updated: May 2026 · Version 2.0

This document is privileged and confidential. Distribution is restricted to authorised parties only.