Provider: RSMT Limited trading as Driver Codes
Version: v1.1 — May 2026
Published location: app.driver.codes/documents/security
This page is a public summary of how Driver Codes protects customer and driver data. A fuller Security and Technical Measures Pack is available to enterprise customers and procurement teams on request, under non-disclosure.
| Area | Summary |
|---|---|
| Hosting | United Kingdom only (AWS eu-west-2, London) |
| International transfers | Core production hosting and driver-check records are held in the UK. Some limited support, messaging, payment, push-notification and observability data may be processed outside the UK by listed sub-processors under UK-recognised transfer safeguards. |
| Encryption | TLS in transit; AES-256 at rest |
| Multi-factor authentication | Mandatory on all administrative access and on the customer-facing checks portal |
| Monitoring | Continuous 24x7 automated security monitoring and alerting |
| Backups | Daily, encrypted, point-in-time recovery |
| Cyber Essentials | Certified; working towards Cyber Essentials Plus |
| Personal Data Breach notification | Within 48 hours of confirmation |
| DVLA registration | Access to Driver Data (ADD) Controller Operating Model |
| Information Commission registration | ZA788385 |
All core production services for the Customer Portal and driver-check records run in the United Kingdom, in Amazon Web Services' London region (eu-west-2). Core check records are not intentionally transferred outside the UK as part of normal production hosting.
Some ancillary service providers used for support, push notifications, payments, email, error monitoring or observability may process limited personal data outside the UK. Those providers, locations and transfer mechanisms are listed in our Sub-processor List.
Access to production systems and data is granted on a least-privilege basis: people only get access to what their role needs.
Data is encrypted in transit with TLS (1.2 or higher, modern cipher suites only) and at rest with AES-256. Backups are encrypted. Encryption keys are managed through AWS Key Management Service. Application secrets are stored in managed secrets services, never in source code.
We operate continuous 24x7 automated security monitoring and alerting on production infrastructure and applications, covering authentication events, administrative actions, material platform actions and access to sensitive resources. Security logs are retained for at least 12 months.
We have a documented incident response process. If a confirmed Personal Data Breach affects customer data, we will notify the affected customer within 48 hours of confirmation. Where required, we report to the Information Commission within 72 hours of becoming aware, in line with Article 33 UK GDPR.
Production data is backed up daily, encrypted, with point-in-time recovery. Backup restoration is tested on a defined cycle.
Our recovery objectives:
Backups are held within the AWS London region; we do not currently maintain cross-region replication.
We run automated vulnerability scanning across our infrastructure and software dependencies. We track security advisories and patch confirmed critical vulnerabilities within 5 days of an advisory becoming available.
If you've found something that looks like a security problem, email security@driver.codes. We will acknowledge legitimate reports promptly and triage on a risk basis.
We are Cyber Essentials certified and are working towards Cyber Essentials Plus certification.
We are not currently ISO 27001 certified. We operate to a control framework aligned with the ISO 27001 control families and we keep formal certification under review as the service grows.
We engage third-party providers for hosting, email delivery, push notifications, error monitoring, support tooling and similar. Each sub-processor is bound by a written contract requiring data protection obligations no less protective than those we accept in our own customer agreements.
A current list is published at app.driver.codes/documents/subprocessors. Customers receive at least 30 days' notice of changes.
We retain personal data only as long as we need it for the purpose for which we collected it. Specific retention periods are set out in our Driver Checks Privacy Notice and the Consumer App Privacy Notice. When a customer account is closed, our published terms set out export windows and the route to a deletion certificate.
Security is shared. To support the controls above, we expect customers and users to:
Self-serve customers can use this summary alongside our published privacy notices, sub-processor list and terms.
Enterprise prospects, procurement teams and security reviewers — we can provide a fuller Security and Technical Measures Pack under non-disclosure on request. Contact hello@driver.codes.
For data protection enquiries: privacy@driver.codes.
For security enquiries: security@driver.codes.
Note on regulator naming: at the version date of this document, the Information Commissioner's Office (ICO) remains the operative legal name of the UK data protection regulator. References in this document to the "Information Commission" anticipate the regulator's reconstitution under Part 6 of the Data (Use and Access) Act 2025. Our registration (ZA788385) is held with the regulator and will transfer to the Information Commission by operation of law on commencement of sections 118 and 119 of that Act.