About Us
The Data Transfer Initiative, an independent non-profit promoting data portability and related data rights, operates the Data Trust Registry for the public benefit to encourage safety and trust when services exchange personal data at user request.
When exercising the Right to Data Portability, users reasonably expect the companies sharing their data to keep it safe, and to be honest and transparent regarding their intentions. But sadly not all organisations match up to these expectations, and it is difficult for users or other organisations to distinguish between good and bad actors.
This is where the Data Trust Registry comes in. In line with our published Trust Model and transparent process documentation, we review each company and service that wishes to participate in data portability before adding them to the registry. We also review registry entries yearly to ensure high standards are maintained, and we review complaints about trust violations year-round.
Although end users wishing to move their personal data safely may find providers in the Registry, the primary direct use of the Registry is for companies to learn whether other companies can be trusted with user data, then to verify identity and connect securely with trusted participants.
The Registry is currently operating as a pilot, and working closely in partnership with Meta as a starting point. We will be announcing further collaborations with other large platforms in due course, as the Registry will become the primary entry point for multiple major data portability APIs.
The goal of our Data Trust Registry is to build confidence in the data portability ecosystem by streamlining access to transfer tools while sifting out bad actors. We intend for it to deliver benefits to all participants, large and small.
If you are interested in joining our Registry, we encourage you to start by reading our Policy documents and Submission Guide, as well as getting in touch if you have any questions not answered below.
Send us an email at support@dtinit.org
Frequently Asked Questions (FAQ)
Our team firmly believes in empowering consumers by supporting simpler, faster, and more secure transfers of their application data. If you share this vision, you are in the right place.
We have built the Data Trust Registry as a home for organisations in the technology sector that wish to participate in user-led transfers of data, often referred to as data portability. This includes organisations that support data exports, organisations that intend to become a trusted data transfer destination, and anyone looking to operate infrastructure in the middle.
Whether you have one user, or one billion, your organisation can apply to the Registry.
If you wish to be a data recipient, listing in our Registry will deliver several benefits to your organisation. Most immediately, it is an important step in order to gain access to a growing pool of data portability tools supported by large platforms, including Meta’s Export Your Information tool. Being listed on our Registry will also provide a strong public signal to your users and business customers that you can be trusted to take your responsibilities towards privacy and security seriously.
Data senders also belong in the Registry, as data senders must also be trusted to send appropriate, legal content. Registry entries can hold connection information, reducing configuration overhead for services managing secure connections and identity.
Participating in the pilot of our Registry will also help us to build the vibrant data transfer ecosystem your organisation can thrive in. We need your feedback to help us get there!
We are working closely with Meta to begin with in the pilot, with Meta now requiring our Trust Registry approval before organisations can proceed with an application to access its Export Your Information (EYI) tool.
We are also progressing work with another two large platforms with personal data APIs, to make those APIs accessible to companies with a trust level conferred by the Data Trust Registry. We will make further announcements on those platforms and associated data portability APIs in due course. You may wish to visit the Data Transfer Initiative’s website to get a sense of the kind of companies that we work closely with.
Get in touch if you have any questions about whether your organisation is a good fit for the Registry.
Trust Level 1 requires provision of the identity and incorporation information of the organization running the service, and information about a Data Protection Officer should they have appointed one. It also requires the service to have a privacy policy and other conditions that explain to the user how their data is used, and for the service operators to attest to data security practices. Approval at Trust Level 1 is a pre-requisite for getting Trust Level 2.
Trust Level 2 requires, in addition, provision of an outside audit report of data security practices, and deeper validation that the organisation is up front and transparent with its users about how they will use their data once received. In most cases the Level 2 approval will involve an interview with the reviewer.
For a complete application for a routine service, we endeavour to complete the review process in no more than 30 days. However, note that the Registry is currently in a limited pilot and turnaround times may vary depending on the volume of applications. Approval times will also be longer in circumstances where further information is needed or initial applications are incomplete.
We will keep applicants updated if review times are taking longer than expected.
Getting approved by the Data Trust Registry does not immediately allow access in most cases.
- Some data service APIs may require separate application for a service-specific API key.
- Some platforms may require separate application for a platform-generated OAuth Client ID and a pre-approved list of OAuth scopes.
- Some data sources may require Trust Level 2 in addition to Trust Level 1.
We are working towards streamlining the process of getting Trust Registry approval then bootstrapping towards automatic connection to data sources, and welcome contributions to making this work better.
In the case of Meta’s Export Your Information (EYI) tool, you will need to provide the URL for your Trust Registry entry before you can proceed with an application to access that tool. A Trust Level 1 approval will be sufficient to access certain data scopes such as photos, videos and posts, whereas Trust Level 2 will be needed to access more comprehensive and sensitive data archives.
The primary difference is that Trust Level 2 is needed for accessing more sensitive user data, whereas the lower Trust Level 1 is sufficient for a third party that only wishes to access much less sensitive data, such as data that a user has put into the public domain. This tiered approach is consistent across many of the major platforms as they manage access to APIs.
With Trust Level 2 unlocking access to more sensitive data, this requires a more thorough consideration of an applicant’s approach to security and consent.
While we are in a pilot, platforms requiring registration for their portability tools may still ask you for some of the same information to build confidence in our operation of the Registry. We expect this duplication to be reduced significantly once the pilot has concluded.
The Data Trust Registry is not limited to a single data transfer protocol, API or software model. Instead, it can be used to advertise multiple approaches and move towards greater interoperability. Not all services will be able to interoperate, and when services in the registry don't have data models in common, they may not connect (for example, we don't expect photo album services to be able to connect to and request data from music streaming services). The Trust Registry operators and DTI will be engaged to recommend specific protocols and standards for effecting data transfers, but the registry will not be limited to the recommended standards.