Submission Guide

The Data Trust Registry is currently in a pilot program, accepting limited applications from services invited to it. If you represent a service not specifically invited to the pilot program, you may still apply (we will use that expression of intent either to add the service to the pilot program or to drive our build-out of the registry to meet additional needs for which there is high demand).

The Data Trust Registry is informed and driven by the Data Transfer Initiative's work on Trust Policy. The Threat Model defines which threats to user safety and privacy cannot be handled by transport security and consent models. The gaps in the threat model led to five Trust Criteria in DTI's Trust Model, a principled guide to which trust-related requirements, applied to data transfer ecosystem participants, legitimately protect users' interests.

The application process is intended to allow the applying service to attest to how it protects users' data and privacy, and to be approved quickly at Trust Level 1 if there are no blockers. Services approved at Trust Level 1 are then listed in the registry and may gain access to other registry participants' APIs. The listing in the registry's HTML pages and its API allows other companies in the ecosystem to dynamically trust a data transfer participant or quickly pass through API key requests and terms-of-service checks on their side.

Some personal data APIs require Trust Level 2, which involves not just attesting to data and privacy protections, but also providing documentation of how those protections have been reviewed by outside experts. An applicant's information provided for Trust Level 2 is kept confidential by the Data Trust Registry. (See our Terms of Use and Privacy Policy.)

In any case, the first step to Trust Level 2 is registering a service and applying for Trust Level 1. For a detailed walkthrough of the application process, see our Application Guide.

Trust Level 1 Requirements

To apply for Trust Level 1, a service must have:

  • A registered company or legal entity
  • A home page that describes the service
  • A privacy policy that covers the basics of what the service provides, as well as how personal data is collected, used, shared with third parties, protected, and retained or deleted
  • A way for users to report security issues

This information will enable us to review your application against the following three questions:

  • Is the applicant a legitimate and registered legal entity?
  • Is the applicant’s privacy policy fit for purpose?
  • Is the applicant’s description of its service and data use transparent and consistent?

Approval at Trust Level 1 requires a positive assessment against each of these requirements.

Trust Level 2 Requirements

To apply for Trust Level 2, applicants must first get approved for Trust Level 1 by meeting the three essential requirements set out above.

Once applicants are approved at Trust Level 1, Registry staff will invite them to confirm whether they would like to proceed to a Trust Level 2 application. The Trust Level 2 application will involve a recorded interview together with submission of an audit report from an independent external data security expert. During our pilot, we are accepting a SOC 2 report or equivalent.

Contact Registry staff if you have questions about alternative data security review options.

At Trust Level 2, the information provided during the interview and in these additional submissions will enable us to assess you against the following two additional questions:

  • Does the applicant have robust data security practices in place?
  • Does the applicant collect valid consent from its users?

Approval at Trust Level 2 requires a positive assessment against both of these essential requirements, in addition to those at Trust Level 1.

Documentation


Right to Data Portability

User Data Portability Threat Model

Trust Model - basis for evaluation

Glossary & Terms for Trust Model