Data Protection Compliance Framework

1. Data protection governance

Orfid maintains a multi-layer governance model to ensure lawful and ethical processing of data, including:

• designated Data Protection Lead with operational responsibility;
• compliance oversight embedded within ISIS automated governance;
• comprehensive audit logging via THOTH;
• Data Protection Impact Assessments (DPIAs) for high-risk processing;
• mandatory records of processing activities.

Data protection and compliance queries may be directed to support@orfid.co.uk.

2. Lawful bases for processing

Orfid processes personal and special-category data under the following lawful bases:

• Contractual necessity — delivery of platform services to registered users;
• Legal obligation — compliance with court orders, regulator instructions, and statutory duties;
• Legitimate interests — platform security, fraud prevention, and journalistic integrity;
• Public-interest journalism exemption — protection of freedom of expression;
• Consent — non-essential analytics and optional user features.

3. Special category data

Orfid may receive special category data (including health, political, or criminal information) within reports or evidence submissions. Processing occurs only where:

• the data is intentionally provided for journalistic purposes;
• publication is necessary in the public interest;
• processing is authorised under Schedule 1, Part 5 of the Data Protection Act 2018.

Access to such data is strictly controlled and fully logged via THOTH.

4. Automated compliance processing

ISIS and NUT deploy automated systems to identify and mitigate legal risks, including:

• defamation, privacy, and harassment risks;
• contempt of court and anonymity restrictions;
• identity exposure and prohibited content;
• data protection compliance conflicts;
• content provenance anomalies.

Automated controls may restrict or delay publication. Manual review is available where required by law or context.

5. Data security standards

• salted SHA-256 password hashing;
• two-factor authentication via ANUBIS;
• trusted device verification and fingerprinting;
• TLS 1.3 encryption in transit and encrypted storage at rest;
• role-based access controls by tier;
• regular security testing and monitoring;
• immutable audit logging via THOTH.

Infrastructure adheres to recognised ISO 27001 and SOC 2 security standards.

6. Regulator access and audit trails

Regulators may be granted limited read-only “Ghost Tier” access for oversight. All access is:

• fully logged;
• cryptographically timestamped;
• restricted to authorised personnel;
• retained under THOTH governance schedules.

Regulators are never permitted to modify platform data.

7. Incident response and breach handling

• system isolation and containment;
• forensic analysis via GEB and THOTH;
• immediate mitigation actions;
• ICO notification within 72 hours where required;
• user notification where rights or freedoms are at risk.

8. Law-enforcement requests

• valid court orders or statutory authority;
• lawful override of journalistic privilege;
• proportionate and specific scope;
• preservation of source protection where applicable.

All disclosures are logged within THOTH.

9. User rights

Users may exercise UK GDPR rights subject to journalistic exemptions, including:

• access;
• rectification;
• erasure where lawful;
• restriction;
• data portability;
• objection where applicable.

Requests may be submitted to support@orfid.co.uk.

10. Record-keeping and documentation

• processing categories;
• DPIAs and risk assessments;
• audit trails;
• retention schedules;
• automation and compliance versioning.

11. Retention and deletion

• statutory obligations;
• active investigations;
• regulatory requirements;
• THOTH-managed governance rules.

Secure deletion processes apply once data is no longer required.