About Us

The Data Transfer Initiative, an independent non-profit promoting data portability and related data rights, operates the Data Trust Registry for the public benefit to encourage safety and trust when services exchange personal data at user request.

The Right to Data Portability includes an expectation that the companies involved in sharing or moving data at a user's request do so while protecting privacy, and while following their own promises. The expectation for protection ought to be even stronger for sensitive personal data. Thus, the Data Trust Registry reviews each company and application that wishes to participate in data portability before adding them to the registry. The Registry also reviews registry entries yearly and reviews complaints about trust violations year-round.

Users wishing to move their personal data safely may find providers in the Registry, although the primary direct use of the Registry is for companies to decide whether another company is a trusted participant, and how to verify that participant's identity securely.

Companies wishing to be added to the Registry should read our Policy documents and Submission Guide to begin with.

Send us an email at support@dtinit.org

Trust Policy

Submission Guide

Privacy

Frequently Asked Questions (FAQ)

What does a service need to provide to the registry to be verified?

Trust Level 1 requires the service to have a privacy policy and other conditions that explain to the user how their data is used, and for the service operators to attest to data security practices. It also requires the identity and incorporation information of the organization running the service, and information about a Data Protection Officer. This is a pre-requisite for getting Trust Level 2 for a service.

Trust Level 2 requires, in addition, review of an outside audit of data security practices, and deeper verification of the scope and consistency of privacy policies and other policies that affect user data and privacy.

How long does it take to be verified?

A complete application for a routine service ought to take less than a month to process or approve. However, note that the Registry is currently in a limited pilot and will not process all applications right away, while we develop our processes, site and APIs.

Once approved, which data sources will my service have access to?

Getting approved by the Data Trust Registry does not immediately allow access in most cases.

Some data service APIs may require separate application for a service-specific API key.
Some platforms may require separate application for a platform-generated OAuth Client ID and a pre-approved list of OAuth scopes.
Some data sources may require Trust Level 2 in addition to Trust Level 1.

We are working towards streamlining the process of getting Trust Registry approval then bootstrapping towards automatic connection to data sources, and welcome contributions to making this work better.

Does registry verification guarantee approval for data transfers?

Bluntly, no - just because a service has been verified by the Trust Registry and included in it, does not mean that every other service participating in the same vertical will be able to exchange data.

How is the data transfer executed (protocol, API)?

The Data Trust Registry is not limited to a single data transfer protocol, API or software model. Instead, it can be used to advertise multiple approaches and move towards greater interoperability. The Trust Registry operators and DTI will be engaged to recommend specific protocols and standards for effecting data transfers, but the registry will not be limited to the recommended standards.