Complaints & Incident Procedure

Last updated: 30th October 2025.

At Mistho, we are committed to providing high-quality, secure services and handling all complaints, incidents, and identity-related issues fairly, transparently, and promptly.

This policy fulfils our obligations under the UK Digital Identity and Attributes Trust Framework (DIATF Gamma v0.4, Rule 12.5) and relevant data protection legislation.

How to Contact Us

You can reach Mistho at any time using the contact details below:

Complaints: complaints@mistho.io
Incidents or Security Issues: incidents@mistho.io
Postal address:
Mistho Services Limited
27 Old Gloucester Street
London, WC1N 3AX
United Kingdom

For general information on data processing, please refer to our Privacy Policy and Terms & Conditions.

Complaints Procedure

How to Make a Complaint

You can submit a complaint at any time by emailing complaints@mistho.io or by writing to us at the postal address above.

Please include:

  • Your full name and contact details
  • A clear description of your complaint
  • Any relevant supporting information

What Happens Next:

  1. Acknowledgement – We will confirm receipt of your complaint within 24 hours.
  2. Investigation – Your complaint will be reviewed by the relevant Mistho team.
     • If your complaint relates to data privacy or data sharing, our Data Protection Officer (DPO) will be involved.
  3. Involvement of Relying Parties – If your complaint involves data collected or shared with a relying party (for example, an employer, payroll provider, or financial institution), we may need to involve them to investigate and resolve the matter.
     • This includes data subject access, correction, or deletion requests that relate to data shared externally.
  4. Resolution – We aim to provide a full response within 7 days.
     • If we require more time, we will inform you and provide an updated timeline.
  5. Escalation – If you are not satisfied with our response, you may escalate the matter to the Information Commissioner’s Office (ICO) or another relevant regulator.

  • Transparency: We will keep you informed throughout.
  • Fairness: All complaints are handled impartially.
  • Confidentiality: Only those necessary to the investigation will have access.
  • Continuous Improvement: We analyse complaints regularly to enhance our services.

Incident Reporting Procedure

Mistho treats any event that could impact the confidentiality, integrity, availability, or privacy of our systems or users as an incident.

How to Report an Incident

  • Email incidents@mistho.io as soon as possible.
  • Include details such as:
    • The date/time of the event
    • Description of what happened
    • Any data or users potentially affected
    • Your contact details

How We Respond

Our Incident Response Team (per our internal Incident Response Plan) will:

  1. Acknowledge the report within 1 business day.
  2. Triage and classify the incident (Severity 1–4).
  3. Investigate and contain the issue to prevent further impact.
  4. Recover and remediate affected systems or processes.
  5. Notify affected users and regulators when required:
     • If a data breach occurs, we notify the ICO and/or OfDIA within 72 hours and affected users without undue delay.
  6. Close the incident after documentation, root-cause analysis, and lessons learned.

We follow NCSC and ISO 27001 best practice for incident management.

Identity Repair and Fraud Response

Identity Repair

If you believe your identity has been misused or compromised through Mistho:

  1. Contact complaints@mistho.io using the subject line “Identity Repair”.
  2. We will acknowledge your request within 24 hours.
  3. We will coordinate with the relying party (the organisation requesting your verification), since they control the data once shared.
  4. We will share relevant logs or evidence to support the investigation and, if appropriate, help retract or flag erroneous verifications.
  5. We will provide guidance using the Action Fraud Identity Theft Victims’ Checklist (or the relevant local equivalent).
  6. We will document and close the case once resolution is achieved.

Fraud Reporting

If you suspect fraudulent activity (e.g. impersonation, account misuse, or attempted identity theft):

  • Report immediately to incidents@mistho.io.
  • Our ISMT will investigate per our Fraud Management Policy and Procedure.
  • Where criminal fraud is confirmed, we will:
    • Notify affected relying parties and users
    • Preserve evidence for at least 6 years
    • Cooperate with law enforcement under a lawful basis

Fraud cases are logged in Mistho’s Fraud Case Register and reviewed quarterly as part of Trust Framework compliance.

Data Subject Access Requests (DSARs)

If you wish to:

  • Access the data we hold about you
  • Request correction or deletion
  • Object to processing or withdraw consent

You can contact privacy@mistho.io or complaints@mistho.io.

We will:

  1. Verify your identity.
  2. Respond within one month (or sooner where possible).
  3. Where data has been shared with a relying party, direct or coordinate your request with them to ensure full compliance with GDPR Article 19.

Verification Failures & Alternative Options

If you cannot complete data sharing successfully through Mistho:

  • The relying party may restart the process to allow another attempt.
  • If repeated attempts fail, the relying party will remain your main contact to discuss alternative verification methods, such as manual or in-person checks.

Review and Continuous Improvement

  • This procedure is reviewed annually or after any significant incident or regulatory update.
  • Updates are approved by Mistho’s Information Security Management Team (ISMT).
  • The policy forms part of our ISMS and Trust Framework control set under Section 12.5 (Responding to Incidents).

Contact summary: