Third-Party Contractors. Your Site. Your Liability.
The reality of contractor verification in the UK.
Contractor identity verification with Certifyd ensures that every third-party worker accessing your site is who they claim to be. Certifyd uses bi-directional authentication — both the site manager and the contractor cryptographically prove their identity to each other in real time. The system verifies not just the contractor’s name, but their active employment or contract with the sending company, their authorisation for your specific site, and their current status. Every site access event creates a tamper-proof audit record.
The UK has approximately 4.4 million self-employed workers, and over half of large businesses use contractors regularly. Contractors access office buildings, data centres, construction sites, hospitals, and government facilities — often with the same level of physical access as permanent employees, but with far less identity verification.
The hiring business typically relies on the contracting company to vet its own people. But that vetting happens at the contracting company’s end, and the hiring business has no independent way to verify that the person who arrives is the person who was vetted. When a contractor sends a substitute, when a subcontractor arrives instead of the named individual, or when a contract changes hands mid-project, the identity chain breaks.
For businesses subject to ISO 27001, SOC 2, PCI DSS, or government security requirements, contractor identity verification is not optional. Certifyd provides device-bound, bi-directional authentication that creates tamper-proof access records for every contractor visit. This satisfies audit requirements and gives the hiring business cryptographic assurance that the person on their premises is who they claim to be and is authorised by the sending company.
This is broken.
Here's why.
Contractors are vetted by their own company, not by the business whose site they’re accessing.
Substitutions and subcontracting mean the person who arrives may not be the person who was approved.
Visitor sign-in systems capture a name and time — they don’t verify identity or company affiliation.
Security standards (ISO 27001, PCI DSS) require identity verification evidence that visitor logs don’t provide.
Simple verification.
Every time.
Contracting company registers as an Organisation on Certifyd and adds each contractor as a member
Each contractor registers their device, creating a cryptographic identity bound to their phone
At each site visit, the contractor verifies through Certifyd — confirming identity, company membership, and site authorisation
A tamper-proof record is created: who accessed the site, when, and under whose organisational authority
“A lot of companies are trying to do all the legwork themselves as hiring managers, because they don’t want the headcount on a HR person when they only recruit two or three people a year.” — People Manager, SME
Common questions.
Visitor management systems record that a person signed in. Certifyd verifies that the person is who they claim to be. A visitor sign-in captures a name and a time — anyone can write any name. Certifyd uses device-bound cryptographic authentication: the contractor proves their identity through their registered device, their active membership with the sending company is confirmed in real time, and a tamper-proof record is created. It’s the difference between a signature and a cryptographic proof.
Yes. ISO 27001 requires organisations to control access to information and facilities, including for third-party contractors. Certifyd provides verifiable, tamper-proof records of contractor identity and access events. These records satisfy the audit evidence requirements of Annex A controls related to physical security, access management, and supplier relationship security.
A contractor’s Certifyd identity is portable. They verify at each client site they access, with the system confirming their identity, company membership, and site-specific authorisation. Each visit creates a separate audit record. The contractor’s identity is consistent across all sites, but authorisation is site-specific — access to one site doesn’t grant access to another.
The contracting company revokes the individual’s membership or site-specific authorisation through Certifyd. The revocation takes effect instantly. The contractor can no longer verify at that site. Unlike physical access cards (which can be retained or copied), device-bound cryptographic access cannot be transferred. When it’s revoked, it’s gone.