Governance and Oversight

This section covers:

  1. Background

  2. Why is oversight necessary

  3. How HATDeX is regulated

  4. Being a HAT Owner: your rights

  5. Being a HAT Merchant

  6. Being a HAT Issuer

  7. Compliance

  8. HATDeX Legal Agreements


HAT: About and Purpose

The HAT Microserver is a new, fully scalable and advanced technology that enables individuals to have full ownership rights to their data and content through their ownership of a dedicated database, wrapped with containerised microservices. The HAT Microserver is fully portable across devices, but is commonly hosted in the cloud. It is issued by a HAT Issuer and by way of its legal, economic, technology architecture and through decentralised databases, the Intellectual Property Rights of personal data within can be legally owned, controlled and processed by individuals without an Issuer having any ability to view the content of the database (“zero knowledge” solution). The HAT is fully open sourced but services in the HAT ecosystem are built by commercial as well as non-profit organisations.

While data rights are given to individuals through open sourced HAT Microservers, data mobility (the movement of data to and from HATs to/from certified HAT Merchant applications) is enabled by the HATDeX Technology Services, collectively known as the HATDeX platform. With the HATDeX platform, individuals can install “data plugs” to bring their data in from the Internet, exchange data with applications through “data debits” and install tools in their microservers to have private analytics and algorithms for insights into their data, their health, their history and their memories. The HATDeX platform also operate the on-demand, scalable legal contracts issued and logged between HAT owners and applications and execute the instructions of HAT owners and HAT merchants for data exchange under a set of governance rules set by HATDeX that is aligned to the trust framework of the HAT Community Foundation (HATCF).

Who is HAT Data Exchange Ltd

HAT Data Exchange Ltd (HATDeX) is a commercial enterprise based in the U.K. that built the HATDeX platform and it operates the global HATDeX platform under the governance of the HAT Community Foundation, a members’ organisation that sets the top-level requirements for the trust framework. HATDeX also maintains the baseline technology of open sourced HATs. HATDeX and HATCF work together to promote the adoption of HATs. HATDeX has a social purpose within its articles of incorporation - that of enabling individual ownership of data and ensuring economic power for HAT owners through data ownership.

Why is oversight necessary

The HAT ecosystem transcend national boundaries. An individual i.e. a HAT owner, is a member of the Internet. Only the individual can allow websites and applications to interact with his/her own HAT, including websites and applications belonging to governments and industry. The HAT owner has the freedom to reveal or not reveal any data held within the HAT. However, Issuers of HATs can put restrictions on HATs that they issue e.g. when they issue children’s HATs and the HATs of the deceased. Issuers therefore set rules for the HATs they issue. While merchants and issuers are reviewed, rated and certified by HATDeX, these rules may, on occasion, require discussion and oversight. Similarly, HAT Merchants may put constraints on the way the data they put into HATs can be used. These constraints may or may not be reasonable. HATDeX as the commercial entity that execute the data contracts according to what parties wish to contract on, do so without a value judgement of what should be allowed/disallowed or what should be constrained for most of the cases. For some marginal cases, HATDeX will refer on to HATCF for advice. HATCF therefore oversees the HAT ecosystem as its governing body. HATCF represent HAT owners, HAT Merchants and HAT Issuers to ensure that the rules everyone operate on are fair and transparent while preserving the freedoms and data rights of individual HAT owners.

How HATDeX is regulated

HATDeX, as a UK company, is regulated by the Information Commissioner’s Office UK under registration number ZA244725 as the lead data protection authority globally only for HATDeX Account data (email and HAT URL) used to create HAT Microservers.

Once the HATs are created, HATDeX is neither the data controller or data processor of HAT Microserver data. The individual HAT owner is the only entity that is able to control and process data within his/her HAT. This means that the HAT owner’s data rights are protected. However, whenever data from HATs move e.g. shared with HAT merchant applications, it is HATDeX platform service that executes the instructions from HAT owners and HAT merchants. This means that data mobility is the responsibility of HATDeX.

HATDeX is therefore regulated by the HATCF as a “HAT Platform Provider”, a certified technology provider for the provisioning, issuance and vending of HAT Microservers; for the recording and logging of all contracts and permissions between HAT owners, HAT Merchants and HAT Issuers; for the execution of data exchanges between HAT Microservers and HAT-enabled applications; for reviewing, rating and certifying HAT Merchants and Issuers and for general data conduct in the HAT ecosystem.

The HATCF regulates HATDeX  through the following legal frameworks:

A. Statutory rights through Guardian Share

HATCF hold one guardian share of HAT Data Exchange Ltd for the preservation of its social purpose, even while it seeks to provide returns to shareholders.

As guardian shareholder and regulator, HATCF is entitled to a small “tax” of HATDeX’s revenues.

As guardian shareholder, HATCF must be consulted only for an exit that may result in >70% ownership of the company being transferred to a single entity (with a voting lock where 70% owner has the same voting power as other 30%).

As guardian shareholder, HATCF has the right to block or add conditions for an exit that may result in >70% ownership only in order to preserve the purpose.

B. Contracts and Definitions

HATCF approve changes to the following contracts and definitions on the HATDeX platform.

1. HAT Terms of Service

The HAT Terms of Service, along with the HAT Privacy Policy, the HAT Acceptable Use Policy on the HATDeX Platform set out the Terms on which HATDeX offers individuals access to and use of the HATDeX Platform, services, products and applications. Major changes to these agreements must seek the foundation’s approval.  

2. End-User Licence Agreements (EULA) of HAT Dashboard App

The EULA regulated by the foundation is the HAT App EULA as the HAT app is an “owner application” service provided by HATDeX and is used to browse and view all data within the HAT and also contain special functionalities for the owner to operate the HAT.

HAT Application (HAT App) End-user License Agreement is made between HATDeX and the user of the HAT Dashboard Application (HAT App), and its terms govern the provision of the HAT app and its services. Major changes to this agreement must seek the foundation’s approval.

3. Definitions

Legal definition of HAT and HAT owners is approved by HATCF, together with the glossary of terms. These terms are incorporated into legal contracts and documents wherever necessary. Major changes to these definitions must seek the foundation’s approval.

HAT Microserver:  A "HAT Microserver" is a personal software device that can be used to collect, store and ultimately control an individual’s data (as a HAT "Owner"). It consists of a single dedicated database wrapped with pieces of software code (Microservices).

In using a HAT Microserver, HAT owners execute the pieces of software code. These are sets of permissions and executions (collectively known as "the instructions") that would enable them to use their microserver as a universal data profile to be used with applications and services that are HAT enabled.

Such HAT Microserver Instructions (HMIs):

  • permit the collection of data from multiple Internet sources into the HAT Microserver database (“GET” permission)

  • permit the processing and transformation of data within the HAT Microserver (“PROCESS” permission)

  • permit the transfer of the data from within the HAT Microserver (“GIVE” permission)

  • permit the viewing of the HAT Microserver data (“READ” permission).

  • permit data to be written into the HAT Microserver data (“WRITE” permission)

  • execute the Microserver code to create data debits

  • execute the Microserver code to manage applications

  • execute the Microserver code to manage data and files

HAT Owner: HAT owners are individuals that own the intellectual property rights of their database within the HAT Microserver and are represented as owner members of the HAT Community Foundation.

HAT Microserver Instructions (HMI): A set of instructions given by a HAT owner to his/her HAT at the request of a HAT-certified application (“the application”). This set of instructions is logged by HATDeX as an exchange between the HAT owner and the company that runs the application. The HATDeX platform logs the following information:

  • The HMI ID and version number

  • The date and time the HMI ID and version is confirmed

  • The Instructions (permissions and executions) carried out by the HAT owner including any data debits as well as the list of data attributes exchanged through API calls

  • The HATDeX rating declared by the application at the point of exchange

  • Statistic reporting to both parties on the exchange

HAT-enabled Application (“App”) is a third-party service that may or may not be part of HATDeX Services. HATDeX make various "apps" available on the HATDeX Platform. Such applications are licensed and not sold to individuals and the individual licence to use the application will be dependent on their acceptance of additional terms (including in some instances payment terms) contained in an End User Licence Agreement that they will need to accept before using the application. Apps provide HAT owners with a service using a designated namespace in their HAT Microservers as data storage, and also enable HAT owners to exchange other HAT data with the App. HAT owners enable Data Plugs and Apps to act on their HAT Microservers by way of instructions. All HAT-enabled  applications must be reviewed, rated and certified by HATDeX through the HATLAB sandbox.

Glossary of Terms: Other definitions can be found at:

C. Usage of trademarks

The use any of HAT, trademarks, service marks, logos, domain names, or other distinctive brand features cannot be used without the Foundation’s prior written consent. It is not permitted to remove, obscure, conceal, modify or otherwise alter any proprietary rights notices, signs, trademarks, service marks, trade names, logos or other marks of HAT. Any such signs, trademarks, service marks, trade names, logos or other marks of HAT, HAT's affiliates or any third party cannot be used in a way that is intended to, likely to or foreseeable to mislead others or cause confusion about the owner, license holder or authorised user, as the case may be, of such marks, names or logos.

D. Technology

The baseline technology of the open-source HAT Microserver is AGPL license and is available at The technology is maintained by HATDeX under the oversight of HATCF.

E. Certification as HAT Platform Provider

HATDeX is given 5 years as the exclusive “HAT Platform Provider” within the Foundation after which time the Foundation shall at its sole discretion appoint other operators able to provide alternative platforms (alternative technologies to the HATDeX Platform) for HAT.

F. Membership

HATDeX shall ensure that Certified HAT Issuers and HAT Merchants that create apps, tools, plugs or other services on the HATDeX platform are members of the Foundation.

G. Review and Ratings of HAT Merchant Applications and constraints imposed by HAT Issuers

HATDeX reviews, rates and approve HAT Merchant Applications based on the HATDeX Rating System, with special cases being referred on to the Foundation Ethics and Governance Board (see below).

H. Approval of new protocols

HATCF and HATDeX work together to continuous improve the governance and operation of the ecosystem and the platform. The Foundation will be referred to for approving any protocols on HATs before they enter into force IF the protocols are not in line with the ethos of the open sourced HAT technology and the ecosystem

I. Ethics and Governance Board

HATDeX, it’s Merchants, Issuers and network of organisations are subject to oversight by the Foundation against the Foundation’s Trust Framework, Code of Practice or other standards established from time to time at the Foundation’s sole discretion. Issues raised are discussed at the Ethics and Governance Board.

Being a HAT Owner: Your rights

All HAT Merchants and HAT Issuers providing services on the HATDeX platform must be certified by HATDeX, so as a HAT Owner, you should always check that any HAT Merchant or HAT Issuer is on the HATDeX platform partner register before using it. You can check the list of partners at

The Merchant website or application that accept HAT data should have this badge on their website:


Whenever a HAT owner puts in his credentials (password etc), he should see this icon:


Your rights to your data

As a HAT owner, you have the right to request data into the HAT as subject access request, wherever the laws permit. HATDeX platform data plugs enable you to exercise that right by enabling the data plug.

As a HAT owner, you have the right to transform your own data. HATDeX SHE (Smart HAT Engine) enable you to do so by uploading pre-trained tools created by data scientists.

As a HAT owner, you have the right to use your data for your own benefit. HATDeX enables you to do so through the HAT dashboard App.

AS a HAT owner, you have the right to exchange your data for services and other benefits. HATDeX enables you to do so through HMIs and data debit contracts with third party applications created by HAT Merchants

As a HAT owner, you have the right to deny access to your data. HATDeX enables you to do so through the cancellation of data debits on your HAT dashboard app.

You may find that some issuers of HAT may impose restrictions on the way HATs are used. If you are unhappy with the restriction placed upon you by an issuer, you have the right to port your HAT to other issuers (this functionality is available when there are 2 or more HAT issuers).

Be alert – before you use one of these services make sure you are confident that:

  • organisations you share your information with are who they say they are

  • you understand the service and the data they are requesting from you.

Right to Complain

You have a right to complain to your HAT Merchant or HAT Issuer if you have a problem with the service they are providing. They must respond to your your complaint within 15 days unless there are exceptional circumstances.

If you are not happy with the firm’s response, they reject your complaint or you do not hear from them, you have the right to take your complaint to the HAT Community Foundation

If your complaint is about something your HAT Merchant or HAT Issuer has done, for example if a HAT Merchant or HAT Issuer have used your data inappropriately, you should contact the HAT Merchant or HAT Issuer to make a complaint. You have the same right to take your complaint to us at or HAT Community Foundation

How to Complain

If you are unhappy with a product or service, you can complain.

To make the process easier, follow these three steps to making a complaint:

Step 1: Contact the firm directly

  • If you have a complaint, it is best to first ask the firm involved to put things right.

  • Contact the firm as soon as possible. It is usually best to write to them so you have a record of what you say.

  • The HAT Merchants and HAT Issuers we regulate must respond to your complaint in writing within 4 weeks, telling you whether the complaint has been successful or why they need more time to look into it.

  • Firms are also required to respond in writing just to let you know they have received your complaint. So be sure you have a final response or it has been 4 weeks since you complained before you contact the HAT Community Foundation.

 Step 2: Contact the HAT Community Foundation

If you are not happy with the firm’s response, they reject your complaint or you do not hear from them within 4 weeks, the HAT Community Foundation may be able to help you.

The HAT Community Foundation will ask the HAT Merchant or HAT Issuer to explain what it thinks happened and then decide whether to uphold your complaint.

It is important you contact the HAT Community Foundation within 6 months of receiving a final response from the firm, or it may not be able to deal with your complaint.

Step 3: Take the matter to court

If you do not want to accept a decision by the HAT Community Foundation, as a last resort you may be able to take your case to court.

You would usually start civil legal action in the county courts or High Court (in England, Wales and Northern Ireland), depending on the circumstances of the case. In Scotland, most small claims are started in the Sheriff Courts.

How to protect yourself

We want HAT owners to enjoy the full benefits of their HAT Microserver, however there are some important things you should be aware of. 

  • Be alert – It is the responsibility of HAT owners to protect against any unauthorised access to your HAT Microserver.

  • Keep your password or other access information secret. Your password and log-in details are personal to you and should not be given to anyone else or used to provide shared access.

  • Do not share -  Ensure that no-one else uses your HAT Microserver, and that you do use any account data or account of any other HAT Owner or person than yourself without permission of the HAT Owner or person holding the respective account.

  • Make sure to update regularly - Keep your data in the HAT Microserver database useful and accurate through available HAT tools, apps and plugs and updating the said tools, apps and plugs when necessary.

  • Maintain good internet security practices.

Being a HAT Merchant

What are HAT Merchants?

HAT Merchants are organisations that have created HAT-enabled applications, plugs and tools. HATDeX merchants may also write data into a HAT Microserver depending on the permission given by the HAT owner. Merchants may request data to

  1. give recommendations or to personalise their offering.

  2. Store their applications user profile and activities when they outsource their user accounts to the HAT

HAT Merchants that create applications that request data pay HATDeX for data transactions (API calls) whenever they read/write data from/to the HAT after receiving the necessary permissions and entering into a contract with HAT owners

HATDeX execute data exchange instructions as permitted by HAT owners based on the contracts.

Certification: what’s involved

HAT Merchant Applications that read or write data from/to HAT Microservers have to be certified by HATDeX platform. Here’s a summary of what you need to know:

Becoming a HAT Merchant

You’ll have to begin with a partner enrolment form at HATLAB Sandbox. You will then receive a welcome kit consisting of all documentation and signposts needed to build your application on the HAT. You may then create your application with the help of the HATLAB sandbox team.

When your application is ready to go live, the HATLAB sandbox team will prepare your application for the review, rating and certification by the foundation team. Assuming all goes well, your application would go live and be listed on the HAT Dashboard App and on HATStore. Depending on your understanding of the HAT, this process may take 1 week to 3 months depending on your familiarity with HATs. You will also have to pay a certification fee to the foundation and become a member.

Being a HAT Issuer

What are HAT issuers?

HAT issuers are organisations that use the HATDeX platform to issue HAT Microservers as a “personal data account” to their customers. They may do so directly through an email, or through a HAT Merchant Application. Issuers obtain a share of revenue from data transactions when the HATs they issue transact with HAT Merchants. These revenues are fully scalable while ensuring their end-users data rights are preserved. HAT Issuers require no technical knowledge, and yet benefit from the personal data economy through the advanced technology, economic and data governance of the HATDeX platform.

Issuers have the right to set restrictions on HMIs e.g. for children or deceased persons and set also set other governance rules for their HAT owners. New protocols and governance rules are approved by HATDeX but on occasion, they may require the approval of the HAT Community Foundation.

Who qualifies to become a HAT Issuer?

HAT Issuers are usually large B2C organisations within a particular sector that have a large customer base and want to benefit from the data they hold of their customers by enabling their own customers to re-use and re-share their data. HAT Issuers can also be a B2B organisation with a network they can leverage on to be merchants vending HATs issued by them.

Becoming a HAT Issuer

Please book a call with HATDeX.


All HAT Merchants and Issuers must comply, before submitting their application and on a continuing basis, with the requirements and standards of personal data exchange under HATDeX platform policy.

What being ready and willing means

We expect firms to take data conduct seriously on the HATDeX platform and plan how they will meet the standards of the platform policy and HATCF trust framework before they apply. When we consider the extent to which a firm has planned ahead we ask ourselves whether the applicant is:


The review team will consider what the applicant has done when preparing to submit their application. Positive indicators can include:

  • Understanding the HAT and legal, economic and technological aspects of the HATDeX platform

  • making enquiries on the HAT slack channel

  • seeking legal/compliance advice when necessary

  • Understanding what is good data conduct, ethical and privacy preserving when requesting for HAT data


The review team will consider the attitude of the applicant during the certification process. Positive indicators include:

  • being open and honest in all their dealings with HATDeX in terms of their requests for data from HAT owners

  • being proactive about getting information to us to assess the application’s intention

  • demonstrating initiative to understand their responsibility in handling personal data

  • timeliness and availability of staff to deal with queries about the application

Legal Agreements

HAT and HATDEX policies


Other Hubofallthings Websites managed by HATDeX

Changes to the HAT and HATDEX Policies require approval from the HAT Community Foundation

Glossary of terms in the HAT ecosystem