GB Group plc

GBG ID3global

Validates and verifies an individual's Age and Identity against the widest breadth of ID data sources and ID documents including financial information. Confirms an individual's identity details in real-time. Used across a wide range of Sectors including Central and Local Government, Financial Services and Retail to provide real-time identity assurance.

Features

• Transparency of granular results, allowing better informed decisions
• Improved and expedited end-customer experience
• Tailored scoring providing complete flexibility
• Fully electronic paper ID document not required
• Matching success typically return 10% to 15% more matches
• Management Information reporting and audits for compliance
• Direct business process integration
• Global data to facilitate cross border trade
• Bank Account Verification confirms a bank account to an individual
• Mobile data improves match rates for customers with low credit

Benefits

• Reduced operational costs
• Increased ability to combat and reduce fraud
• Anti-Impersonation, Affordability, Adverse Media, PEPs and Sanctions checks
• Enhanced customer experience
• Regulatory compliance
• In-built audit trail
• Ease of use
• More data to make better decisions
• One agreement, multiple users
• Scalability API can be pointed to multiple sites across organisation

£1,000 an instance a year

• Free trial available

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Bid.Management@gbgplc.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 13

Service ID

130268582988602

Contact

Geoff Bibby
01244 657333
Bid.Management@gbgplc.com

Service scope

• Software add-on or extension: No
• Cloud deployment model: Public cloud
• Service constraints: None
• System requirements:
  • Access to the internet
  • A recognised web browser
  • A DPA number from the ICO

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Within four hours provided the request is raised to the Helpdesk
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: None or don’t know
• Phone support: Yes
• Phone support availability: 24 hours, 7 days a week
• Web chat support: No
• Onsite support: Onsite support
• Support levels: 24x7 Helpdesk, named Account Manager and named Technical Account Manager.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: Support provided, onsite, online and via documentation.
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
• End-of-contract data extraction: Data can be extracted at anytime whilst the contract is in place.
• End-of-contract process: Contract covers a charge for a set-up and charge for data. Charges are dependent on usage, agreed before the contract is issued.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
• Application to install: No
• Designed for use on mobile devices: No
• Service interface: Yes
• User support accessibility: None or don’t know
• Description of service interface: Website with controlled user access via password. Access is controlled by system administrator once granted by GBG.
• Accessibility standards: None or don’t know
• Description of accessibility: User can use service with a keyboard or a mouse or both or either.
• Accessibility testing: None.
• API: Yes
• What users can and can't do using the API: SOAP API. No limitations.
• API documentation: Yes
• API documentation formats: HTML
• API sandbox or test environment: Yes
• Customisation available: Yes
• Description of customisation: Results and matching levels can be fully configured in line with specfic compliance requirements.

Scaling

• Independence of resources: The service has been load tested to ensure that this will not become an issue. Peak period for the service is driven by existing customer demand and is tested every six months.

Analytics

• Service usage metrics: Yes
• Metrics types: All data regarding usage and results is available online and to download.
• Reporting types:
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Developed Vetting (DV)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: No
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: ‘IT Health Check’ performed by a CHECK service provider
• Protecting data at rest:
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
  • Other
• Other data at rest protection approach: FIPS-assured encryption, assured by independent validation of assertion
• Data sanitisation process: Yes
• Data sanitisation type:
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: Via API call, SFTP upload or by keying in to a secure website.
• Data export formats:
  • CSV
  • Other
• Other data export formats: Excel
• Data import formats:
  • CSV
  • Other
• Other data import formats: Excel

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Other
• Other protection between networks: PSN assured service; PSN protected service; Assured by independent testing of implementation
• Data protection within supplier network: IPsec or TLS VPN gateway

Availability and resilience

• Guaranteed availability: Service up-time is typically 99.9%.; SLAs are referenced in the terms and conditions.; For a priority 1 fault, where the Service is not operational or is inaccessible, we aim to clear 80% of faults within 4 hours of GBG’s acknowledgement of the fault.
• Approach to resilience: This is information is available upon request. In practical terms we run a process where we fall-over to a back-up data centre if the primary data centre goes off-line.
• Outage reporting: Email alerts to users and technical contacts.

Identity and authentication

• User authentication needed: Yes
• User authentication: Username or password
• Access restrictions in management interfaces and support channels: Access is based on user type. Only administrators can have access to management interfaces.
• Access restriction testing frequency: At least every 6 months
• Management access authentication: Username or password

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: User-defined
• Access to supplier activity audit information: Users have access to real-time audit information
• How long supplier audit data is stored for: User-defined
• How long system logs are stored for: User-defined

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: BSI
• ISO/IEC 27001 accreditation date: 07/05/2022
• What the ISO/IEC 27001 doesn’t cover: Nothing available to Clients.
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: Yes
• Who accredited the PCI DSS certification: Verizon
• PCI DSS accreditation date: 5/5/2022
• What the PCI DSS doesn’t cover: Nothing.
• Cyber essentials: No
• Cyber essentials plus: No
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: The GBG Information Security Policy combines the development, delivery, management and maintenance of secure infrastructure and applications, in support of all GBG Identity Management offerings, and specifically Identity Verification and Assurance within GBG ID3global. ; Within GBG, the Chief Information Security Officer (CISO) has overall accountability for Information Security and it is the responsibility of the CISO to make the appropriate provisions for establishing controls to ensure adherence to the GBG Information Security Management System. ; The CISO provides the Executive Management Team and GBG Shareholders with an Information Security review at the end of the financial year. ; The Company Secretary has overall accountability for risk and Data Protection. The Company Secretary chairs the quarterly Internal Controls Board, and is the main document signatory for GBG. ; The Company Secretary is also head of GBG’s Legal team, who are responsible for ensuring compliance to all relevant legislation.

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: All changes to the service must be delivered under the governance of the GBG Change Management Process. No change will be approved without clear remediation or back-out plan, properly identified, documented, tested and approved. There are three levels of configuration and change management: Standard Change, Emergency Change and Reviewed Change. The latter is not a routine or standard change. If there is uncertainty as to whether or not further review is required, a review will be happen rather a decision made to press forward with a change and have it fail.
• Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Vulnerability management approach: The Vulnerability Management Process will involve assessing the extent to which the assets are vulnerable to the identified threat. Once the Vulnerability assessments have been conducted, the level of risk will then need to be determined. Risk’s with a risk rating which fall below the Risk Appetite for the business are ‘tolerated’. The Risk Appetite for GBG is Cautious. ; ; Risk’s that fall within the Risk Appetite will require the risk owner to create a treatment plan to reduce the level of risk. Treatment plans are proposed ideas or controls that can be implemented that would reduce the level of risk.
• Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Protective monitoring approach: This is ongoing process. The response is immediate.
• Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
• Incident management approach: The process is defined as part of the Information Security policy.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: No

Social Value

• Fighting climate change:

  Fighting climate change

  N/A
• Covid-19 recovery:

  Covid-19 recovery

  N/A
• Tackling economic inequality:

  Tackling economic inequality

  N/A
• Equal opportunity:

  Equal opportunity

  At GBG, we are committed to offering equal opportunities across our workforce. That’s why our employment, training, and career development policies and practices promote equality of opportunity.; Our be/yourself programme aims to support and promote inclusive and diverse culture at GBG. The initiative also looks at addressing imbalances in our business, industry and communities. ; We work to tackle the barriers to entry that many people, especially women, experience in the technology sector. Our approach to recruitment involves fair and transparent practices, with a focus on gender neutral job descriptions. We have also conducted a variety of training sessions to promote diversity and inclusion further throughout the Group. We are actively using partnerships to audit our approach to equal opportunities and offer alternative routes to recruitment. ; We engaged the Black Young Professions (BYP) network to help us deliver on this commitment and scale up action on increasing representation of Black and Minority Ethnic people within our team. ; We have also launched a partnership with Stonewall, to help us understand and support our LGBTQ+ team members and encourage a culture of belonging and acceptance. ; GBG is a gold sponsor of Women in Identity’s flagship research, the ID Code of Conduct. This work seeks to define a set of guiding principles that will drive greater diversity and inclusion in the design and development of digital identity solutions. ; Alongside our work on improving the accessibility of our products via the GBG Design System, we are committed to ensuring that our products and services are designed for, and can be used by, the broadest possible consumer base. Our solutions also enable inclusion for our financial services customers’ consumers as they use a wider set of data than traditional approaches, reducing discrimination against unbanked customers.
• Wellbeing:

  Wellbeing

  N/A

Pricing

• Price: £1,000 an instance a year
• Discount for educational organisations: No
• Free trial available: Yes
• Description of free trial: Trial will deliver full access for up to a month.

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Bid.Management@gbgplc.com. Tell them what format you need. It will help if you say what assistive technology you use.