Inverid Software B.V.

ReadID - Identity (document) verification including NFC, optical (OCR) and face matching/liveness

ReadID reads and verifies data in chips in ePassports and similar (ICAO 9303 compliant) identity documents using NFC technology. For non-chipped documents we can provide optical (OCR) services. Facial verification is optional.

ReadID is provided as client-only or as SaaS, with a mobile SDK or a white-label ready-to-use app.

Features

• Verification of (ICAO 9303) ePassport, ID/residence cards using NFC
• Orchestration with optical verification (OCR) solutions and facial verification/liveness
• Straight-through processing
• No manual input or OCR mistakes when using NFC
• High-resolution face image from the chip
• Digital signature verification and cloning detection at server side
• Powerful APIs/SDK available to build own app
• Alternatively: a ready-to-use white-label app
• Server-side (REST) APIs to get access to verification results
• Machine Readable Zone scanning/OCR optimised for smartphones

Benefits

• Verification of identity documents and optional face verification/liveness
• Orchestration with optical and facial verification can be added
• Server-side verification allows for self-service remote verification
• Secure to use, privacy-friendly
• Easy to use, by end users or own (branch) staff
• Dynamic animations help users by maximising conversion and satisfaction
• Full control over customer journey
• Fully automated, digital and scalable
• Chip data via ReadID server in XML, JSON and PDF
• High-resolution image in chip reduces look-a-like fraud

£0.10 to £1 a transaction a month

• Free trial available

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at readid@inverid.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 13

Service ID

275785064788228

Contact

Maarten Wegdam
+31 53 4878178
readid@inverid.com

Service scope

• Software add-on or extension: No
• Cloud deployment model:
  • Public cloud
  • Private cloud
  • Community cloud
  • Hybrid cloud
• Service constraints: NFC technology for chip reading is available on modern smartphones (iOS and Android) and some Android tablets.
• System requirements:
  • Android mobile phones/tablets with NFC (Android v5 and up)
  • IPhone's with NFC (from iOS 13.1, iPhone 7 and up)

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: The response time depends on the priority, see T&C for details.; The is 24x7 support for highest priority issues; for other issues, office hours apply.; ; Online ticketing system is available to customers only - not open to end users. WCAG support question below is therefore not applicable to online ticketing system.
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: None or don’t know
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: There are generic support channels (email, phone).; Support is included in the price. ; Additional professional services are available at a daily rate,; Each customer will get a primary technical contact during the implementation phase. On request, this can be continued after the implementation phase.; Extended support hours are possible at additional costs.; For P1 incidents there is 24x7 support.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: At the start there will be a kick off with the customer, in which the use-case will be explained and understood. Then we explain the technology and options regarding potential (happy/unhappy) flows, technical integration and business rules. Throughout the implementation phase a technical implementation lead will be available.; ; If the SDK is used, the customer (buyer) has full control over the functionality and UX of the app, and thus has to provide own user documentation.; ; For the white label app there is user documentation.; ; We can provide additional online and onsite user training if needed. ; ; Of course, we provide developer documentation to explain our APIs.
• Service documentation: Yes
• Documentation formats: PDF
• End-of-contract data extraction: The ReadID server API allows extracting of all identity document data.; ; The ReadID servers only cache the identity document information, i.e. , we do not provide long-term storage, since we do not want to have access to this very privacy sensitive information for a longer period. This data will also have been extracted during the contract.; ; Audit information can be extracted at the end of the contract at an additional cost.
• End-of-contract process: There are no additional costs.; ; Access to the API is removed. Customer (buyer) will have to stop using the SDK/libraries at the date the contract ends.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Chrome
  • Safari
• Application to install: Yes
• Compatible operating systems:
  • Android
  • IOS
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: The solution to use NFC technology requires a smartphone. ; ReadID Ready, the ready-to-use white-label app, can be triggered from a desktop or mobile web-session through, for example, a QR code. A stand-alone desktop solution is not available nor planned as it does not meet the service's technical requirements. ; ; There is a desktop (browser) based management portal for the service, but this is only for the customer (administrator) to manage the service, not to use the service.
• Service interface: Yes
• User support accessibility: WCAG 2.1 AA or EN 301 549
• Description of service interface: If the Customer uses the ReadID SDK, the service interface will be defined by the Customer. For ReadID Ready, the ready-to-use app is provided by InnoValor to the end-user.
• Accessibility standards: WCAG 2.1 AA or EN 301 549
• Accessibility testing: Regular usability end-user testing is conducted.
• API: Yes
• What users can and can't do using the API: There is a client-side API, i.e., to implement into a mobile app. This can call the Machine Readable Zone and Visual Inspection Zone scanning/capturing functionality and the NFC reading functionality.; ; There is server-side API, to get the results of the identity document VIZ capture, chip data and chip verification.; ; In case of orchestration with optical (OCR) and/or facial verification, additional results will be provided.
• API documentation: Yes
• API documentation formats:
  • HTML
  • PDF
  • Other
• API sandbox or test environment: Yes
• Customisation available: Yes
• Description of customisation: ReadID can be considered a toolbox, where the customer (buyer) can determine how to use it and integrate this in the mobile app. For example, how to implement the UX and what security mechanisms to use.; ; The are two levels of client-side APIs: SDK Base (low-level) with full UX customisation options, and SDK UI (high-level) including UX screens and dynamic animations based on chip/antenna location in document and smartphone. In addition, there is a white-label ready-to-use app (ReadID Ready).

Scaling

• Independence of resources: ReadID is fully automated and can scale almost unlimited. ReadID does auto-scaling.; ; ReadID can be provided as a multi-tenant environment (shared resources) or as a single-tenant environment which is fully at the disposal of the customer.

Analytics

• Service usage metrics: Yes
• Metrics types: Metrics on ReadID's operations are supplied via an online management portal in which the customer (buyer) can see the following information such as the number of transactions executed per period of time (hour, day, month, year, etc.) and audit logs. ; ; In addition the customer (buyer) will have access to the specific Customer dashboard containing details such as processed documents, security features, countries and smartphones.
• Reporting types: Real-time dashboards

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Security Clearance (SC)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations:
  • United Kingdom
  • European Economic Area (EEA)
• User control over data storage and processing locations: Yes
• Datacentre security standards: Supplier-defined controls
• Penetration testing frequency: At least every 6 months
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest:
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
• Data sanitisation process: Yes
• Data sanitisation type:
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: Identity document data is exported via de provided API.; Alternatively, the management portal allows manual export (JSON, XML or PDF). Exported data can be signed.; ; Billing data is exported via the management portal, as CSV.
• Data export formats:
  • CSV
  • Other
• Other data export formats:
  • JSON
  • XML
  • PDF
• Data import formats: Other
• Other data import formats: Not applicable

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • TLS (version 1.2 or above)
  • Legacy SSL and TLS (under version 1.2)
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: We offer a 99.5% availability in our default SLA.
• Approach to resilience: We use a combination of 1) several servers that are stateless and automatically restart if unhealthy, 2) redundant database and 3) several availability zones.
• Outage reporting: We monitor the service via different means, including automated end-to-end tests. If there is an outage, the customer is notified via email.; ; The customer has the option to access a customer dashboard; we are working on an API.

Identity and authentication

• User authentication needed: Yes
• User authentication: Other
• Other user authentication: How/if the end-users authenticate in the app is up to the customer ( buyer), if the SDK is used. For the ready-to-use app they need a token, e.g., provided as a QR code.; ; The apps/SDK need to use a password-like authentication mechanism (static or dynamic); this is hidden from the end-users.
• Access restrictions in management interfaces and support channels: For the management interface two-factor authentication is used. ; ; For the support channel one-factor authentication is used.
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users have access to real-time audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: TÜV AUSTRIA Deutschland GmbH
• ISO/IEC 27001 accreditation date: 20/02/2018
• What the ISO/IEC 27001 doesn’t cover: Not applicable
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: No
• Other security certifications: Yes
• Any other security certifications:
  • ISO27701 (Privacy Management)
  • Component certification eIDAS for QTSP
  • Component certification eIDAS eIDAS High
  • SOC II type 2

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: Important roles for the security polices are a CISO and DPO.; ; Our ISO27001 ISMS and Security documentation details the information security policies and processes, including internal and external audits if they are properly followed. Details are available upon request.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: We use a state of the art source code repository system, including issue tracking. We combine this with processes such as manual code reviews and automated source code scans.
• Vulnerability management type: Undisclosed
• Vulnerability management approach: We have very strict processes for this, including monitoring public sources for known vulnerabilities and frequent patching.; ; Details are available to customers.
• Protective monitoring type: Undisclosed
• Protective monitoring approach: We use a combination of an intrusion detection system, centralized logging on different layers and a 24x7 team to respond to potential compromises.; ; Details are available to customers.
• Incident management type: Undisclosed
• Incident management approach: This is part of our ISO27001 certified ISMS, and includes a formalised data breach policy.; ; Details are available to customers.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: No

Social Value

• Fighting climate change:

  Fighting climate change

  In the core replaces our services physical identity verification processes, removing the need for people to travel. We stimulate our own staff with different measures to commute using public transport and/or bikes. We are switching to ARM powered cloud infrastructure, substantially reducing power consumption.
• Covid-19 recovery:

  Covid-19 recovery

  We already embraced hybrid working before the pandemic and have promoted it, whilst creating safe opportunities to work at the office for this that need or like this.; Also, the ReadID technology as such enables secure remote identity verification, an important element of reducing contact in society
• Equal opportunity:

  Equal opportunity

  We encourage people from different countries and nationalities to work with us. We now have 11 nationalities in our 50+ workforce. We made substantial investments in creating an accessible office for disabled people. Our code of conduct, shared with suppliers, for example prohibits forced labour, ill-treatment of employees, and human trafficking.
• Wellbeing:

  Wellbeing

  InnoValor allows for flexible working hours and actively promotes social activities. Employees are contractually guaranteed to be free of conflicts of interests, allowing them to perform their company work objectively and effectively.

Pricing

• Price: £0.10 to £1 a transaction a month
• Discount for educational organisations: No
• Free trial available: Yes
• Description of free trial: A free ReadID demo app is available in the App and Play Store. ; ; Contact us for access to other iOS or Android apps.; ; Access to the APIs is not included in the free trial.
• Link to free trial: For Android this is: https://play.google.com/store/apps/details?id=nl.innovalor.nfciddocshowcase or For iOS this is: https://apps.apple.com/nl/app/readid-nfc/id1463949991

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at readid@inverid.com. Tell them what format you need. It will help if you say what assistive technology you use.