GB Group plc

GBG ID3global

Validates and verifies an individual's Age and Identity against the widest breadth of ID data sources and ID documents including financial information. Confirms an individual's identity details in real-time. Used across a wide range of Sectors including Central and Local Government, Financial Services and Retail to provide real-time identity assurance.

Features

• Transparency of granular results, allowing better informed decisions
• SuperBureau functionality checks agiant all three CRAs
• GBG Score creates unique confidence score for returned verification responses
• Fully electronic paper ID document not required
• Matching success typically return 10% to 15% more matches
• Management Information reporting and audits for compliance
• Direct business process integration
• Global data to facilitate cross border trade
• Bank Account Verification confirms a bank account to an individual
• Mobile data improves match rates for customers with low credit

Benefits

• Reduced operational costs
• Increased ability to combat and reduce fraud
• Anti-Impersonation, Affordability, Adverse Media, PEPs and Sanctions checks
• Enhanced customer experience
• Regulatory compliance
• In-built audit trail
• Ease of use
• More data to make better decisions
• One agreement, multiple users
• Scalability API can be pointed to multiple sites across organisation

£1,000 an instance a year

• Free trial available

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Bid.Management@gbgplc.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

280663843205307

Contact

Rhys Davies
01244 657333
Bid.Management@gbgplc.com

Service scope

• Software add-on or extension: No
• Cloud deployment model: Public cloud
• Service constraints: None
• System requirements:
  • Access to the internet
  • A recognised web browser
  • A DPA number from the ICO

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Within four hours provided the request is raised to the Helpdesk
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: None or don’t know
• Phone support: Yes
• Phone support availability: 24 hours, 7 days a week
• Web chat support: No
• Onsite support: Onsite support
• Support levels: 24x7 Helpdesk, named Account Manager and named Technical Account Manager.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: Support provided, onsite, online and via documentation.
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
• End-of-contract data extraction: Data can be extracted at anytime whilst the contract is in place.
• End-of-contract process: Contract covers a charge for a set-up and charge for data. Charges are dependent on usage, agreed before the contract is issued.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
• Application to install: No
• Designed for use on mobile devices: No
• Service interface: Yes
• User support accessibility: None or don’t know
• Description of service interface: Website with controlled user access via password. Access is controlled by system administrator once granted by GBG.
• Accessibility standards: None or don’t know
• Description of accessibility: User can use service with a keyboard or a mouse or both or either.
• Accessibility testing: None.
• API: Yes
• What users can and can't do using the API: SOAP and REST APIs. No limitations.
• API documentation: Yes
• API documentation formats: HTML
• API sandbox or test environment: Yes
• Customisation available: Yes
• Description of customisation: Results and matching levels can be fully configured in line with specific compliance requirements.

Scaling

• Independence of resources: The service has been load tested to ensure that this will not become an issue. Peak period for the service is driven by existing customer demand and is tested every six months.

Analytics

• Service usage metrics: Yes
• Metrics types: All data regarding usage and results is available online and to download.
• Reporting types:
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Developed Vetting (DV)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: No
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: ‘IT Health Check’ performed by a CHECK service provider
• Protecting data at rest:
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
  • Other
• Other data at rest protection approach: FIPS-assured encryption, assured by independent validation of assertion
• Data sanitisation process: Yes
• Data sanitisation type:
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: Via API call, SFTP upload or by keying in to a secure website.
• Data export formats:
  • CSV
  • Other
• Other data export formats: Excel
• Data import formats:
  • CSV
  • Other
• Other data import formats: Excel

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Other
• Other protection between networks: PSN assured service; PSN protected service; Assured by independent testing of implementation
• Data protection within supplier network: IPsec or TLS VPN gateway

Availability and resilience

• Guaranteed availability: Service up-time is typically 99.9%.; SLAs are referenced in the terms and conditions.; For a priority 1 fault, where the Service is not operational or is inaccessible, we aim to clear 80% of faults within 4 hours of GBG’s acknowledgement of the fault.
• Approach to resilience: This is information is available upon request. In practical terms we run a process where we failover to a back-up data centre if the primary data centre goes off-line.
• Outage reporting: Email alerts to users and technical contacts.

Identity and authentication

• User authentication needed: Yes
• User authentication: Username or password
• Access restrictions in management interfaces and support channels: Access is based on user type. Only administrators can have access to management interfaces.
• Access restriction testing frequency: At least every 6 months
• Management access authentication: Username or password

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: User-defined
• Access to supplier activity audit information: Users have access to real-time audit information
• How long supplier audit data is stored for: User-defined
• How long system logs are stored for: User-defined

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: BSI
• ISO/IEC 27001 accreditation date: 07/05/2022
• What the ISO/IEC 27001 doesn’t cover: Nothing available to Clients.
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: Yes
• Who accredited the PCI DSS certification: Verizon
• PCI DSS accreditation date: 9/6/2023
• What the PCI DSS doesn’t cover: Nothing.
• Cyber essentials: No
• Cyber essentials plus: No
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: The GBG Information Security Policy combines the development, delivery, management and maintenance of secure infrastructure and applications, in support of all GBG Identity Management offerings, and specifically Identity Verification and Assurance within GBG ID3global. ; Within GBG, the Chief Information Security Officer (CISO) has overall accountability for Information Security and it is the responsibility of the CISO to make the appropriate provisions for establishing controls to ensure adherence to the GBG Information Security Management System. ; The CISO provides the Senior Leadership Team and GBG Board with an Information Security review at the end of the financial year. ; The Chief Regulation Officer (CRO) has overall accountability for risk and Data Protection. The CRO chairs the quarterly Internal Controls Board, and is the main document signatory for GBG. ; The CRO is also head of GBG’s Legal team, who are responsible for ensuring compliance to all relevant legislation.

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: All changes to the service must be delivered under the governance of the GBG Change Management Process. No change will be approved without clear remediation or back-out plan, properly identified, documented, tested and approved. There are three levels of configuration and change management: Standard Change, Emergency Change and Reviewed Change. The latter is not a routine or standard change. If there is uncertainty as to whether or not further review is required, a review will be happen rather a decision made to press forward with a change and have it fail.
• Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Vulnerability management approach: The Vulnerability Management Process will involve assessing the extent to which the assets are vulnerable to the identified threat. Once the Vulnerability assessments have been conducted, the level of risk will then need to be determined. Risk’s with a risk rating which fall below the Risk Appetite for the business are ‘tolerated’. The Risk Appetite for GBG is Cautious. ; ; Risk’s that fall within the Risk Appetite will require the risk owner to create a treatment plan to reduce the level of risk. Treatment plans are proposed ideas or controls that can be implemented that would reduce the level of risk.
• Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Protective monitoring approach: This is ongoing process. The response is immediate.
• Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
• Incident management approach: The process is defined as part of the Information Security policy.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  Equal opportunity

  Equal opportunity

  At GBG our Environmental, Social and Governance Strategy (ESG) – Environment, Everyone and Ethics – reinforces our commitment to embed a sustainable and ethical approach in everything we do. It represents what makes us unique and provides the framework to drive action on the most impactful and important areas.; As part of GBG’s participation on the G-Cloud14 Framework, we have a Social Value Action Plan that is updated annually, demonstrating our commitments to meeting PPN06/20. ; GBG commits to offering equal opportunities across our global workforce, achieved through our employment, training, and career development policies and practices, promoting equality of opportunity regardless of gender, sexual orientation, age, marital status, education, disability, race, religion or other beliefs including ethnic or national origin.; Everyone in our team has access to opportunities to learn, develop skills, grow their careers and progress. Through our training platform ‘be/developed’, we offer a broad range of power skills and job specific learning opportunities, updated regularly, promoting an inclusive and diverse culture. The platform is available to all GBG team members, including part-time and contractors, who are required to complete mandated training courses. We partner with different training providers globally to provide a mix of specialist and professional development for our team.; Influencing the behaviour of our staff and the communities we work in is imperative to GBG’s mission as an organisation. Examples include:; 1. Demonstrating our commitment to Equality and Diversity.; 2. Support LGBTQ+ team members, encouraging a culture of belonging and acceptance.; 3. Tackle barriers to entry that many people experience, especially women in the technology sector.; 4. GBG is a gold sponsor of Women in Identity’s flagship research, the ID Code of Conduct.; GBG’s ESG commitments can be found here: Environmental, Social and Governance | Investors | GBG (gbgplc.com)

Pricing

• Price: £1,000 an instance a year
• Discount for educational organisations: No
• Free trial available: Yes
• Description of free trial: Trial will deliver full access for up to a month.

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Bid.Management@gbgplc.com. Tell them what format you need. It will help if you say what assistive technology you use.