ProofID Ltd

Ping Identity

PingOne is a cloud-based identity as a service (IDaaS) framework for secure identity access management that uses an organization-based model to define tenant accounts and their related entities within the PingOne platform.

Using the PingOne console, configure and manage your PingOne organization.

Features

• Single sign-on capabilities for seamless access to multiple applications
• Multi-factor authentication options to enhance security
• User provisioning and de-provisioning for efficient management of user access
• Identity federation for integrating with external identity providers
• Verify User Identity
• Prevent Fraud
• Gain Visibility into all risks events and mitigation

Benefits

• Improved user experience with simplified access to applications
• Enhanced security with multi-factor authentication and access controls
• Increased productivity through streamlined user provisioning and management processes
• Reduced administrative burden with centralized identity management
• Confirm the person is who they say they are
• Use live face capture and governmentID authentication to detect spoofing
• Deep dive into risk with reports and dashboards

£50,000 a unit a year

• Education pricing available
• Free trial available

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at sales@proofid.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

281702190216213

Contact

Andy Rutter
0753 912 7901
sales@proofid.com

Service scope

• Software add-on or extension: No
• Cloud deployment model:
  • Public cloud
  • Private cloud
• Service constraints: N/A
• System requirements: N/A

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: “Business Hours” 8am-6pm local time, Monday to Friday, except local public holidays for non-severity 1 cases. For all severity 1 cases: 7 days a week at 24 hours a day coverage. Severity 1 - Response time one hour; Severity 2 - Response time two hours; Severity 3 - Response time eight hours; Severity 4 - Response time 12 hours.
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: WCAG 2.1 AA or EN 301 549
• Phone support: Yes
• Phone support availability: 24 hours, 7 days a week
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: 1. Responsibilities.; 1.1 During the Subscription Term, Ping Identity shall, in accordance with Section 2 of this Policy:; ; (a) provide Customer access to all generally available updates, upgrades, enhancements, fixes, and new versions of the Software;; ; (b) respond to and Resolve all Errors;; ; (c) maintain Uptime Availability for the Service of 99.99%;; ; (d) provide unlimited telephone support to Customer during all Support Hours; and; ; (e) provide Customer with online access to a support portal . The Support Portal may include a case submission form, case status and history, security advisory history, license history, access to download licensed Products, knowledge base articles, and Documentation.; ; 1.2 During the Support Period, Customer shall:; ; (a) provide prompt notice of any Errors via the Support Portal (each, a "Support Request"). Customer shall include in each Support Request a description of the reported Error and the time Customer first observed the Error;; ; (b) cooperate and assist Ping Identity in Resolving the Support Request by taking any reasonably necessary actions that Ping Identity may request. ; ; for more information on support please click on the following link: https://www.pingidentity.com/en/legal/support-policy.html
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: ProofID provides professional services, during the initial phase of deployment. Comprehensive documentation is provided by Ping to cover all aspects of the Ping Stack functionality. All Ping documentation is provided online via the Ping web portal and includes technical white papers, implementation guidance and other documentation. Ping also includes a User Forum where clients can ask specific questions and get answers from our technical support staff and other clients. Ping offers instructor-led Administrator and Implementation training sessions that are tailored to each customer’s deployment.
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
• End-of-contract data extraction: The necessary data can be extracted via API's
• End-of-contract process: Upon termination of the SaaS Agreement or expiration of the Subscription Term, Ping Identity shall immediately cease providing the SaaS Services and all usage rights granted under this SaaS Agreement shall terminate. The contract (SaaS subscription) includes access to the service and customer support for the service. All professional services are additional costs and this would include any transitional professional services required at the end of the contract.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
• Application to install: No
• Designed for use on mobile devices: No
• Service interface: No
• User support accessibility: WCAG 2.1 AA or EN 301 549
• API: No
• Customisation available: No

Scaling

• Independence of resources: PingOne is designed to scale horizontally, meaning it can handle increased loads by adding more instances of its components rather than scaling up individual instances. This approach allows PingOne to accommodate growing numbers of users, applications, and transactions efficiently.

Analytics

• Service usage metrics: No

Resellers

• Supplier type: Reseller providing extra features and support
• Organisation whose services are being resold: Managed Services

Staff security

• Staff security clearance: Conforms to BS7858:2019
• Government security clearance: Up to Developed Vetting (DV)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations:
  • United Kingdom
  • European Economic Area (EEA)
• User control over data storage and processing locations: Yes
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest:
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
• Data sanitisation process: Yes
• Data sanitisation type: Explicit overwriting of storage before reallocation
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: Data can be exported via PingOne API's
• Data export formats: Other
• Other data export formats: API
• Data import formats: Other
• Other data import formats: API

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • Legacy SSL and TLS (under version 1.2)

Availability and resilience

• Guaranteed availability: The SaaS Services will achieve System Availability of at least 99.9% during each calendar month of the Subscription Term. “System Availability” means the number of minutes in a month that the key components of the SaaS Services in a Customer production environment are operational as a percentage of the total number of minutes in such month, excluding downtime resulting from (a) scheduled maintenance, (b) events of Force Majeure, (c) malicious attacks on the system, (d) issues associated with the Customer’s computing devices, local area networks or internet service provider connections.
• Approach to resilience: This information will be made available on request.
• Outage reporting: Any service outages would be made avialble at the following link: https://status.pingidentity.com/ you can subscribe to the page and receive email updates.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
• Access restrictions in management interfaces and support channels: This can be configured as vendor documentation states.
• Access restriction testing frequency: At least once a year
• Management access authentication:
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: Between 1 month and 6 months
• Access to supplier activity audit information: Users have access to real-time audit information
• How long supplier audit data is stored for: Between 1 month and 6 months
• How long system logs are stored for: Between 1 month and 6 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: Alcumus
• ISO/IEC 27001 accreditation date: 19/12/2022
• What the ISO/IEC 27001 doesn’t cover: N/A ProofID's ISO27001:2013 certification covers the entire business, staff, processes and assets in the provision of Identity and Access Management facilities at ProofID's Old Trafford office, remote staff and 3rd Party Hosted cloud provision in accordance with statement of applicability v13
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: No
• Cyber essentials plus: No
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: ProofID operate a comprehensive Information Security Manual which is aligned and certified as ISO27001:2013 as part of our ISO certification. This certification covers all areas of the business and services provided to customers. ProofID have an information security committee which meets quarterly to review the organisations ISMS and associated policies, this committee is comprised of individuals from across the business and chaired by the Technical Director which is part of the ProofID board of directors. Information Security status, updates and events are reported as part of the regular management meetings and also covered as part of the board meetings (every 2 months). All line managers within the business are responsible for ensuring the adherence to the organisations information security policies within their area of the business and where relevant drafting and owning policies relevant to their business areas under the supervision of the Technical Director. Information Security is a key part of ProofID and is included in employees induction and are brief on the policies, event reporting etc. Breaching of the information security policies is covered as part of the organisations employment and disciplinary procedures.

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: As part of ProofID's ISMS and ISO27001:2013 certification change and configuration management procedure is followed. All components of the service are covered through the procedure including servers, network links, applications, security components etc. When a change is required a change request is created detailing the assets impacted, change, backout plan, details of relevant testing, any security implications are flagged by the requestor. The change board then reviews the requested change to ensure sufficient details and also compliance with the organisations information security policies and associated risks, as required a risk assessment will be performed is a security risk is identified.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: Vulnerabilities are assesses using the following criteria which drives the patching approach Is the vulnerability exploitable outside of the network? How complex must an attack be to exploit the vulnerability? Is authentication required to attack? Does the vulnerability expose confidential data? The Organization has established the following timeline requirements for reacting to notifications of relevant vulnerabilities: Remote, unauthenticated, non-complex attacks: < 1 day Remote, authenticated, non-complex attacks: 1 day Remote, complex attacks exposing confidential information: 1 day All others: 1 week Notifications are received through subscribing to the applications vulnerability notification systems (emails, RSS feeds etc)
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: Potential compromises are identified through system monitoring and log file analysis looking for unusual patterns of activity and configuration changes Should a security breach (physical and systems) be identified or suspected which directly or indirectly involves customer data then the Information Security Manager is responsible for immediately notifying the relevant customer(s). Incidents involving high-value or business critical systems (as identified under section 8.1 of the Manual) are immediately reported to the Information Security Manager.
• Incident management type: Supplier-defined controls
• Incident management approach: All information security events and weaknesses are, immediately upon receipt, recorded by Support team in WebTrack, then assessed and categorized by the Information Security Manager (whom automatically receives confirmation by email of a new recorded incident/event or update). ProofID have a standard process of handling events, vulnerabilities, incidents and unknown events with associated process and priorities. Root cause analysis and corrective actions are recorded and where relevant feed back to the affected individuals, these are reviewed at the quarterly information security committee meetings.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  • Equal opportunity
  • Wellbeing

  Equal opportunity

  ProofID is committed to valuing diversity and seek to provide all staff with the opportunity for employment, career and personal development on the basis of ability, qualifications and suitability for the work as well as their potential to be developed into the job.; We believe people from different backgrounds can bring fresh ideas, thinking and approaches which make the way work is undertaken more effective and efficient.; The company will not tolerate direct or indirect discrimination against any person on grounds of age, disability, gender / gender reassignment, marriage / civil partnership, pregnancy / maternity, race, religion or belief, sex, or sexual orientation whether in the field of recruitment, terms of conditions of employment, career progression, training, transfer or dismissal.; It is also the responsibility of all staff in their daily actions, decisions and behaviour to promote these concepts, to comply with all relevant legislation and to ensure that thy do not discriminate against colleagues, customers, suppliers or any their person associated with the Company.

  Wellbeing

  ProofID has a wellbeing policy in place for members of staff.; The company recognises that a mental wellbeing impact for one person can be very different to another person and this policy has been developed with this in mind taking those individual needs and requirements into account. This case by case approach does mean that the company may respond differently to each unique set of circumstances.

Pricing

• Price: £50,000 a unit a year
• Discount for educational organisations: Yes
• Free trial available: Yes
• Description of free trial: To sign up for the 30 day trial, simply provide your business email address, verify it, and select the type of trial you want to experience. Within a matter of minutes, an account with an administrator's environment will be set up for you to evaluate.
• Link to free trial: https://www.pingidentity.com/en/try-ping.html

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at sales@proofid.com. Tell them what format you need. It will help if you say what assistive technology you use.