TRANSUNION INTERNATIONAL UK LIMITED

TransUnion - Data Breach Solutions - TrueIdentity

Help minimise the risk following a data breach and build trust with data subjects using TrueIdentity from TransUnion, delivering Credit Report, Credit Alerts and Dark Web Monitoring to individuals whose personal data has been exposed. It helps monitor and detect signs of identity theft, as well as restore their identities.

Features

• IDVerification: Confirm consumer is who they are claiming to be
• Online Access: Mobile optimised access to TransUnion credit report
• Credit Alerts: Email notifications of key changes to credit file
• Credit Score: Access to the TransUnion credit score
• Dark Web Monitoring: for exposed personal data
• Credit Education: including, fraud victim assistance and identity protection
• Cifas: TransUnion can facilitate a proactive registration with Cifas
• Email Notification: TransUnion can facilitate the data breach notification
• Postal Notification: TransUnion can facilitate the notification via post
• Contact Centre: TransUnion can provide an emergency contact centre

Benefits

• Helps to protect businesses from potential wider reputational damage
• Reduce the likelihood of affected consumers suffering financial loss
• Used as a mitigating factor in Information Commissioner’s Office investigations
• Reduce the likelihood of successful compensation claims
• Reduce the number of consumers lost and help repair trust
• Reduce wider reputational damage
• Available in 24-hours immediately helping reducing the reputational damage
• Proactively available sitting within your incident response plan
• Use our contact centre to reduce the workload
• Allow us to facilitate the notification on your behalf

£2.85 to £16.25 a unit

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at mark.pestereff@transunion.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 13

Service ID

289117823711762

Contact

Mark Pestereff
07773 212093
mark.pestereff@transunion.com

Service scope

• Software add-on or extension: No
• Cloud deployment model: Private cloud
• Service constraints: Please refer to the Service Definition
• System requirements: Web access requires internet browser

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: We have a range of SLA's depending on the nature and criticality of the ticket; full details can be agreed as part of any contract.
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: Telephone and Email support available for consumer access queries and credit report disputes
• Support available to third parties: No

Onboarding and offboarding

• Getting started: You will have access to our team of experts who will be available to help with the roll out of service. Our dedicated team are available to provide initial and ongoing support as required. This team will deliver bespoke FAQs and notification support.
• Service documentation: Yes
• Documentation formats: PDF
• End-of-contract data extraction: N/A
• End-of-contract process: At point of contract ending or terminating, the service is closed down and access for registered users is prevented.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: User experience mobile optimised
• Service interface: No
• User support accessibility: None or don’t know
• API: No
• Customisation available: No

Scaling

• Independence of resources: Our platform is hosted in Microsoft Azure allowing us to easily scale out with the provision of additional nodes for the web and app tiers and scale up the database to meet capacity demands. High availability is supported by SQL AG for data and for the application we have load balanced servers that can scale out to meet demand and will fail over automatically to a DR site for resilience. We closely monitor the environment for visibility of potential bottlenecks in throughput to enable us to act proactively ahead of demand peaks and react quickly as required.

Analytics

• Service usage metrics: Yes
• Metrics types: Our standard report includes the following metrics. Additional reporting requirements can be considered upon request. ; ; 1. Number of Registrations ; 2. Number of Successful Registrations ; 3. Number of Registrations resulting in a 'thin file' ; 4. Number of Unsuccessful Registrations ; 5. Number of Activations ; 6. Number of Logins ; 7. Number of distinct logins ; 8. Number of first time logins
• Reporting types:
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Baseline Personnel Security Standard (BPSS)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: European Economic Area (EEA)
• User control over data storage and processing locations: Yes
• Datacentre security standards: Supplier-defined controls
• Penetration testing frequency: At least once a year
• Penetration testing approach: ‘IT Health Check’ performed by a CHECK service provider
• Protecting data at rest:
  • Encryption of all physical media
  • Other
• Other data at rest protection approach: • Strong logical access control. Access is given based on least privilege and a need to know basis.; • Protective monitoring and event management using LogRhythm as a SIEM.; • Sourcefire & Palo Alto IDS.; • Checkpoint firewalls.; • Monthly vulnerability scanning programme of work.; • ISO27001 and PCI DSS compliant.
• Data sanitisation process: Yes
• Data sanitisation type: Explicit overwriting of storage before reallocation
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: N/A
• Data export formats: Other
• Data import formats: Other

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • TLS (version 1.2 or above)
  • Other
• Other protection between networks: Web Application Firewall, IP Safe Listing, SSH key Pairs (for automation), complex password policy, Threat Detection Service team
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • Other
• Other protection within supplier network: Data Loss Prevention, Privelleged Access Management, Data Encryption at Rest, SIEM Alerts and Monitoring, Anti-Virus and EDR, Firewalls and VPN's

Availability and resilience

• Guaranteed availability: Our standard availability is 98.5%. We would be happy to discuss any specific availability requirements as appropriate.
• Approach to resilience: We operated on an active / passive configuration, with passive being a 'warm stand-by.' Data is pushed to the passive servers on a high frequency (every 5 minutes) to ensure high data accuracy and consistency. Front end traffic manager it used to facilitate switching between sites as required.
• Outage reporting: There is extensive error handling and reporting to provide early and detailed logs of any issues / errors. Additionally our Client Support Team would notify affected clients via email as appropriate.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Other
• Other user authentication: Each user will have a unique username and password provided along with company name. TransUnion also utilises the control of IP white listing and 24/7 security monitoring.
• Access restrictions in management interfaces and support channels: A policy of least privilege access is applied across the group to ensure employees only have access to what is required - this is regularly reviewed. Any privileged accounts are rigorously checked both prior to granting access, during use and on termination of permissions. Users come under multiple levels of policy regarding accounts and device usage. Networks are highly segmented with monitoring for inter-segment violations. Any sensitive systems are housed in dedicated secure environments.
• Access restriction testing frequency: At least once a year
• Management access authentication: Other
• Description of management access authentication: Available on request

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: BSI
• ISO/IEC 27001 accreditation date: 29/05/2021
• What the ISO/IEC 27001 doesn’t cover: A.14.1.3, A.14.1.2
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: Yes
• Who accredited the PCI DSS certification: Payment Software Company, Inc. (DBAPSC)
• PCI DSS accreditation date: 02/08/2021
• What the PCI DSS doesn’t cover: Full Report on Compliance (ROC) can be screen shared upon request
• Cyber essentials: Yes
• Cyber essentials plus: Yes
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards:
  • ISO/IEC 27001
  • Other
• Other security governance standards: Cyber Essentials Plus; PCI DSS
• Information security policies and processes: TU follows a dedicated Information Security Policy, as well as other processes such as data encryption and key management, secure application development etc.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: TU defined product development lifecycle, which includes various gates including budget, security and IT infrastructure. Small changes are captured within our internal ticketing system.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: Internal scans are completed on a regular basis (Daily, Weekly, Monthly depending on the endpoint). All Critical findings must be addressed within 30 days, High/Medium 60 days and Moderate to low 90 days. Any findings that cannot meet these deadlines must have a risk acceptance review and a deadline agreed by the business.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: Threat Detection Service, Data Loss Prevention team, Incident Management team - All monitoring 24/7/365
• Incident management type: Supplier-defined controls
• Incident management approach: NIST 800-61 and SANS PICERL

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: No

Social Value

• Fighting climate change:

  Fighting climate change

  In 2021, TransUnion announced our commitments to address climate change. We intend to reach net zero on our scope 1 and 2 greenhouse gas (GHG) emissions by 2025 while reducing our scope 3 emissions from real estate 30% by 2030. All our climate change targets use a 2019 baseline, as that was the last year before our operations were impacted by the COVID-19 pandemic.; ; Our climate plan focuses on the operational footprint of our real estate. The implementation of our climate change goals will reduce the impact our office spaces and energy intensive data servers will have on the environment. We are focused on mobilising resources to reduce and abate our greenhouse gas emissions as rapidly as possible, and we are already making tangible progress towards these targets.; ; From 2020 to 2021, we reduced greenhouse gas emissions by 263 MTCO2e by procuring renewable energy for our Leeds office.; ; Where we cannot meet our reduction targets, we plan on purchasing credible carbon offsets on an annual basis. As we begin seeing reductions in greenhouse gas emissions from our renewable energy purchases and operational efficiencies, we will reduce the amount of offsets we purchase.; ; Our Leeds office is ISO 14001 certified for our environmental management systems. ; ; To engage our colleagues in our climate change journey we have an employee Network Resource Group, Green @ TU, which helps engage and educate colleagues on what they can do both in and out of the office to reduce their environmental footprint.
• Covid-19 recovery:

  Covid-19 recovery

  Employee well-being remains front and centre as we navigated the uncertainties related to the COVID-19 pandemic. We developed programmes and resources for our employees ensuring they felt heard and supported. ; ; During the pandemic colleagues worked from home. Our office is now open with social distancing measures in place. Initial opening of the office was at a 25% capacity which has recently increased to 50% capacity. To support this an online desk booking tool has been introduced for colleagues to book socially distanced space in the office. ; ; Through our Total You wellbeing programme we placed colleagues’ well-being first by providing mental health benefits to them and their families around the world, expanding our employee assistance programme to allow colleagues’ families to access mental wellbeing support, continued to invest in our trained Mental Health First Aider’s to support all colleagues, offering the Headspace app free to all colleagues, and by creating multiple global wellness days so colleagues could spend down-time with their family and friends. Over the summer period we offered Flexible Fridays with the ability to take personal time every Friday in July & August to focus on their own needs, personal development and to recharge. A virtual GP service was introduced giving all colleagues access. ; ; As we continued remote work for the second year, we looked for new ways to connect associates — from virtual onboarding to everyday virtual activities, including fitness classes and meditations, recipe contests, talent competitions, coffee and conversation events, and DJ-led online music sessions. ; ; As we look at a return to office we have introduced Flex-Together programme. Colleagues now have the choice of where they work, either at home or in the office, with flexibility crucial as people continue to juggle careers with home life demands and deal with the continuing pressures of the pandemic.
• Tackling economic inequality:

  Tackling economic inequality

  TransUnion recognise the skills shortage in tech roles and in particular the gender imbalance in IT. To address this, we have a number of programmes to inspire and educate the next generation on the opportunities available.; ; Our #GirlsIntoTech programme is run with local schools to give girls aged 15 and over a chance to learn more about careers in tech and the many paths available. ; ; In 2021 120 students took part in workshops to understand the many job roles and the diversity of people who make our business what it is. Students received insights into potential future career paths in tech, got to know some of our women working in such roles and heard about their career journeys. We also work alongside our Women @ TU network resource group to help students connect one-to-one with a role model working in the tech space. ; ; TransUnion colleagues worked with Leeds University Technical College A-level computer science students for the second year in 2021. Our colleagues provided support and mentoring around the project aspect of the course, giving informed feedback and actively supporting hands-on skills development. ; ; Colleagues also shared their insights into the world of work to give students practical insights on how they could apply their chosen study subjects in a workplace environment. ; ; TransUnion recognises the importance of having a robust and responsible supply chain. This year, we included second-tier supplier diversity requirements in all our supplier contract templates. Our Procurement team has committed that for each competitive sourcing opportunity, it will search for qualified, diverse suppliers to compete for TransUnion’s business.
• Equal opportunity:

  Equal opportunity

  TransUnion is working to tackle workforce inequality.; ; We are creating clear and accessible pathways to senior roles for women through our Women Emerging (WE Lead) programme. This focuses on active learning, personal coaching and business mentoring to help participants feel more prepared and confident with leadership. 52% of participants have received a promotion, moved and/or broadened their role since staring the programme. ; ; TransUnion is a signatory of the Race at Work charter created by Business in the Community to improve outcomes for black, Asian and minority ethnic employees in the UK and is committed to diversity. We recently launched our jEDI (justice, Equity, Diversity & Inclusion) Network Resource Group which looks at ways to improve diversity around gender, age and disability.; ; We are committed to furthering colleague training and last year signed up to The 5% Club charter, committing to raising the number of colleagues on formal training programmes to 5% of our UK workforce within five years. We are already halfway to achieving that, with a silver accreditation just one year into the programme.
• Wellbeing:

  Wellbeing

  Total You is the TransUnion wellbeing programme focusing on three areas of wellbeing: physical, financial & mental. The programme is shaped locally by out Total You Committee, made up of colleagues from across the business who develop and drive activities ensuring a high level of take up across the organisation.; ; To showcase wellbeing we have a full wellbeing day planned for all colleagues in May. All colleagues will be offsite and have the opportunity to take part in activities to support all areas of wellbeing and to have face to face interaction with our wellbeing providers.; ; Activities to support wellbeing include:; ; Physical wellbeing:; • Challenge 90 – working with Yorkshire Cancer Research to support colleagues to take part in 90 minutes of exercise per week to reduce their risk of cancer; • Physical activity challenges; • Bike User Group, support for cyclists; • Weekly yoga & Boxfiit sessions; • Webinars, including content on nutrition; • Invested in social space including yoga fitness space in Leeds office; • Discounted gym membership ; • Private Health Insurance ; • Health & wellbeing webinar content available to all colleagues on demand ; • Bupa anytime healthline; • Digital GP services for all colleagues; ; Mental wellbeing:; • Mental Health First Aiders; • Employee Assistance Programme to include families for mental wellbeing support; • Mandatory mental health training for all colleagues & managers, plus toolkits; • Headspace app for mindfulness, meditation; • Walking meetings; • Mental Health Awareness week activities; • Wellbeing days off & flexible Fridays in July & August; • Bupa mental health line for families; • Dedicated intranet page with information & signposting; ; Financial wellbeing:; • Pensions advice sessions; • Free access to credit scores & reporting

Pricing

• Price: £2.85 to £16.25 a unit
• Discount for educational organisations: No
• Free trial available: No

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at mark.pestereff@transunion.com. Tell them what format you need. It will help if you say what assistive technology you use.