Avoco Secure Ltd

Trust&Assure

Avoco’s Orchestration and Decisioning Engine (ODE) is the technology behind Trust&Assure, a service that connects government services to Open Banking data, eWallets, CIFAS and other data sources, to deliver assured identity. Trust&Assure connects to your identity service to provide the data, verification, and deepfake checks to deliver secure services.

Features

• remote verification
• identity verification
• protocol translation
• OIDC
• SAML
• OAuth
• FAPI
• Open Banking
• verification
• authentication

Benefits

• Translate protocols between services
• Normalise data
• Handle consents
• No data storage
• Issue and handle assurance levels
• Rules-driven orchestration of identity data
• Orchestration and decisioning for risk-based verification (RBV)
• Connect identity ecosystem, easily and quickly
• Connect to bank data using open banking and premium APIs
• Issue wallet passes

£5,000 a licence

• Education pricing available
• Free trial available

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at sandy.porter@avocosecure.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

311601005311153

Contact

Sandy Porter
07917507636
sandy.porter@avocosecure.com

Service scope

• Software add-on or extension: Yes, but can also be used as a standalone service
• What software services is the service an extension to: Government and any commercial identity service. It connects any type of wallet, verified data and fraud service and can provide protocol translation. Connects to third-party verification and deepfake detectors.
• Cloud deployment model:
  • Public cloud
  • Private cloud
  • Community cloud
  • Hybrid cloud
• Service constraints: No constraints.
• System requirements: None

User support

• Email or online ticketing support: Yes, at extra cost
• Support response times: As per agreed SLA
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: Avoco offer tiered support based on an SLA agreement. Levels include:; ; Level one: Basic service, telephone, email, online form support, Mon-Fri, 9am - 5pm UK. Includes bug fixes and general trouble-shooting: +10% of service cost, annually. ; Level two: Upgraded service, telephone, email, online form support, Mon-Fri, 8am - 7pm UK. Includes bug fixes and general trouble-shooting: +15% of service cost, annually. ; Level three: Advanced service, in-person support, extended hours of support, advanced trouble-shooting, some additional capabilities, as per SLA, +20% of service cost, annually.
• Support available to third parties: No

Onboarding and offboarding

• Getting started: Avoco can provide on-site and off-site training as well as providing full documentation on the use of Trust&Assure.
• Service documentation: Yes
• Documentation formats: PDF
• End-of-contract data extraction: Avoco holds no data; any processing of data is done under data protection and privacy laws but no data is stored.
• End-of-contract process: Holding

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: No difference, the service is managed using a central console that can be accessed by any browser on a mobile or desktop.
• Service interface: Yes
• User support accessibility: WCAG 2.1 AA or EN 301 549
• Description of service interface: "Desk" is a central console that allows the system admin or other authorized team member to configure the service. Desk is an application used to configure clients and projects for use with the Avoco API. It; can be thought of as the front end to all of the Avoco API functionality. Desk allows you to; configure your identity-based projects by applying specific settings.; Once Desk is installed you will may to create further admins or Desk users. These users will; use Desk to configure API projects on a per client basis - clients being tenants.
• Accessibility standards: WCAG 2.1 AA or EN 301 549
• Accessibility testing: Extensive testing with assistive technologies.
• API: Yes
• What users can and can't do using the API: Avoco's APIs provide complete functionality to set up and manage a service. APIs are managed, requiring access tokens to authorise their use. Account creation may use a Dynamic Client Registration API.
• API documentation: Yes
• API documentation formats: PDF
• API sandbox or test environment: Yes
• Customisation available: Yes
• Description of customisation: Desk provides the interface to allow customers to customise the orchestration of data and verification connections.

Scaling

• Independence of resources: AvocoSecure ensures resource independence through its horizontally scalable architecture, which distributes load across multiple servers in different data centers. This setup prevents any single user’s high demand from impacting others. Statelessness of the application servers ensures that each request is handled independently, with no reliance on local server state, enhancing both scalability and resilience. Additionally, Avoco employs load balancers to manage traffic and optimize resource allocation, ensuring consistent performance and availability across all users, regardless of individual demands on the service.

Analytics

• Service usage metrics: Yes
• Metrics types: Avoco Secure provides comprehensive service usage metrics, including:; ; User Activity: Detailed reports on login activity, successful and failed authentication attempts, and user engagement.; API Usage: Metrics on API calls, error rates, and latency to monitor system performance.; Resource Utilization: Insights into server usage, bandwidth consumption, and storage trends.
• Reporting types:
  • API access
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Conforms to BS7858:2019
• Government security clearance: None

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations:
  • United Kingdom
  • European Economic Area (EEA)
• User control over data storage and processing locations: Yes
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: ‘IT Health Check’ performed by a CHECK service provider
• Protecting data at rest:
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
  • Other
• Other data at rest protection approach: User data is also protected with KMS-backed encryption, which safeguards data in transit and at rest. Our advanced Key Management Service utilizes a highly secure master key to generate unique encryption keys for each transaction. This process isolates security breaches, preventing compromised keys from impacting other data.
• Data sanitisation process: Yes
• Data sanitisation type:
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: Data Export Formats:; Avoco supports exporting data in several formats:; ; BSON: Binary JSON format, suitable for high efficiency data storage and scanning.; CSV and TSV: For exporting data that needs to be used in spreadsheet applications or other database systems.; JSON: Easily readable and can be used in various applications that do not require the full schema representation offered by BSON.
• Data export formats:
  • CSV
  • Other
• Other data export formats:
  • BSON
  • JSON
• Data import formats: Other
• Other data import formats:
  • JSON
  • CSV and TSV
  • BSON

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: SLA Details:; 99.9% Uptime Guarantee:; AvocoSecure commits to maintaining a 99.9% uptime for all its deployed services, calculated on a monthly basis. This ensures that services are operational and accessible with minimal downtime.; Compensation for Downtime:; If AvocoSecure fails to meet the 99.9% uptime commitment, users are eligible for service credits. These credits are typically proportional to the amount of time the service was unavailable beyond the agreed SLA. The specifics of how these credits are calculated and applied are detailed in the service agreement each user signs.; SLA Exclusions:; The SLA typically excludes planned downtime for maintenance, which is announced in advance, and downtime resulting from circumstances beyond AvocoSecure’s reasonable control, such as natural disasters or third-party service failures.; This SLA framework ensures that users can rely on AvocoSecure for critical services, with clear remedies available should the promised level of service not be achieved.
• Approach to resilience: Key Resilience Features:; Multi-Location Data Centers:; Services are hosted across geographically dispersed data centers with redundant infrastructure, ensuring fault tolerance and high availability.; Data Replication and Automatic Failover:; Data is replicated across sites, with automatic failover mechanisms in place to maintain service continuity during system failures.; Load Balancing and Regular Testing:; Load balancing distributes requests evenly across servers, optimizing performance. The infrastructure undergoes regular resilience testing, including disaster recovery drills and security updates to mitigate risks.; Additional Information:; Detailed resilience strategies and data center information are available on request to protect sensitive details while ensuring stakeholders have access to necessary compliance information.; ; This streamlined approach ensures AvocoSecure meets high standards for reliability and security, providing a trustworthy and resilient service environment.
• Outage reporting: Public Dashboard:; Avoco Secure offers a public dashboard that provides real-time status updates and detailed information on the health of the service. This includes insights into any ongoing outages, historical incidents, and updates on recovery efforts. Users can conveniently monitor the status of the service independently through this dashboard.; ; API:; Avoco Secure provides an API that allows automated access to the service's health status and outage data. Monitoring systems can leverage this API to automatically alert users in case of service outages or disruptions.; ; Email Alerts:; Avoco Secure configures email alerts to notify users directly about service outages, expected resolution times, and ongoing status updates. The alerts can be tailored to inform specific user groups or the entire user base, ensuring that affected parties receive timely information about outages.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
  • Other
• Other user authentication: LDAP or similar
• Access restrictions in management interfaces and support channels: Access is managed based on roles. For example, if using LDAP or digital certificate access to manage/configure Trust&Assure, the role can be configured to allow for granular use of the Desk Configuration console.
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
  • Other
• Description of management access authentication: LDAP and digital certificate

Audit information for users

• Access to user activity audit information: Users receive audit information on a regular basis
• How long user audit data is stored for: User-defined
• Access to supplier activity audit information: Users receive audit information on a regular basis
• How long supplier audit data is stored for: User-defined
• How long system logs are stored for: User-defined

Standards and certifications

• ISO/IEC 27001 certification: No
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: No
• Cyber essentials plus: No
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: No
• Security governance approach: Avoco carries out regular security reviews. We have daily contact with the security architect to ensure that security is an ongoing process
• Information security policies and processes: Policies:; ; Access Control Policy: Governs access based on the principle of least privilege.; Data Encryption Policy: Sensitive data is encrypted during transmission and at rest.; Incident Response Policy: Procedures for identifying, responding to, and recovering from security incidents.; Data Retention and Disposal Policy: Data is securely retained and disposed of according to requirements.; Processes:; ; Risk Assessment: Regular assessments to identify and mitigate security risks.; Penetration Testing: Regular testing ensures systems are resilient against threats.; Security Awareness Training: Employees receive regular training on security best practices.; Reporting Structure:; ; Information Security Officer: Oversees security policies' development, implementation, and enforcement.; Security Team: Audits and ensures consistent compliance.; Incident Reporting: Incidents are reported and resolved through established protocols.; These measures ensure Avoco Secure maintains a strong commitment to information security.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: Avoco Secure employs a robust configuration and change management process:; ; Tracking Components: All service components are logged and tracked through their lifecycle, from deployment to decommissioning, using an inventory system for real-time monitoring.; Change Assessment: Each proposed change undergoes a security impact assessment to identify potential vulnerabilities. Changes are prioritized based on risk and implemented in controlled environments to minimize disruption.
• Vulnerability management type: Undisclosed
• Vulnerability management approach: Threat Assessment: We continuously monitor systems and networks for vulnerabilities, conducting regular threat assessments to identify potential risks.; Patch Deployment: Patches are prioritized based on severity, and critical patches are deployed immediately. Routine patches follow a structured deployment schedule to minimize disruption.; Threat Intelligence Sources: We stay updated on potential threats through reputable sources like government advisories, cybersecurity forums, and vulnerability databases. This ensures rapid identification and response to emerging threats.
• Protective monitoring type: Undisclosed
• Protective monitoring approach: Identifying Compromises: We employ advanced monitoring tools and analytics to detect unusual activities indicative of potential compromises. This includes network traffic analysis, user behavior analytics, and intrusion detection systems.; Response to Compromises: Upon identifying a potential compromise, our security team is alerted immediately. The team assesses the threat, contains the impact, and begins remediation processes following our incident response plan.; Response Time: We prioritize rapid response to incidents. Critical threats are addressed immediately, with initial responses typically within hours of detection to mitigate potential damages.
• Incident management type: Undisclosed
• Incident management approach: Pre-defined Processes: We have pre-defined processes for common incidents, enabling swift identification and resolution. Procedures cover detection, containment, and recovery.; User Reporting: Users can report incidents through a dedicated support portal or via email. Immediate attention is given to all reported incidents.; Incident Reports: Detailed incident reports, including impact assessment and mitigation steps, are provided to affected users and stakeholders promptly, ensuring transparency and fostering trust.

Secure development

• Approach to secure software development best practice: Conforms to a recognised standard, but self-assessed

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  Equal opportunity

  Equal opportunity

  Trust&Assure is designed to optimise match rates by offering citizens choices when registering to access a government service. This ensures that citizens from all walks of life are offered a chance to engage with online government.

Pricing

• Price: £5,000 a licence
• Discount for educational organisations: Yes
• Free trial available: Yes
• Description of free trial: A trial is paid for and includes full access for a limited number of users for a limited time. The terms are agreed on a per trial basis.

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at sandy.porter@avocosecure.com. Tell them what format you need. It will help if you say what assistive technology you use.