AORA GROUP LIMITED

Automated UK Citizenship and Work Visa Eligibility Assessment

Using proprietary AI, AORA models UK nationality and immigration law, automating UK citizenship and work visa eligibility assessments and providing a fully explainable outcome referencing the applicable legal provisions. If an application is eligible, the platform automates the form filling of the applicable Home Office forms.

Features

• Intelligent Service Automation
• Automated opinion with determination of UK citizenship or grant eligibility
• Attended, unattended and cognitive automation
• Intelligent Automation (IA), Decision Automation (DA)
• Auditable AI, Transparent AI, Explainable AI, Model auditability
• Natural Language Processing (NLP), Artificial Intelligence (AI)
• Built around open standards and open source stack including Python
• Fully featured collaborative tool including an efficient workflow
• Pre-packaged digital, automated end-to-end process
• UK Nationality law modelled as rules in maintainable Python expressions

Benefits

• Consider all possible avenues to attain UK citizenship
• Minimise rework arising from appeals against refused applications
• Consistently apply nationality and immigration laws, policies and guidance
• Save time through automation; producing opinions and reports in real-time
• Substantially reduce the requirement for in-depth training
• All levels of caseworkers can process complex cases
• Produce automated reports in perfect grammatically correct prose
• Improve staff productivity through human in loop automation
• Provide better citizen and staff experience and outcomes
• Easy spot checking for work visa eligibility

£2.90 to £75.00 a transaction

• Free trial available

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at rlove@aoralaw.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

315639720155999

Contact

Robert Love
0203 3899422
rlove@aoralaw.com

Service scope

• Software add-on or extension: No
• Cloud deployment model:
  • Public cloud
  • Private cloud
• Service constraints: There are no service constraints.
• System requirements:
  • Users need a stable internet connection
  • Modern internet browser (Edge, Chrome, Safari , Firefox etc.)
  • No third-party software licenses are required

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: It depends upon the priority of the issue/question:; Critical - respond within 1 hour, resolve within 4 hours.; High - respond within 2 hours, resolve within 8 hours.; Normal - respond within 4 hours, resolve within 24 hours (next working day on weekends).; Low - respond within 8 hours, resolve within 48 hours (next 2 working days on weekends).
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: WCAG 2.1 A
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: Web chat
• Web chat support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support accessibility standard: WCAG 2.1 AAA
• Web chat accessibility testing: None
• Onsite support: Yes, at extra cost
• Support levels: We provide two levels of support package - Regular and Premium.; There are no additional costs for Regular Support.; Premium Support includes a named dedicated account manager and a named technical account manager who are assigned to the client for initial onboarding and on a regular basis to ensure service satisfaction.; The Premium Support package is costed on a case by case basis depending upon that specific client set-up.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: We provide a documented process for onboarding clients, which is a largely self-driven user setup.; We provide onsite training, as well as online training, user documentation and video tutorials which are accessed through the web.
• Service documentation: Yes
• Documentation formats:
  • HTML
  • ODF
  • PDF
• End-of-contract data extraction: The data will be extracted upon written request to our Support team to perform a final full export.
• End-of-contract process: If the service is hosted within the client's private cloud then the client will be responsible for the deletion and/or destruction of the data.; ; In any other event, then at the end of the contract, we will thereafter delete or destroy all copies of the client's data within our databases or otherwise in our possession or control, unless legally prohibited from doing so. We will confirm such deletion and/or destruction in writing within ten (10) days of the client’s request for such confirmation.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: There are no differences in functionality, as the service was designed from the outset to be fully responsive. UI layout is slightly rearranged for better display on mobile devices.
• Service interface: Yes
• User support accessibility: WCAG 2.1 AA or EN 301 549
• Description of service interface: Clear graphical interface that facilitates simple evaluation of cases and browsing of historic data.; Strong colour contrast and simple colour coding aid readability and intuitive understanding. ; Multi-user system that allows different users (within an organisation) to collaborate easily.; Tools for controlling data visibility and privileges for users within an organisation.
• Accessibility standards: WCAG 2.1 AA or EN 301 549
• Accessibility testing: Extensive user testing by a diverse range of users with different accessibility requirements.
• API: Yes
• What users can and can't do using the API: The AORA API allows authorised services to log in and create, view, and edit data that they have access to in AORA. This facilitates development of scripts that automate processes such as the uploading of data from external sources.; ; Users cannot access any data outside their organisation, or internal data they do not have permission to access.
• API documentation: Yes
• API documentation formats:
  • Open API (also known as Swagger)
  • PDF
• API sandbox or test environment: Yes
• Customisation available: Yes
• Description of customisation: Users have the flexibility to represent the data folder structure used to represent users and cases in the way that represents their way of case management.; ; Users are set up with differing levels of user permissions, as appropriate for their work by administrators.; ; Numerous aspects of AORA's behaviour can be controlled by user-specific and account-wide (given sufficient privileges) settings. These settings include parameters that control the behaviour of AORA's AI engine and the layout of the reports produced by the system.

Scaling

• Independence of resources: Our products use a micro-service architecture that distributes work between several services that can be hosted on separate servers. Where possible, we use docker containers for compute-intensive services. This allows extra resources to be dynamically acquired and load-balanced, as needs demand. AORA can also deploy its entire platform to dedicated hardware (on-premises or in-cloud) for clients who desire this for operational security needs, hence UK Government clients will be set up on a dedicated instance within AWS.

Analytics

• Service usage metrics: Yes
• Metrics types: The number of unique active users.; The number of evaluations started.; The number of evaluations completed.; Breakdown of completed evaluations (qualified, did not qualify etc.).
• Reporting types:
  • API access
  • Real-time dashboards
  • Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Conforms to BS7858:2019
• Government security clearance: Up to Security Clearance (SC)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: No
• Datacentre security standards: Managed by a third party
• Penetration testing frequency: At least once a year
• Penetration testing approach: ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
• Protecting data at rest:
  • Physical access control, complying with another standard
  • Other
• Other data at rest protection approach: Filesystem encryption is used (LUKS) on nodes that store persistent data.
• Data sanitisation process: Yes
• Data sanitisation type: Deleted data can’t be directly accessed
• Equipment disposal approach: A third-party destruction service

Data importing and exporting

• Data export approach: User (citizen) data is easily viewable and editable within the system by authorised users.; Upon request to our Support team, data relating to a specific case, or cases, can be exported.
• Data export formats: CSV
• Data import formats: Other
• Other data import formats:
  • Manual data capture within a browser question and answer process
  • Ingested via our API from an external data source

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network: Other
• Other protection within supplier network: Within our network we use SSH tunnels to encrypt all internal traffic. Local network traffic is also restricted using a firewall whitelist containing a minimal list of required and trusted IPs/ports.

Availability and resilience

• Guaranteed availability: We provide a 99.99% uptime SLA around network, power and virtual server availability.; ; If the service provider fails to deliver on this SLA, we will credit users based on the amount of time that service was unavailable.
• Approach to resilience: Please see https://aws.amazon.com/compliance/data-center/controls/; ; In addition, we have several internal systems in place:; - We developed a monitoring service that polls our APIs at 1-minute intervals and notifies administrators of any outages. This allows us to identify and respond to outages immediately.; - All operational databases are backed up, encrypted, and stored on an external network daily.; - We maintain up-to-date installation procedures and deployment scripts that allow us to set up new deployments, or restore 'old' ones (using a database backup) in less than an hour.
• Outage reporting: A public dashboard summarising service availability is accessible to clients. Email alerts to designated recipients are automatically generated and dispatched in the event of any outages.; ; We use an API to provide this functionality but have not yet made it available to clients. If there is a specific need to provide some/all of this API's functionality in future, we will consider it.

Identity and authentication

• User authentication needed: Yes
• User authentication: Username or password
• Access restrictions in management interfaces and support channels: User permissions restrict access to specific functions within the system.
• Access restriction testing frequency: At least once a year
• Management access authentication: Username or password

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: Between 1 month and 6 months

Standards and certifications

• ISO/IEC 27001 certification: No
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: Yes
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: No
• Security governance approach: We have established a security governance framework that is aligned to (and compliant with) ISO 27001, as we are acutely aware of the need to protect client information and personal data. We are not yet certified but are working towards it.; ; Within this framework, we have established information security objectives that are aligned with our organisational priorities and business objectives, and have allocated responsible and accountable persons. Our policies and procedures enable an effective risk management approach and are supportive of our business operations and take into account the size and maturity of our business.
• Information security policies and processes: We have employed an overarching Information Security Policy which outlines our company’s overall approach, security obligations of all personnel and any applicable third parties, and sets out our information security objectives. ; ; We have a set of additional policies in place including Acceptable Use, Supplier Security, Secure Development and Access Control. These are underpinned by documented operational procedures which have been designed with security in mind from the outset and throughout. These policies are periodically updated in line with our continuous improvement philosophy.; ; As a small organisation, our reporting structure is straightforward. We have several non-managerial staff all of whom report to executives (Technology, Sales and Operations, etc.) and report directly to the Chief Executive Officer (CEO), who has overall accountability for information security within the organization, The executives have individual responsibilities for ensuring that security requirements, knowledge and awareness flows down within their spheres. ; ; We perform a periodic Risk Management Assessment of our information assets, taking corrective action as and when controls need to be updated.; ; Our Chief Technology Officer (CTO) is responsible for overseeing activities that impact the company’s security and is responsible for the overall maintenance and management of the information security and allied policies.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: We follow AWS best practices, incorporated into our documented change management policy, which describes the procedures to be followed. All significant software changes are subject to code review and end-user testing before deployment. Reviews are also conducted when changes to the deployment (staging) environment (relocating databases, changing firewall settings etc.) are made. Expert, external contractors are engaged as and when security-specific questions arise.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: We rely on our cloud-hosting provider, to manage vulnerabilities relating to their host machines and hypervisors. In addition, we employ a third party vendor to provide continuous external vulnerability scanning and management. We monitor external websites (National Cyber Security Centre, Threatpost, Phoronix etc.) for news about threats pertaining to our hosted VMs and the components we deploy on them. Patches can be deployed in near real-time (within an hour) when serious vulnerabilities are uncovered.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: All externally-accessible endpoints feature automated systems to detect and block brute-force/DDoS attacks. Our monitoring service checks all host machines for signs of suspicious activity (multiple failed logins, access from an unknown IP etc.) and notifies administrators immediately. In the event of a potential compromise, an administrator would be notified (via email) within 5 minutes, and they would then enact an intrusion procedure (which involves changing all authorised keys etc.).
• Incident management type: Supplier-defined controls
• Incident management approach: We maintain and follow security incident management policies and procedures to promptly notify users in the event in that we become aware of any actual or reasonably suspected unauthorized disclosure of customer data. ; ; We have a defined incident response plan that can be shared with prospects or customers under an NDA

Secure development

• Approach to secure software development best practice: Conforms to a recognised standard, but self-assessed

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  • Tackling economic inequality
  • Equal opportunity

  Tackling economic inequality

  Our software produces automated opinions as to whether an applicant is eligible to become or is a British Citizen. Thus it dramatically reduces immigration practitioners' and caseworkers' time which could lead to a reduction of fees for the applicant to apply to and get their case reviewed by the Home Office.

  Equal opportunity

  Our software produces automated opinions as to whether an applicant is eligible to become or is a British Citizen. Thus it obviates the need for caseworkers to go through the mechanical repetitive task of doing an assessment, referring to guidance and legal provisions. Instead, caseworkers can focus on the humanistic aspect of the case - what story do the supporting documents tell, are they valid, do they support the claim being made?

Pricing

• Price: £2.90 to £75.00 a transaction
• Discount for educational organisations: No
• Free trial available: Yes
• Description of free trial: We will provide a free version, which contains all functionality, for 3 months to an unlimited amount of users.

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at rlove@aoralaw.com. Tell them what format you need. It will help if you say what assistive technology you use.