VouchforMe

Service scope

Software add-on or extension: Yes, but can also be used as a standalone service
What software services is the service an extension to: Identity services, like One Login or other government identity systems.
Cloud deployment model: Public cloud

Private cloud

Community cloud

Hybrid cloud
Service constraints: VouchforMe connects to an existing identity service. However, VouchforMe supports all identity protocols, so integration should be straightforward. Avoco will require interaction with the identity service team to ensure a seamless fit.
System requirements: None

User support

Email or online ticketing support: Yes, at extra cost
Support response times: As per agreed SLA
User can manage status and priority of support tickets: No
Phone support: Yes
Phone support availability: 9 to 5 (UK time), Monday to Friday
Web chat support: No
Onsite support: No
Support levels: Avoco offer tiered support based on an SLA agreement. Levels include:

Level one: Basic service, telephone, email, online form support, Mon-Fri, 9am - 5pm UK. Includes bug fixes and general trouble-shooting: +10% of service cost, annually.
Level two: Upgraded service, telephone, email, online form support, Mon-Fri, 8am - 7pm UK. Includes bug fixes and general trouble-shooting: +15% of service cost, annually.
Level three: Advanced service, in-person support, extended hours of support, advanced trouble-shooting, some additional capabilities, as per SLA, +20% of service cost, annually.
Support available to third parties: No

Onboarding and offboarding

Getting started: Avoco will work with the closely with the government team to help gather the Vouching-as-a-Service requirements that are specific to the needs of the identity service. Using these requirements, Avoco will help in the overall design of the vouching service, helping to discover the most appropriate vouching entities and the best channels for interaction. The design of the voucher interface itself can be done by Avoco, one of Avoco's partners, or the government team itself.
Service documentation: Yes
Documentation formats: PDF
End-of-contract data extraction: Avoco hold no data, all data is shared with the government service. The vouching entity does have the option to save data, but this is at the discretion of the government service.
End-of-contract process: Holding

Using the service

Web browser interface: Yes
Supported browsers: Internet Explorer 11

Microsoft Edge

Firefox

Chrome

Safari

Opera
Application to install: No
Designed for use on mobile devices: Yes
Differences between the mobile and desktop service: None, except when using mobile devices as a channel to communicate with the service, i.e. WhatsApp for Business.
Service interface: Yes
User support accessibility: WCAG 2.1 AA or EN 301 549
Description of service interface: For voucher only. The voucher will use the interface to go through the vouch process and send the results (via the interface) back to the government identity system.
Accessibility standards: WCAG 2.1 AA or EN 301 549
Accessibility testing: Extensive testing with assistive technologies.
API: Yes
What users can and can't do using the API: Avoco's APIs provide complete functionality to set up and manage a service.
APIs are managed, requiring access tokens to authorise their use.
Account creation may use a Dynamic Client Registration API.
API documentation: Yes
API documentation formats: Other
API sandbox or test environment: Yes
Customisation available: Yes
Description of customisation: The Avoco API is UI agnostic so that customers can create their own UI and UX to reflect their service needs.

Scaling

Independence of resources: AvocoSecure ensures resource independence through its horizontally scalable architecture, which distributes load across multiple servers in different data centers. This setup prevents any single user’s high demand from impacting others. Statelessness of the application servers ensures that each request is handled independently, with no reliance on local server state, enhancing both scalability and resilience. Additionally, Avoco employs load balancers to manage traffic and optimize resource allocation, ensuring consistent performance and availability across all users, regardless of individual demands on the service.

Analytics

Service usage metrics: Yes
Metrics types: Reports can be generated either using Avoco's own report console or by outputting data to an SIEM.
Reporting types: API access

Regular reports

Reports on request

Resellers

Supplier type: Not a reseller

Staff security

Staff security clearance: Conforms to BS7858:2019
Government security clearance: None

Asset protection

Knowledge of data storage and processing locations: Yes
Data storage and processing locations: United Kingdom

European Economic Area (EEA)
User control over data storage and processing locations: Yes
Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency: At least once a year
Penetration testing approach: ‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest: Physical access control, complying with CSA CCM v3.0

Physical access control, complying with SSAE-16 / ISAE 3402

Physical access control, complying with another standard

Encryption of all physical media

Scale, obfuscating techniques, or data storage sharding

Other
Other data at rest protection approach: User data is also protected with KMS-backed encryption, which safeguards data in transit and at rest. Our advanced Key Management Service utilizes a highly secure master key to generate unique encryption keys for each transaction. This process isolates security breaches, preventing compromised keys from impacting other data.
Data sanitisation process: Yes
Data sanitisation type: Explicit overwriting of storage before reallocation

Deleted data can’t be directly accessed
Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach: Avoco holds no data.
Data export formats: CSV
Data import formats: CSV

Data-in-transit protection

Data protection between buyer and supplier networks: TLS (version 1.2 or above)
Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability: SLA Details: 99.9% Uptime Guarantee: AvocoSecure commits to maintaining a 99.9% uptime for all its deployed services, calculated on a monthly basis. This ensures that services are operational and accessible with minimal downtime. Compensation for Downtime: If AvocoSecure fails to meet the 99.9% uptime commitment, users are eligible for service credits. These credits are typically proportional to the amount of time the service was unavailable beyond the agreed SLA. The specifics of how these credits are calculated and applied are detailed in the service agreement each user signs. SLA Exclusions: The SLA typically excludes planned downtime for maintenance, which is announced in advance, and downtime resulting from circumstances beyond AvocoSecure’s reasonable control, such as natural disasters or third-party service failures. This SLA framework ensures that users can rely on AvocoSecure for critical services, with clear remedies available should the promised level of service not be achieved.
Approach to resilience: Key Resilience Features: Multi-Location Data Centers: Services are hosted across geographically dispersed data centers with redundant infrastructure, ensuring fault tolerance and high availability. Data Replication and Automatic Failover: Data is replicated across sites, with automatic failover mechanisms in place to maintain service continuity during system failures. Load Balancing and Regular Testing: Load balancing distributes requests evenly across servers, optimizing performance. The infrastructure undergoes regular resilience testing, including disaster recovery drills and security updates to mitigate risks. Additional Information: Detailed resilience strategies and data center information are available on request to protect sensitive details while ensuring stakeholders have access to necessary compliance information. This streamlined approach ensures AvocoSecure meets high standards for reliability and security, providing a trustworthy and resilient service environment.
Outage reporting: Public Dashboard: Avoco Secure offers a public dashboard that provides real-time status updates and detailed information on the health of the service. This includes insights into any ongoing outages, historical incidents, and updates on recovery efforts. Users can conveniently monitor the status of the service independently through this dashboard. API: Avoco Secure provides an API that allows automated access to the service's health status and outage data. Monitoring systems can leverage this API to automatically alert users in case of service outages or disruptions. Email Alerts: Avoco Secure configures email alerts to notify users directly about service outages, expected resolution times, and ongoing status updates. The alerts can be tailored to inform specific user groups or the entire user base, ensuring that affected parties receive timely information about outages.

Identity and authentication

User authentication needed: Yes
User authentication: 2-factor authentication

Public key authentication (including by TLS client certificate)

Identity federation with existing provider (for example Google Apps)

Username or password

Other
Other user authentication: Our system federates with existing idenitity services and uses any type of authentication required.
Access restrictions in management interfaces and support channels: Access is managed based on roles. For example, a verified voucher can access their own instance of the Vouching interface.
Access restriction testing frequency: At least every 6 months
Management access authentication: 2-factor authentication

Public key authentication (including by TLS client certificate)

Identity federation with existing provider (for example Google Apps)

Username or password

Other
Description of management access authentication: Linked to the identity service, so any authentication method, as required

Audit information for users

Access to user activity audit information: Users receive audit information on a regular basis
How long user audit data is stored for: User-defined
Access to supplier activity audit information: Users receive audit information on a regular basis
How long supplier audit data is stored for: User-defined
How long system logs are stored for: User-defined

Standards and certifications

ISO/IEC 27001 certification: No
ISO 28000:2007 certification: No
CSA STAR certification: No
PCI certification: No
Cyber essentials: No
Cyber essentials plus: No
Other security certifications: No

Security governance

Named board-level person responsible for service security: Yes
Security governance certified: No
Security governance approach: Avoco carries out regular security reviews. We have daily contact with the security architect to ensure that security is an ongoing process
Information security policies and processes: Access Control Policy: Governs access based on the principle of least privilege. Data Encryption Policy: Sensitive data is encrypted during transmission and at rest. Incident Response Policy: Procedures for identifying, responding to, and recovering from security incidents. Data Retention and Disposal Policy: Data is securely retained and disposed of according to requirements. Processes: Risk Assessment: Regular assessments to identify and mitigate security risks. Penetration Testing: Regular testing ensures systems are resilient against threats. Security Awareness Training: Employees receive regular training on security best practices. Reporting Structure: Information Security Officer: Oversees security policies' development, implementation, and enforcement. Security Team: Audits and ensures consistent compliance. Incident Reporting: Incidents are reported and resolved through established protocols. These measures ensure Avoco Secure maintains a strong commitment to information security.

Operational security

Configuration and change management standard: Supplier-defined controls
Configuration and change management approach: Avoco Secure employs a robust configuration and change management process: Tracking Components: All service components are logged and tracked through their lifecycle, from deployment to decommissioning, using an inventory system for real-time monitoring. Change Assessment: Each proposed change undergoes a security impact assessment to identify potential vulnerabilities. Changes are prioritized based on risk and implemented in controlled environments to minimize disruption.
Vulnerability management type: Undisclosed
Vulnerability management approach: Threat Assessment: We continuously monitor systems and networks for vulnerabilities, conducting regular threat assessments to identify potential risks. Patch Deployment: Patches are prioritized based on severity, and critical patches are deployed immediately. Routine patches follow a structured deployment schedule to minimize disruption. Threat Intelligence Sources: We stay updated on potential threats through reputable sources like government advisories, cybersecurity forums, and vulnerability databases. This ensures rapid identification and response to emerging threats.
Protective monitoring type: Undisclosed
Protective monitoring approach: Identifying Compromises: We employ advanced monitoring tools and analytics to detect unusual activities indicative of potential compromises. This includes network traffic analysis, user behavior analytics, and intrusion detection systems. Response to Compromises: Upon identifying a potential compromise, our security team is alerted immediately. The team assesses the threat, contains the impact, and begins remediation processes following our incident response plan. Response Time: We prioritize rapid response to incidents. Critical threats are addressed immediately, with initial responses typically within hours of detection to mitigate potential damages.
Incident management type: Undisclosed
Incident management approach: Pre-defined Processes: We have pre-defined processes for common incidents, enabling swift identification and resolution. Procedures cover detection, containment, and recovery. User Reporting: Users can report incidents through a dedicated support portal or via email. Immediate attention is given to all reported incidents. Incident Reports: Detailed incident reports, including impact assessment and mitigation steps, are provided to affected users and stakeholders promptly, ensuring transparency and fostering trust.

Secure development

Approach to secure software development best practice: Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks: No

Social Value

Equal opportunity

Vouching is an enhancement of digital government services to help individuals register for online services even if they find online digital verification challenging. There are many reasons why online verification fails for people, including a distrust of online verification as a process, disabilities, no smart phone, no fixed abode, little or no digital footprint, and many other reasons. Vouching provides and alternative way to engage with these citizens and allow them access to online services without the barrier that online verification checks can often present. In other words, Vouching can provide ways for government to be more inclusive and to take the challenges of digital life experienced by many groups in society into account.

Pricing

Price: £5,000 a licence
Discount for educational organisations: Yes
Free trial available: Yes
Description of free trial: Free trial available
Yes

Description of free trial
A trial is paid for and includes full access for a limited number of users for a limited time. The terms are agreed on a per trial basis.

Features

Benefits

Service documents

Framework

Service ID

Contact

Service scope

User support

Onboarding and offboarding

Using the service

Scaling

Analytics

Resellers

Staff security

Asset protection

Data importing and exporting

Data-in-transit protection

Availability and resilience

Identity and authentication

Audit information for users

Standards and certifications

Security governance

Operational security

Secure development

Public sector networks

Pricing

Service documents

Cookies on Digital Marketplace

VouchforMe

Features

Benefits

Pricing

Service documents

Framework

Service ID

Contact

Service scope

User support

Onboarding and offboarding

Using the service

Scaling

Analytics

Resellers

Staff security

Asset protection

Data importing and exporting

Data-in-transit protection

Availability and resilience

Identity and authentication

Audit information for users

Standards and certifications

Security governance

Operational security

Secure development

Public sector networks

Social Value

Pricing

Service documents