Grove Information Systems

MIRACL MFA and DVS

MIRACL Trust Proof is a service using the Designated Verifier Signature (DVS) digital signature scheme that allows the signing of any digital transaction, user action, data transfer or Machine-Machine interaction to make it irrefutable. Authenticity of action can be proven due to the immutable and cryptographic nature of the signatures.

Features

• Single-Step MFA
• Multi-Factor, Single Step
• Deployment Made Easy
• Data Protection & Privacy
• PSD2 Compliant

Benefits

• Secure
• Simple
• Bespoke, flexible setup

£0 to £0.05 a transaction

• Education pricing available
• Free trial available

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at pwitheridge@groveis.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

392028793387757

Contact

Philip Witheridge
+44 207 493 6741
pwitheridge@groveis.com

Service scope

• Software add-on or extension: No
• Cloud deployment model:
  • Public cloud
  • Private cloud
  • Hybrid cloud
• Service constraints: None
• System requirements:
  • Subject to integrating the APIs and SDKs
  • Mobile app minimum version requirements: iOS8 and Android 4.1
  • Software-only solution requiring neither a dongle nor a smartphone
  • Supports all browsers with a consistent interface cross platform

User support

• Email or online ticketing support: Yes, at extra cost
• Support response times: 15 minutes
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 24 hours, 7 days a week
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: P1 – Critical business impact or critical loss of service Must be logged via telephone 75% of calls within Business Hours will be responded to within 1 minute. Outside Business Hours be responded within 30 min. Resolution plan will be relayed within next 4 hours P2 – Major or partial loss of service where a work-around does not exist May be logged via telephone or via mail. Logged within Business Hours will be responded to within 30 mins. Logged outside of Business Hours will be responded on the next Business Day P3 – Question or how to queries or minor service impact May be logged via telephone or via mail. Logged within Business Hours will be responded to within 1 Hour. Logged outside of Business Hours will be responded on the next Business Day P4 - Documentation and enhancement requests May be logged via telephone or via mailL Logged within Business Hours will be responded to within 3 Hours. Logged outside of Business Hours will be responded on the next Business Day Provided that the customer provides all requested information in timely manner Technican Account Manager can be assigned.
• Support available to third parties: No

Onboarding and offboarding

• Getting started: User documentation is provided for admin users for integration as well as user documentation for the service. Further online or onsite training is also available depending on client size/whether required. The MIRACL Trust Platform utilizes a distributed cryptography scheme to ensure high security for its key-generation and authentication services. The scheme incorporates two or more Distributed Trusted Authority (D-TA) servers, which are the core of MIRACL’s distributed cryptosystem. For a typical hosted service, MIRACL provides two physically and geographically separated D-TAs for each partner. In some cases though, it is a requirement for a partner to self-host one of the D-TAs, in which case MIRACL provides an On-Premise D-TA which can be installed on the partner’s premises and connected to the MIRACL Trust Platform. MIRACL provides documentation to describe how to setup such an On-Premise D-TA on Windows-based servers.
• Service documentation: Yes
• Documentation formats: HTML
• End-of-contract data extraction: This is not applicable. The service has been engineered to avoid GDPR risk associated with client data. No data stored by MIRACL of any value to customer or end-client.
• End-of-contract process: Standard SaaS offering is free to implement with ongoing pricing based on PAYG invoicing in arrears with no contract notice period. Basic support level is included with further support levels available at an additional cost. Some advanced features of the service such as management APIs are for an additional cost. See pricing document for further details. For On Premise, Hybrid Cloud and Private Cloud implementation is included in the price of the 12 months contract subject to 30day notice prior to automatic contract rollover. Total cost of of contract is dependent on features required, see pricing document for further details.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: Service Provider as Buyer - all functions are customised from a browser. As an enterprise service we do not recommend configuring service from a mobile device. End-User as Customer -MIRACL Trust Proof service is cross platform and almost all primary functions are identical.
• Service interface: Yes
• User support accessibility: None or don’t know
• Description of service interface: Buyer admin user - all functions are customised from a browser. Admin Users can monitor authentication/signing activity and set up new points of authentication on websites and mobile apps. End-User of the Buyer - MIRACL Trust Proof authentication is as easy as entering a 4-6 digit PIN code to sign a digital transaction. Setting up new users is default by email verification but can be any process the service provider requires. All functions and features are managed on one page.
• Accessibility standards: None or don’t know
• Description of accessibility: Buyer Admin User - service accessed via a browser based portal with limited graphics, no visual or audio media, use of colour or animations. End-User of the Buyer - service providers have a great deal of flexibility how they integrate the service and expose it to the end clients. So they can determine the accessibility of the system taking into account platform and form of delivery.
• Accessibility testing: Buyer Admin User - we have tested with various screen readers, screen magnifiers, speech input, alternative input devices and text to speech. As a browser based portal, most assistive technologies are of some use. End-User of Buyer - service providers have a great deal of flexibility how they integrate the service and expose it to the end clients. So they can determine the accessibility of the system taking into account platform and form of delivery.
• API: Yes
• What users can and can't do using the API: Admin User can integrate our service with their website/app/service by connecting to our APIs using 3 simple function calls. APIs and SDKs can then be used to enrol users, authenticate users to controlled services, authenticate users to multiple services (Single Sign On), irrefutably sign actions/transactions/documents and monitor all actions taken by the end-user, all services are cross-platform and delivered to the End-User via browsers or custom-built applications. Our APIs and SDKs support open standards such as (but not limited to) SAML, OIDC, ADFS and RADIUS. We support Python, Django, NodeJS, Ruby, PHP, Go, Java, .NET and many other languages with our own SDKs and numerous additional languages using open source clients.
• API documentation: Yes
• API documentation formats:
  • HTML
  • PDF
• API sandbox or test environment: Yes
• Customisation available: No

Scaling

• Independence of resources: Predictive auto-scaling and using elastic cloud servers that scale based on usage.

Analytics

• Service usage metrics: Yes
• Metrics types: We track all events that go through the MIRACL Trust Proof service. The metrics we provide are number of authentications and unique users broken down by day, month, year, geographic region etc.
• Reporting types:
  • API access
  • Real-time dashboards
  • Reports on request

Resellers

• Supplier type: Reseller providing extra support
• Organisation whose services are being resold: MIRACL

Staff security

• Staff security clearance: Conforms to BS7858:2019
• Government security clearance: Up to Security Clearance (SC)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: Yes
• Datacentre security standards: Supplier-defined controls
• Penetration testing frequency: At least once a year
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest: Encryption of all physical media
• Data sanitisation process: Yes
• Data sanitisation type: Deleted data can’t be directly accessed
• Equipment disposal approach: In-house destruction process

Data importing and exporting

• Data export approach: Data can be fetched through the API or in CSV from the service admin portal.
• Data export formats: CSV
• Data import formats: Other
• Other data import formats: Nothing to import.

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • TLS (version 1.2 or above)
  • Other
• Other protection between networks: We never have access to buyers' data. For our service: the portal access, web login access and API access are protected using TLS 1.3.
• Data protection within supplier network: Other
• Other protection within supplier network: We have implemented Googles Beyond Corp which means we do not have an internal network that gives access to data. We have strong authentication to each service and VPN for sensitive infrastructure used only for administrative actions - not day to day work. Those VPNs area lso protected with two factor authentication through our own service. Access to data is given on a needs only basis.

Availability and resilience

• Guaranteed availability: SLA depends on the level selected. As an example for an Uptime Commitment of 99.9%, if the availability of MIRACL Services for a given month is less than the applicable Uptime Commitment, MIRACL will provide Buyer with a credit of the Fees paid for the affected MIRACL Services for such month as follows: Availability less than Uptime Commitment but at least 99.5%:5% credit. - Availability less than 99.5% but at least 99%: 10% credit. - Availability less than 99%but at least 97.5%: 35% credit. - Availability less than 97.5%: 100% credit. In the event Partner is not current in its payment obligations when an outage occurs, remedies will accrue, but credits will not be issued until payment obligations are up to date. To receive service credits, Partner must submit a written request to billing@MIRACL.com,within 30 days after the end of the month in which the MIRACL Services failed to meet the Uptime Commitment, or the right to receive credits with respect to such unavailability will be waived.
• Approach to resilience: The service is architected in such a fashion as to be always available. Each of the multiple interchangeable nodes is distributed across multiple zones in a single data-center. Load-balancing as well as auto-scaling technology is used to ensure availability even under high demand. There is no single point of failure. Further details available on request.
• Outage reporting: The service is end-to-end monitored from a number of places on the globe at least every minute. An internal company dashboard is updated with the results in real-time and the support team are notified should the service be unavailable from any of these points on the globe. The service is configurable to provide email alerts to customers. Once a month the availability information is distributed to customers with a valid contract.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Username or password
• Access restrictions in management interfaces and support channels: All access secured by strong 2 Factor Authentication (2FA) associated to each unique User-Access Point combination. Where an Access Point is a specific Browser-Device, Mobile etc. Full, real time, configuration of user roles determined on a per-user basis by admin user. Ability to revoke user access or enable/disable access to individual functions and groups of functions.
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Other
• Description of management access authentication: 2-Factor Authentication tied to each User-Access Point combination. Where an Access Point is a specific Browser-Device, Mobile etc. This enables customer to know who initiated and how they initiated access. Service provided with MIRACL Trust Proof meaning there are no additional charges associated with adding management users or access points.

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: British Assessment Bureau
• ISO/IEC 27001 accreditation date: 14/07/2023
• What the ISO/IEC 27001 doesn’t cover: Not applicable
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: No
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: We have a Security Policy and carry out regular risk assessment to then manage the identified risks. We also carry out internal audits that lead to continual improvement with corrective and preventative actions. Internal audits help in ensuring policies are followed. Information

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: We follow all the good practices both for secure software development and for infrastructure. We aim for everything as code (software, infrastructure, policies) approach which gives us a number of important features of the process: -Each change is reviewed by at least 2 people before it is accepted. - Audit log of all changes both code or infrastructure (infrastructure is built with code). - We can version state of the system and revert if needed. - We do Continuous Integration and Continuous Delivery (CI/CD).
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: We aim at limiting the surface that's managed by us and could be potentially vulnerable. We perform regular in-house vulnerability scanning and take actions based on the recommendations. We are able to apply patches within hours.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: The system generates reporting information on a daily basis. Any unusual activity will result in a SAR (suspicious activity report) going to the COO. An investigation (typically within hours) will occur. User ID's, if a compromise is suspected, will be blocked pending further investigation.
• Incident management type: Supplier-defined controls
• Incident management approach: The user will report the service issue via email, phone or on the user portal. The incident will be logged in our incident management system. The user will be notified by email of actions or progress made towards resolution of the incident. Priority will be given to : - Ensuring the service is not compromised - Then ensuring the user is capable of accessing the service - Finally determining the root cause analysis of the incident No pre-determined processes exist at present, as production incidents are negligible. We will monitor for patterns and create process as appropriate.

Secure development

• Approach to secure software development best practice: Conforms to a recognised standard, but self-assessed

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  Equal opportunity

  Equal opportunity

  The solutions and services we offer to G Cloud procurement organisations typically require new skill sets for which we provide employment and follow on mentorship training and growth opportunities.

Pricing

• Price: £0 to £0.05 a transaction
• Discount for educational organisations: Yes
• Free trial available: Yes
• Description of free trial: The first 1,000 transactions per month are free.

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at pwitheridge@groveis.com. Tell them what format you need. It will help if you say what assistive technology you use.