CONDATIS GROUP LIMITED

Portable Identity Orchestration - Cenda by Condatis

Decentralised identity platform, Cenda© simplifies the orchestration of decentralised identity user journeys. The platform provides Verifiable Credential and Trust Framework capabilities using industry standards, supporting integration with existing data sources, verifiable credential and identity verification service providers, eliminating vendor lock-in and future proofing deployed solutions.

Features

• Decentralized Identity Service
• Allows customers to easily issue and verify credentials
• Enables passwordless sign-in journeys
• Integrates with existing systems
• Custom credentials and proof/presentation requests
• Integrates with other services, such as identity verification services

Benefits

• Simplifies credential issuance and verification
• System-neutral solution
• Supports easy integration with verifiable credential services
• Trusted data exchange use a Trust Framework
• Supports multiple user journeys via the same architecture
• Privacy preserving (minimum data is required)
• Providing identity technology future proofing, extensibility and reusability
• Extends identity across organisational boundaries
• Easily integrates Verifiable Credentials with IAM systems

£500 to £10,000 a licence a month

• Education pricing available
• Free trial available

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at sales@condatis.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

393987150873775

Contact

Chris Tate
0800 538 5533
sales@condatis.com

Service scope

• Software add-on or extension: Yes
• What software services is the service an extension to: Verifiable Credential providers: such as Microsoft Verified ID and Others; ; Identification Verification Service providers: such as Yoti - Onfido - Others
• Cloud deployment model: Public cloud
• Service constraints: No - Cenda is delivered via public cloud services, with constraints per that cloud and cloud service(s).
• System requirements:
  • Access to cloud services (at an organisational and procurement level)
  • Appropriate connectivity (internet access)

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Dependent on customer requirements, notification, logging and responses can be immediate.
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: WCAG 2.1 AA or EN 301 549
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: Condatis provides SLA-backed break-fix support 24/7 as part of the SaaS version of Cenda. For deployed systems, Technical account managers and cloud support engineers can be available for all 3rd line support levels depending on the specific agreement.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: Combination of online training, user documentation and workshops.
• Service documentation: Yes
• Documentation formats:
  • HTML
  • ODF
  • PDF
• End-of-contract data extraction: Configuration, Audit and Billing data stored in the system can be extracted for the purposes of migration / deletion. This work could be undertaken by the authority with required support from Condatis.; ; No PII data is persisted within the service.
• End-of-contract process: All data is extracted and deleted. The customer's instance of Cenda is deactivated and access removed.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: Yes
• Compatible operating systems:
  • Android
  • IOS
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: The service supports mobile device deeplinking and QR code display for both mobile and desktop devices.; ; Web experience is via adaptive templates. Experience is ultimately dependant on user's device, operating system and browser of choice.
• Service interface: Yes
• User support accessibility: WCAG 2.1 AAA
• Description of service interface: QR code display screen.
• Accessibility standards: WCAG 2.1 AAA
• Accessibility testing: Baseline accessibility testing has been performed.
• API: Yes
• What users can and can't do using the API: Users can perform the following:; - Onboarding; - Create new credentials; - Verify credentials; - Configure identity journeys; - Configuration of trust framework; - Credential management, including revocation
• API documentation: Yes
• API documentation formats:
  • Open API (also known as Swagger)
  • HTML
  • PDF
• API sandbox or test environment: Yes
• Customisation available: Yes
• Description of customisation: Users can add custom credentials and create custom verification requests - this can be done via the API.; ; Users can use the API to configure when an issuance, verification or Identity verification check happens within a custom flow.; ; Nominated users can be given access to the API (secured access).; ; Users can customise the look and feel of the product.

Scaling

• Independence of resources: System autoscales according to load through the public cloud architecture.

Analytics

• Service usage metrics: Yes
• Metrics types: Metrics include: Number of credential issuances - Number of credential verifications - Number of identity verification checks - Service uptime (or downtime) - User traffic over a specific period - Any failed requests
• Reporting types:
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Developed Vetting (DV)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations:
  • United Kingdom
  • European Economic Area (EEA)
• User control over data storage and processing locations: Yes
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest:
  • Physical access control, complying with CSA CCM v3.0
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
• Data sanitisation process: Yes
• Data sanitisation type:
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: Data stored in the system can be extracted for the purposes of migration / deletion. This work could be undertaken by the authority with required support from Condatis.
• Data export formats:
  • CSV
  • ODF
  • Other
• Other data export formats: JSON
• Data import formats: Other
• Other data import formats: JSON

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • Other
• Other protection within supplier network: Encryption (AES 256) of data at rest.; Message level security through signing and verifying requests.

Availability and resilience

• Guaranteed availability: Condatis SLA(s) indicate service availability. This is backed by cloud provider's own SLA(s). Condatis and cloud provider offer service credits where SLA availability is not met.
• Approach to resilience: Azure resilience from a cloud provisioning perspective can be enhanced by configuring some elements to be georedundant or manually configuring failover duplicates in other regions or datacenters.; ; Customisation based on client needs is possible.
• Outage reporting: Outage reporting is per SLA and can include: - dashboard - email alerting - telephone alerting

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • Public key authentication (including by TLS client certificate)
  • Other
• Other user authentication: Application client ID and secrets
• Access restrictions in management interfaces and support channels: Access to system interfaces is restricted by username and password, and additional factors as required. Also, the authority's own access technology (e.g., if access is federated).
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: User-defined
• Access to supplier activity audit information: Users have access to real-time audit information
• How long supplier audit data is stored for: User-defined
• How long system logs are stored for: User-defined

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: Centre for Assessment (CfA)
• ISO/IEC 27001 accreditation date: 27/05/2022
• What the ISO/IEC 27001 doesn’t cover: Condatis' ISO 27001 statement of applicability covers all the controls defined by ISO 27001 with the exception of 14.2.7 Outsourced development and 11.1.6 Delivery and Loading Areas because they do not apply to Condatis.
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: Yes
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: Information Security Manager reports to CEO. ; Regular internal and external audit and management review meetings ensure the following are followed:; Information Security Objectives Information Classification policy, Information Handling policy, Document Control policy, Clear Desk and Clear Screen policy, Secure Development policy, Mobile Computing and Remote Working policy, Access Control policy, Acceptable Use policy, Cryptographic policy, Anti-virus and anti-malware policy, Software Installation policy, Supplier Security & Quality policy, Business Continuity Management policy, Network Security policy, Secure Systems Engineering policy, Media Destruction policy, Communications policy, Password policy, Security Updates policy, Capacity Management policy, Hardware Disposal policy, Data Retention policy, Privileged Utility Programs policy, IPR Management policy, Guest Control policy, Condatis Backup policy, Sustainability policy, Security incident management procedure, Employees departure and arrival processes, Change Management procedure, Risk Assessment methodology

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: Condatis operates an agile development lifecycle where feature changes are defined by PBIs (product backlog items). Developed code is version controlled as it passes through a gated release process that is an intrinsic part of the develop, build & deploy DevOps process. Release builds (software components deployed to Azure assets) are strictly controlled within the Azure DevOps platform, and cascade from development to test and pre-production environments before final deployment to production. Changes at organisational level undergo an ITIL change management process, where the CAB (change authority board) evaluates impact and implications for proposed changes before they are authorised.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: Computer endpoints are regularly scanned for vulnerable software, Windows updates are regularly applied, malware protection software is installed. Security advisories are regularly monitored and actioned accordingly. The solution deployment within the build pipeline will typically include processes for checking for vulnerabilities in code (Secure Code Scan) and in external software components used (Dependency Checker). Once the solution is deployed within the Azure cloud infrastructure, the use of Defender For Cloud will continually assess the security posture and be monitored for any relevant risk mitigation actions.
• Protective monitoring type: Undisclosed
• Protective monitoring approach: Alert monitoring based on transactional volumes processed by Cenda.; ; Add-on monitoring possible using 3rd party partner services, such as ITC Secure.
• Incident management type: Supplier-defined controls
• Incident management approach: We operate an ITIL-aligned support desk ticketing solution that is able to track the incident lifecycle stages of logging, triage, categorisation, prioritisation, analysis, resolution and post-incident review. Incidents are reported via alerts or by users through email, phone or portal channels. Incidents can transition to problem tickets where root cause and subsequent full resolution can be established. An incident playbook is maintained for common incident types with respective responses, along with a knowledge base accessible via customer portal. Incident reports with timelines, impact and root cause analysis will be provided as part of post-incident engagement with customer.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Covid-19 recovery
  • Tackling economic inequality
  • Equal opportunity
  • Wellbeing

  Fighting climate change

  We are committed to continuous action that helps flight climate change and works towards ‘net zero’ status. Our current initiatives to support environmental sustainability are as follow: ; • Our engagements, workshops and on-boarding are standardised around Teams or Zoom calls including demos, white boarding and retrospectives. ; • Whilst we encourage colleagues in the Edinburgh area to visit the office once a week, we work flexibly, thereby enabling colleagues to travel in quieter times and make use of public transport where possible. We have taken this approach since Covid rules were removed resulting in a reduction of travel, company-wide, by 95% and thereby reducing our carbon footprint. ; • Our serviced office uses energy efficient lighting and appliances. We reduce waste through our recycling system and near paperless operations. ; • We will also use any G-Cloud contracts to assist us in achieving ISO 14001 the environmental standard which will in turn involve us vetting our suppliers and partners over their environmental impact. ; • We can leverage distributed ledger technology to support environmental initiatives and drive influence with a positive impact on suppliers, partners and customers.

  Covid-19 recovery

  During COVID-19, we moved to a fully remote office, allowing all colleagues to continue in employment from their own home while still being able to fulfil all the obligations to our customers and complete contracts on time and to standard. ; We now work with a hybrid model where colleagues living locally are encouraged to work from the office once a week. Colleagues further away visit the office once a fortnight or once a quarter (location dependant), to support social connections and collaboration between and across teams. ; Condatis is able to support those shielding or impacted by Covid by continuing to provide full time remote working for those that want/require it. We also continue to provide a home office set up for all colleagues. This allows Condatis to provide valuable employment for those affected or shielding from Covid while still being able to deliver services as per the contract and customer requirements.; During and post-Covid Condatis offered physical and mental health training to colleagues, including Mental Health First Aid, Mental Health Awareness for Managers, Resilience Training and First Aid at Work. As we develop our wellbeing approach we will continue to provide wellbeing training and awareness sessions to all colleagues and through these initiatives our intention is that this will help to reduce the demand on the health and care services.

  Tackling economic inequality

  Through the following initiatives, Condatis is committed to playing a role in helping to tackle economic inequality in our society:; • We advocate and educate other employers to support apprentice programmes. We have presented to over 100 companies about the benefits of having apprentices as part of the Scottish Apprenticeship week. ; • Partnerships: this year we will be developing our CSR approach through partnerships with organisations who exist to support those who are marginalised and/or face barriers to employment. ; • We are currently supporting the Saltire Scholar Programme run by Entrepreneurial Scotland by offering a summer internship to an undergraduate. The internship provides experience on live commercial projects and the opportunity to work with new technologies and expert technologists in their field, thereby creating a training opportunity that supports a high growth area of the market.; • Colleagues are remunerated in line with external benchmarking data and we commit to an annual salary review.; • We are a Real Living Wage Employer and committed to paying our colleagues according to the cost of living.

  Equal opportunity

  One of Condatis’ core values is 'Inclusive' which means we strive to create an environment where everyone feels respected and heard and has a sense of belonging. Our values and behaviours as well as business policies and operations promote equity and fairness to avoid bias, prejudice or discrimination. We are committed to ensuring that recruitment, training, development and promotion procedures result in no candidate or colleague receiving less favourable treatment because of a protected characteristic. Our aim is to ensure that our processes are equitable and inclusive and that skills, knowledge and behaviours are assessed as objectively as possible and that everyone has equity of opportunity.; We will continue to provide training for all colleagues based on personal development plans and promotion opportunities based on transparent and objective criteria. ; This year we are committed to developing our approach to diversity, equity and inclusion through:; • A review of key processes and follow-up action to further improve accessibility and inclusivity in our behaviours and our operations.; • Developing our partnerships with organisations who exist to support those who are marginalised and/or face barriers to employment. ; • Working with a local partner to champion women in technology ; • Providing inclusion training for all colleagues involved in recruitment and selection.; • Becoming a Real Living Wage Employer

  Wellbeing

  We believe that good mental and physical wellbeing is key to thriving at work and performing well. As an employer, we take our duty of care seriously and seek to empower colleagues with knowledge and resources to help them look after their health, and offer support to colleagues who may be struggling. Our key wellbeing initiatives are: ; • We have a team of trained Mental Health First Aiders, who provide confidential support to colleagues in need.; • We have a Wellbeing Hub that offers practical ways to sustain and improve wellbeing as well as guidance on staying active and helping others. ; • Our managers have weekly 1:1 meetings with each team member in which wellbeing is discussed and any issues are supported with confidentiality and sensitivity.; • Volunteering Days – we recognise that giving back and helping others is not only good for our communities but also for our own wellbeing, so every colleague is encouraged to take a volunteering day each year to support a cause important to them. ; • This year we will be launching Able Futures, a government mental health initiative, to offer all colleagues access to a mental health professional should they need it. ; • As part of our own supplier assessments, we ensure that any third party supplier needs to meet our own ethical standard, which includes their treatment of their workforce. We do the same for prospective customers.

Pricing

• Price: £500 to £10,000 a licence a month
• Discount for educational organisations: Yes
• Free trial available: Yes
• Description of free trial: Prospective clients can be provided with time limited access to a fully functional trial environment. The trial version should not be used with live PII data and is intended for test and evaluation purposes only.

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at sales@condatis.com. Tell them what format you need. It will help if you say what assistive technology you use.