Inverid Software B.V.

ReadID - Identity Document Verification (Optional Face and Optical Verification)

ReadID securely reads and verifies Passports, BRPs, BRCs and other Identity Documents on Smartphones using NFC chip technology. ReadID also orchestrates Facial Verification and for non-chipped documents we provide Optical Verification services.

ReadID is provided as SaaS with a mobile SDK, or a white-label ready-to-use app, or in client-only format.

Features

• Verification of ICAO9303 Passports, ID/Residence Permits with NFC
• Optical verification of documents and facial verification
• Machine Readable Zone scanning/OCR optimised for smartphones
• Secure, Straight-through processing
• Extraction of High-resolution face image from the chip
• Digital signature verification and cloning detection at server side
• SDK to build into own app and Ready-to-use app available
• Test documents provided to allow testing without personal data
• Server-side (REST) APIs to get access to verification results
• Management Portal and Customer analytics dashboard for performance measurement

Benefits

• Used for Digital Identity and Attributes Trust Framework (DIATF)
• No manual input, OCR mistakes using NFC
• Server-side verification allows for self-service remote verification
• Secure and privacy-friendly, Good Practice Guide (GPG) 45 High Compliant
• Customisable UX, easy to use by end users
• Dynamic animations help users by maximising conversion and satisfaction
• Full control over customer journey
• Fully automated and scalable; full coverage with optical fallback.
• Data via ReadID server in (signed) XML, JSON and PDF
• High-resolution image in chip for better face verification

£0.50 to £3.95 a transaction a month

• Free trial available

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at readid@inverid.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

407817361930293

Contact

Maarten Wegdam
+31 53 4878178
readid@inverid.com

Service scope

• Software add-on or extension: Yes, but can also be used as a standalone service
• What software services is the service an extension to: Orchestration of Optical (OCR) verification and Face (liveness and matching) verification.
• Cloud deployment model:
  • Public cloud
  • Private cloud
  • Community cloud
  • Hybrid cloud
• Service constraints: ICAO 9303 NFC verification needs to be undertaken on a suitable iOS or Android device such as all modern smartphones.
• System requirements:
  • Android mobile phones/tablets with NFC (Android v7 and higher)
  • IPhones with NFC (from iOS 14, iPhone 7 and higher)

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: The response time depends on the priority, see Service Definition document for full details.; There is 24x7 support for highest priority issues; for other issues, office hours apply.; ; Online ticketing system is available to customers only - not open to end users. WCAG support question below is therefore not applicable to online ticketing system.
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: None or don’t know
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: There are generic support channels (email, phone).; Support is included in the price. ; Additional professional services are available at a daily rate as per SFIA rate card.; Each customer will get a primary technical contact during the implementation phase. On request, this can be continued after the implementation phase.; Extended support hours are possible at additional costs.; For P1 incidents there is 24x7 support.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: At the start there will be a kick off with the customer, in which the use-case will be explained and understood. Then we explain the technology and options regarding potential (happy/unhappy) flows, technical integration and business rules. Throughout the implementation phase a technical implementation lead is made available to the customer.; ; If the SDK is used, the customer (buyer) has full control over the functionality and UX of the app, and thus has to provide own user documentation. Templates are available from Inverid.; ; For the white label app there is user documentation provided by Inverid.; ; We can provide additional online and onsite user training as needed. ; ; Of course, we provide implementer and developer documentation to explain our SDKs, APIs and other aspects of the service implementation - all accessed through an IAM managed customer portal.; ; In addition to supported onboarding Inverid offers the production and supply of happy flow and unhappy flow Test Documents (both ID Card and Passport formats) for country "Utopia" for development, testing and training purposes.
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
• End-of-contract data extraction: The ReadID server API allows extracting of all identity document data.; ; The ReadID servers only cache the identity document information, i.e., we do not provide long-term storage, since we do not need to have access to this very privacy sensitive information. This data will also have been extracted during the contract.; ; Audit information can be extracted at the end of the contract at an additional cost.
• End-of-contract process: There are no additional costs.; ; Access to the API is removed. Customer (buyer) will have to stop using the SDK/libraries at the date the contract ends.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
• Application to install: Yes
• Compatible operating systems:
  • Android
  • IOS
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: Yes. The solution to use NFC technology requires a smartphone. ; ReadID Ready, the ready-to-use white-label app, can be triggered from a desktop or mobile web-session through, for example, a QR code. ; There is a desktop (browser) based management portal for the service, but this is only for the customer (administrator) to manage the service, not to use the service.
• Service interface: Yes
• User support accessibility: WCAG 2.1 AA or EN 301 549
• Description of service interface: If the Customer uses the ReadID SDK, the service interface will be defined by the Customer. For ReadID Ready, the ready-to-use app is provided by Inverid direct to the end-user.
• Accessibility standards: WCAG 2.1 AA or EN 301 549
• Accessibility testing: Regular usability end-user testing is conducted.
• API: Yes
• What users can and can't do using the API: There is a client-side SDK/API, i.e., to implement into a mobile app. This can call the Machine Readable Zone (MRZ) scanning and Visual Inspection Zone (VIZ) capture functionality and the NFC reading functionality.; ; There is server-side REST API, to get the results of the identity document VIZ capture, chip data and chip verification results.; ; In case of orchestration with optical (OCR) and/or facial verification, additional results will be provided via the same server REST API.
• API documentation: Yes
• API documentation formats:
  • HTML
  • PDF
  • Other
• API sandbox or test environment: Yes
• Customisation available: Yes
• Description of customisation: ReadID can be considered a toolbox, where the customer (buyer) can determine how to use it and integrate this in the mobile app. For example, how to implement the UX and what security mechanisms to use.; ; There is a white-label ready-to-use app (ReadID Ready) which can be customised, by Inverid for customers, including for specific branding requirements and preferred user journey.; ; Also, there is a Client-Only option for specific use cases.

Scaling

• Independence of resources: ReadID is fully automated and can scale almost unlimitedly. ReadID undertakes auto-scaling.; ; ReadID can be provided as a multi-tenant environment (shared resources) or as a single-tenant environment which is fully at the disposal of the customer.

Analytics

• Service usage metrics: Yes
• Metrics types: Metrics on ReadID's operations are supplied via an online management portal in which the customer (buyer) can see information such as the number of transactions executed per period of time (hour, day, month, year, etc.) and audit logs. ; ; In addition the customer (buyer) will have access to the specific Customer dashboard containing details such as processed documents, security features, countries and smartphones.
• Reporting types: Real-time dashboards

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Security Clearance (SC)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations:
  • United Kingdom
  • European Economic Area (EEA)
• User control over data storage and processing locations: Yes
• Datacentre security standards: Supplier-defined controls
• Penetration testing frequency: At least every 6 months
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest:
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
• Data sanitisation process: Yes
• Data sanitisation type:
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: Identity document data is exported via the provided REST API.; Alternatively, the management portal allows manual export (JSON, XML or PDF). Exported data is encrypted and can be signed.; ; Billing data is exported via the management portal, as CSV.
• Data export formats:
  • CSV
  • Other
• Other data export formats:
  • JSON
  • XML
  • PDF
• Data import formats: Other
• Other data import formats: Not applicable

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • TLS (version 1.2 or above)
  • Legacy SSL and TLS (under version 1.2)
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: We offer a 99.5% availability in our default SLA.
• Approach to resilience: We use a combination of 1) several servers that are stateless and automatically restart if unhealthy, 2) redundant database and 3) several availability zones.
• Outage reporting: We monitor the service via different means, including automated end-to-end tests. If there is an outage, the customer is notified via email.; ; The customer has the option to access a customer dashboard.

Identity and authentication

• User authentication needed: Yes
• User authentication: Other
• Other user authentication: How/if the end-users authenticate in the app is up to the customer ( buyer), if the SDK is used. For the ready-to-use app they need a token, e.g., provided as a QR code.; ; The apps/SDK need to use a password-like authentication mechanism (static or dynamic); this is hidden from the end-users.
• Access restrictions in management interfaces and support channels: For the management interface two-factor authentication is used. ; ; For the support channel one-factor authentication is used.
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users have access to real-time audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: TÜV AUSTRIA Deutschland GmbH
• ISO/IEC 27001 accreditation date: 20/12/2023
• What the ISO/IEC 27001 doesn’t cover: Not applicable
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: Yes
• Other security certifications: Yes
• Any other security certifications:
  • ISO27701 (Privacy Management)
  • Component certification eIDAS for QTSP
  • Component certification eIDAS eIDAS High
  • SOC II type 2

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: Important roles for the security polices are a CISO and DPO.; ; Our ISO27001 ISMS and Security documentation details the information security policies and processes, including internal and external audits if they are properly followed. Details are available upon request.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: We use a state of the art source code repository system, including issue tracking. We combine this with processes such as manual code reviews and automated source code scans.
• Vulnerability management type: Undisclosed
• Vulnerability management approach: We have very strict processes for this, including monitoring public sources for known vulnerabilities and frequent patching.; ; Details are available to customers.
• Protective monitoring type: Undisclosed
• Protective monitoring approach: We use a combination of an intrusion detection system, centralized logging on different layers and a 24x7 team to respond to potential compromises.; ; Details are available to customers.
• Incident management type: Undisclosed
• Incident management approach: This is part of our ISO27001 certified ISMS, and includes a formalised data breach policy.; ; Details are available to customers.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Covid-19 recovery
  • Tackling economic inequality

  Fighting climate change

  ReadID as a secure, remote, identity verification tool can be utilised to reduce carbon emissions by allowing individuals to avoid travel to verify in person.

  Covid-19 recovery

  ReadID as a secure, remote, identity verification tool is ideally supportive of organisations and individuals such as those shielding for health reasons.

  Tackling economic inequality

  ReadID as a secure, remote, identity verification tool is ideally placed to support verification of individuals in remote areas who may otherwise be disaffected by the need to incur costs to verify in person.

Pricing

• Price: £0.50 to £3.95 a transaction a month
• Discount for educational organisations: No
• Free trial available: Yes
• Description of free trial: The free to use ReadID Me personal app is available in the App and Play Store. ; ; Contact us for access to other iOS or Android apps.; ; Access to the APIs is not included in the free trial.
• Link to free trial: For Android this is: https://play.google.com/store/apps/details?id=nl.innovalor.nfciddocshowcase or For iOS this is: https://apps.apple.com/nl/app/readid-nfc/id1463949991

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at readid@inverid.com. Tell them what format you need. It will help if you say what assistive technology you use.