NetsNexi ID Authentication and eSignature suite
With the fully eIDAS and PSD2 compliant NetsNexi ID Authentication and eSignature suite, we provide lifecycle management of your customers' identities and authenticators, secure logon to self-service websites, and legally binding signing of documents. We also provide digital onboarding of new customers and authentication in the same app.
Features
- Customer self-service portal.
- Multiple authentication means, including a mobile app.
- Secure logon and secure website login, eIDAS compliant.
- Two-factor authentication according to eIDAS.
- Open-standard access to websites supporting OpenID Connect and SAML.
- Digitalised onboarding of new customers, providing user-friendliness and eIDAS compliance.
- Digital signing of legal documents and digital signature validation.
- Digital identity management providing creation, maintenance, and revocation of identities.
- Fraud reduction: gathering of risk data, device detection, IP address monitoring.
- Implementation of an ISMS which complies with ISO/IEC 27001:2013.
Benefits
- Modular design. Platform on OpenShift/Kubernetes for hosting microservices.
- User-friendly two-factor mobile app authentication supporting PIN or biometrics.
- Authenticator variety including password, OTP and FIDO U2F token.
- Built-in redundancy and replication ensure high availability and minimal downtime.
- Efficient integration based on RESTful APIs documented with Swagger.
- eIDAS and GDPR compliance with auditor assurance.
- Risk and Vulnerability Management process, including ISO 27002 testing of DDoS protection.
- Digitised processes: reduced manual work and onboarding of new customers.
- Secure authentication and remote ID verification.
- Reduced cost of new-customer onboarding; user friendly.
Pricing
£1,098,000.00 a unit
Service documents
Framework
G-Cloud 13
Service ID
497367223257441
Contact
Nets Denmark A/S
Sebastien Graux
Telephone: +45 51519195
Email: sebastien.graux@nexigroup.com
Service scope
- Software add-on or extension
- No
- Cloud deployment model
- Private cloud
- Service constraints
-
Web: minimum OS Windows 7; Mac: minimum macOS 10.15; mobile platforms: minimum iOS 12, minimum Android 9.
The Nets passport reader requires ICAO 9303 compliant ID documents. Mobile phones require a camera to read the MRZ and for self-image capture.
- System requirements
-
- Web browser or web application to interface with restful JSON
- E-Signing is accessed via a Nets proprietary web service interface
- Passport Reader as optional service is accessed via OIDC
User support
- Email or online ticketing support
- Yes, at extra cost
- Support response times
-
Nets provides e-mail support Mon-Fri 08-18 CET. Response time is a maximum of 12 working hours.
Support related to incident handling is available by phone and e-mail 24/7/365.
- User can manage status and priority of support tickets
- No
- Phone support
- Yes
- Phone support availability
- 9 to 5 (UK time), Monday to Friday
- Web chat support
- No
- Onsite support
- Yes, at extra cost
- Support levels
-
Service Desk opening hours
Working days: 08.00-20.00.
Weekends and holidays, including the day after Christ's Ascension Day and Constitution Day (5 June): 10.00-16.00.
24/12 + 31/12: 10.00-14.00.
End-user related support
Nets offers the following KPIs related to end-user support (tickets opened by the customer):
• At least 95% of all inquiries are answered within 120 seconds.
• 100% of all inquiries are answered within 180 seconds.
• At least 95% of all inquiries are processed and resolved within 8 hours.
Technical support
Nets offers the following KPIs related to technical support:
• 95% of all inquiries are answered within 120 seconds.
• 100% of all inquiries are answered within 180 seconds.
• At least 95% of all inquiries are processed and resolved within 2 days.
The listed support levels are included in our pricing. A Service Delivery Manager will be appointed to support the customer and ensure that other roles, such as a technical account manager or cloud support manager, are available if needed.
- Support available to third parties
- Yes
Onboarding and offboarding
- Getting started
-
Nets supports onboarding and offboarding of the buyer/customer/users by delivering different kinds of documentation.
1) The buyer/customer has access to documentation describing how to set up and interface with the solution. There is also access to a developers' site and testing environments to support integration with the buyer's own systems.
2) End-users have access to online documentation describing how to onboard and use the solution. Nets has proven that the documentation provided is sufficient to onboard and use the solution.
If additional support is needed, e.g. onsite or online training, Nets delivers assistance on a Time & Material basis. Hourly rates are listed in the price list.
- Service documentation
- Yes
- Documentation formats
- End-of-contract data extraction
-
Transaction data is registered in the database and can be retrieved via the addition of a log appender, so users can either pull data from the database or fetch it from the log appender at the end of the contract.
End-user perspective: electronically signed documents stored in the Nets E-Archive can be extracted by customers either through web services or by a customised process agreed with the customer.
- End-of-contract process
-
Nets has project management responsibility for the termination service and is responsible for the overall management of the activities and tasks that are necessary and appropriate for the termination service, as well as for project management of Nets' and the buyer's/customer's resources.
Nets will advise the Buyer/customer on the activities and tasks that are necessary and appropriate for the termination service.
Unless otherwise agreed, Nets has a duty of initiative in relation to the activities and tasks that are necessary and appropriate for the termination service. As part of the termination service Nets will deliver relevant documentation and deliver the agreed user data to the buyer/customer in an agreed format and in a secure way compliant with data regulation.
The termination service will be delivered on a Time & Material basis. Hourly rates are listed in the pricing list.
Using the service
- Web browser interface
- Yes
- Supported browsers
-
- Internet Explorer 11
- Microsoft Edge
- Firefox
- Chrome
- Safari
- Application to install
- Yes
- Compatible operating systems
-
- Android
- iOS
- Designed for use on mobile devices
- Yes
- Differences between the mobile and desktop service
- In the mobile version the client can be delivered as an independent mobile app or as an SDK that can be embedded into your own mobile app. In a web browser you also have extensive options to adjust the look and feel of the user interface and experience.
- Service interface
- Yes
- User support accessibility
- WCAG 2.1 AA or EN 301 549
- Description of service interface
- A portal is provided that enables your customer to perform self-service, i.e. management of own personal information and authenticators.
- Accessibility standards
- WCAG 2.1 AA or EN 301 549
- Accessibility testing
- Nets uses an efficient, end-user-centric design process and a robust UX governance setup. We have a detailed plan for UX activities in defined phases throughout our development and maintenance processes. This ensures continuous involvement of end-users and other stakeholders, e.g. organisations representing end-users with different kinds of disabilities, to ensure the assistive technology they use is supported by our solutions. You can also be certain of the rigour of our design system and the focus we put on measuring user experience over time. Our UX team, with senior specialists and deep experience from large-scale, high-security projects and innovation projects within conversational design and biometrics, ensures high-quality outcomes. Furthermore, we offer devices designed for visually impaired people.
- API
- Yes
- What users can and can't do using the API
-
Authentication API: allows the authentication frontends in the solution to carry out authentications. Each authenticator in the solution exposes an authentication API that is specific to that authenticator.
Administration API: exposes functionality enabling and supporting organisations to implement the administrative processes for end-user eID, authenticators, and credentials. The Administration API is the sole interface for programmatic access to end-user administration and identity and credential/authenticator-related support.
E-Signing API: e-signing flows can be embedded into the user's own business applications. The API supports initiating signing processes, receiving status information, changing existing processes and downloading signed documents.
- API documentation
- Yes
- API documentation formats
-
- Open API (also known as Swagger)
- Other
- API sandbox or test environment
- Yes
- Customisation available
- Yes
- Description of customisation
- All our interfaces are API based, meaning that you have maximum flexibility to customise the solution. Our mobile client can be provided as an independent app that can be customised to your preferred look and feel, or as an SDK that can be embedded into your own app. In a browser, the user experience of the authentication front end can also be adjusted to fit the specific nature of the authenticator and your preferred look and feel.
Scaling
- Independence of resources
-
Buyer/customer data is separated from Nets' own data and from other customers' data.
Nets uses Cisco ACI infrastructure to ensure uptime and security, which means that Nets has control over the entire network and can control which components/zones are allowed to communicate with each other.
When launching the solution, the buyer's/customer's forecast will be used to allocate the initial capacity needed. Due to the chosen architecture, capacity can be added on the fly to support the estimated volumes; reporting including trend analysis (number of users, usage per user, etc.) will also be used to adjust the capacity needed.
Analytics
- Service usage metrics
- Yes
- Metrics types
-
Monthly transaction statistics are provided as a part of the service:
- The number of document signatures.
- The number of archived digitally signed documents.
- The number of enrolled end-users and number of transactions.
- The number of end-users using the different kinds of devices (app, TOTP tokens, U2F tokens).
- Reporting types
-
- Real-time dashboards
- Regular reports
- Reports on request
Resellers
- Supplier type
- Not a reseller
Staff security
- Staff security clearance
- Other security clearance
- Government security clearance
- Up to Baseline Personnel Security Standard (BPSS)
Asset protection
- Knowledge of data storage and processing locations
- Yes
- Data storage and processing locations
-
- United Kingdom
- European Economic Area (EEA)
- User control over data storage and processing locations
- Yes
- Datacentre security standards
- Complies with a recognised standard (for example CSA CCM version 3.0)
- Penetration testing frequency
- At least once a year
- Penetration testing approach
- Another external penetration testing organisation
- Protecting data at rest
- Other
- Other data at rest protection approach
-
Cryptographic data used by authenticators in connection with authentication is encrypted and integrity protected in the database.
The confidentiality and integrity scheme uses symmetric keys for encrypting the database data. The symmetric keys are encrypted using HSM private keys, and these encrypted keys are stored in the database. Only the application (through use of the HSM) has access to the encryption keys used for confidentiality and integrity protection.
Access to the database(s) is restricted. An application can only encrypt and decrypt data within its own scope and can only modify integrity protection of data in its own scope.
- Data sanitisation process
- Yes
- Data sanitisation type
- Deleted data can’t be directly accessed
- Equipment disposal approach
- Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001
Data importing and exporting
- Data export approach
- The end-user can export the data registered in the solution in accordance with GDPR. As part of the termination service the customer will receive a file with registered end-users.
- Data export formats
- Other
- Other data export formats
-
- XML based SDO (Signed Data Object) for signed documents
- PDF for signed documents
- Data import formats
- Other
- Other data import formats
-
- XML based SDO (Signed Data Object) for signed documents
- PDF for signed documents
Data-in-transit protection
- Data protection between buyer and supplier networks
- TLS (version 1.2 or above)
- Data protection within supplier network
-
- TLS (version 1.2 or above)
- Other
- Other protection within supplier network
- Authentication uses authenticator-specific secure cryptographic protocols based on cryptographic standards. These protocols have security properties protecting against eavesdropping, manipulation and replay attacks. E-Signing servers are inside a dedicated security room with no external access.
Availability and resilience
- Guaranteed availability
-
Nets services are operated with a service availability guarantee of 99.5%, measured on a monthly basis.
In the event that availability falls below the agreed SLA target, the following SLA compensations for the Production environment will apply:
- Measured availability 99.5% or over = 0% of the monthly service fee.
- Measured availability 99.0-99.49% = 2% of the monthly service fee.
- Measured availability 98.5-98.99% = 5% of the monthly service fee.
- Measured availability below 98.5% = 10% of the monthly service fee.
- Approach to resilience
- Nets services are operated in different data centres and with failover infrastructure ensuring operational stability. Furthermore, each data centre is dimensioned to handle the service by itself. All data centres comply with the TIA-942 Tier 3 standard. More details can be shared on request.
- Outage reporting
- Monthly service reports include service availability and response times for the services in scope. Outages are reported via SMS and e-mail, including regular status updates.
Identity and authentication
- User authentication needed
- Yes
- User authentication
-
- 2-factor authentication
- Other
- Other user authentication
-
NetsNexi App + PIN or NetsNexi App + biometrics
The NetsNexi App includes a PIN which is validated centrally. This is, in itself, a genuine two-factor authentication solution with a knowledge element and a possession element.
Password + OTP/OTP Audio Reader
The OTP or the OTP Audio Reader combined with a password accomplishes multi-factor authentication with a possession element and a knowledge element.
Password + Chip (U2F Token)
The Chip combined with a password accomplishes multi-factor authentication with a possession factor and a knowledge factor.
Authentication based on other electronic IDs supported by the E-Signing service.
- Access restrictions in management interfaces and support channels
-
Nets has extensive experience with segregation of duties, such as access control and dual access (four-eyes principle), as well as mitigating controls such as reviewing audit logs. The following controls are implemented in the solution:
• Use of HSMs (Hardware Security Modules) for critical cryptographic keys.
• Logical separation of functions in all pre-production and production environments, supported by Nets' Identity Management System.
• Access controls, both physical and logical.
• Securing of transaction and control tracks.
• Approval of changes.
• Design review, code review, and security testing performed by two parties.
• Quarterly review/follow-up of logs, including transaction and control tracks.
- Access restriction testing frequency
- At least once a year
- Management access authentication
-
- 2-factor authentication
- Public key authentication (including by TLS client certificate)
- Other
- Description of management access authentication
-
Physical access is based on roles and privileged entitlements given to personnel in trusted positions. The roles and privileges are implemented in the electronic keypads on the doors to the datacentres. The process for assigning roles and privileges follows the procedure described in the Nets Identity and Access Management Framework and includes approval by Line Managers and Group Security.
Nets Line Managers audit their employees' access to the datacentres biannually, to ensure access is only granted as long as it is necessary.
Audit information for users
- Access to user activity audit information
- You control when users can access audit information
- How long user audit data is stored for
- User-defined
- Access to supplier activity audit information
- Users receive audit information on a regular basis
- How long supplier audit data is stored for
- At least 12 months
- How long system logs are stored for
- At least 12 months
Standards and certifications
- ISO/IEC 27001 certification
- Yes
- Who accredited the ISO/IEC 27001
- Nemko AS
- ISO/IEC 27001 accreditation date
- 26/10/2020
- What the ISO/IEC 27001 doesn’t cover
- NetsNexi authentication suite is not certified according to ISO/IEC 27001 but is compliant with ISO/IEC 27001.
- ISO 28000:2007 certification
- No
- CSA STAR certification
- No
- PCI certification
- Yes
- Who accredited the PCI DSS certification
- Adsigo AG, Advantio Ltd, Foregenix Ltd
- PCI DSS accreditation date
- 02/03/2022
- What the PCI DSS doesn’t cover
- N/A
- Cyber essentials
- No
- Cyber essentials plus
- No
- Other security certifications
- Yes
- Any other security certifications
-
- Passport Reader: Identity proofing compliance according to ETSI TR 119-461
- Passport Reader: Equivalent assurance to remote-physical presence, eIDAS 910/2014
- Passport Reader: Registration service for qualified certificates according to ETSI 319 411-2
- Passport Reader/E-Signing: ISO 9001 Quality management system
- Passport Reader/E-Signing: ISAE 3000/3402: Data processing and data protection
Security governance
- Named board-level person responsible for service security
- Yes
- Security governance certified
- Yes
- Security governance standards
- ISO/IEC 27001
- Information security policies and processes
-
Nets has implemented an Information Security Management System (ISMS) that complies with ISO/IEC 27001:2013.
The ISMS is a structured overview of relevant policies, guidelines, and procedures in relation to the service including the Statement of Applicability (SoA). The goal is to minimize risks and ensure stable operations by proactively limiting the impact of threats and incidents.
The ISMS manages the processes required to ensure the necessary protection of information assets and data in the services.
Operational security
- Configuration and change management standard
- Supplier-defined controls
- Configuration and change management approach
- For over 10 years, the ITIL v3 framework has formed the basis for the vital processes on which Nets IT operations are based. The processes ensure optimal operation with maximum uptime as well as correct and fast communication to all stakeholders. All components are listed in our CMDB to ensure an overview of components and the relationship between components and services. All changes are handled in our IT Service Management (ITSM) tool and no changes are implemented without being reviewed and approved. Potential security impacts and other operational impacts are evaluated as a part of the process.
- Vulnerability management type
- Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
- Vulnerability management approach
-
The Risk and Vulnerability Assessment is maintained through the lifetime of the solution using periodic threat modelling and risk assessment activities. Threat modelling sessions and risk assessments are performed periodically but are also triggered by design activities and feature development.
The Risk and Vulnerability Assessment receives input from a wide variety of events, including security events. Nets' Computer Emergency Response Team has a structured process for evaluating accumulated events. In this way Nets' Computer Emergency Response Team ensures that experience results in changes to processes, training, the configuration of tools, and additional controls.
- Protective monitoring type
- Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
- Protective monitoring approach
-
One of the functions under the Service Desk is IT Business Services (ITBS), which operates 24/7/365, performs system monitoring and handles alarms. The team works based on ITIL best-practice principles and can initiate the incident management process on the basis of incidents detected in system monitoring. The Service Desk reviews the inquiry and creates a case in the ITSM system before sending the case to the relevant resolver group. We have categorised incidents into four severity categories with the following response times:
Priority A - immediately, Priority B - <15 minutes, Priority C - <4 hours, Priority D - <8 hours.
- Incident management type
- Supplier-defined controls
- Incident management approach
- The Service Desk is the customers' entry point to the support organisation and ensures efficient and fast troubleshooting. Customers contact the Service Desk via e-mail or telephone. The Service Desk also handles the ongoing communication with the customers. The Service Desk reviews the inquiry and creates a case in the ITSM system before sending the case to the relevant resolver group. When the incident is resolved the customer is informed. As part of the monthly reporting, there will be statistics covering the number of incidents, severity, etc.
Secure development
- Approach to secure software development best practice
- Conforms to a recognised standard, but self-assessed
Public sector networks
- Connection to public sector networks
- No
Social Value
- Fighting climate change
-
Access to digital self-service applications reduces the need for transportation. Digital signing reduces the need for paper.
In general, Nets, as part of Nexi Group, has committed to being Net-Zero by 2040 and will work to set reduction targets for scopes 1, 2 and 3 that can be validated by the Science Based Targets initiative.
- Covid-19 recovery
-
Across Nets there have been a number of initiatives to promote health and well-being during the lockdowns and long periods of working from home, including webinars on well-being, training and communication for managers, and employee engagement surveys. In 2020 Nets created the Nets COVID-19 Relief Fund, which supported 9 causes and where employees could also volunteer to help out; the work was carried out in 2021. In 2022 Nets has responded to the war in Ukraine through fundraising and various initiatives across the different brands and legal entities in Poland and Germany.
- Tackling economic inequality
-
In 2021 Nets launched a Diversity & Inclusion Board that prioritises and oversees the activities implemented in this field. This includes an equal pay review and several activities to promote female talent, including a project on diverse hiring with the aim of having 40% female applicants and hires in the future.
- Equal opportunity
-
In 2021 Nets launched a Diversity & Inclusion Board that prioritises and oversees the activities implemented in this field. This includes an equal pay review and several activities to promote female talent, including a project on diverse hiring with the aim of having 40% female applicants and hires in the future.
- Wellbeing
-
Nets has continued to provide support for employees during the global pandemic to enable them to work from home. This has included guidelines and tools for how to cope with the situation, as well as the loan of office and IT equipment. In 2021, Nets worked together with an external provider to offer a series of online webinars which focused on helping employees to combat fatigue and maintain their health while remote working. Hybrid working guidelines were also made permanent during the year, to enable employees to work in a more flexible way, while an allowance was introduced for employees to purchase permanent home office equipment.
Pricing
- Price
- £1,098,000.00 a unit
- Discount for educational organisations
- No
- Free trial available
- No