Entrust Datacard (Europe) Limited

Identity Verification as a Service (IDVaaS)

IDVaaS is a mobile digital enrolment and identity verification service. IDVaaS uses common smartphone technology and app to guide applicants through a private, secure and convenient self-service process 100% remotely. IDVaaS incorporates realtime biometric and document authentication checks, liveness detection and works with all common forms of machine-readable ID documents.

Features

  • Applicants use their phone to register and verify claimed identification
  • Intelligent multilingual guidance on privacy and applying with video assistance
  • OCR scan of the Passport or ID Card transcribes biographics
  • Checks document authenticity, integrity and validity and detects fakes
  • Authenticates a selfie using facial matching comparing face from chip
  • Configurable rules-based workflow automates casework, eligibility checks and decisions
  • Validates citizen, migrant or client identification and lost or stolen
  • Integrates easily with a digital identity ecosystem and enrolment processes
  • Compatible with all ICAO compliant ISO/IEC 14443 enabled ID documentation
  • Includes optional payment gateway functionality for fee collection

Benefits

  • Supports settlement, ETA, eVisa, ePassport, residency and digital onboarding programmes
  • Remote application means no government facility visit is required
  • Selfie matching against document chip with liveness detection recognises/authenticates users
  • Secure, private, app guides applicants and obtains informed consent
  • eID chip reading using iOS/Android phone NFC & MRZ scanning reduces errors
  • Checks validity, authenticity and integrity of ePassports or eID
  • GDPR compliant, ISO accredited, components deliver cyber security
  • Scalable, integrates via API with other systems and applications
  • Configurable workflow allows integration within application enrolment or registration processes
  • Provides a trusted Identity as a Service (IaaS) capability

Pricing

£0.55 to £1.00 a transaction

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at robert.hann@entrust.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

533695908485991

Contact

Entrust Datacard (Europe) Limited Robert Hann
Telephone: 07818 552411
Email: robert.hann@entrust.com

Service scope

Software add-on or extension
No
Cloud deployment model
Public cloud
Service constraints
Mobile application is currently constrained to Android and iOS devices subject to technology innovations and client requirements.
System requirements
  • Applicant: Connectivity via the cellular network or Wi-Fi
  • Applicant: Smartphone with camera to conduct the facial biometric check
  • Applicant: 3G or higher connection, can also use GPRS link
  • Applicant: A modern browser that supports HTML5 and HTTPS connections

User support

Email or online ticketing support
Email or online ticketing
Support response times
Support is 24/7 where a Critical (severity 1) issue resolution is applied according to the determined severity of the problem.
For all Critical (severity 1) problems reported to Entrust's 24/7 helpdesk, support begins within one hour of being reported.
Questions or advice requests from the customer will be responded to in due course dependent on the information request during regular business hours Monday to Friday 9:00 to 17:00.
User can manage status and priority of support tickets
No
Phone support
Yes
Phone support availability
24 hours, 7 days a week
Web chat support
No
Onsite support
Yes, at extra cost
Support levels
Entrust has flexible support levels that can be tailored to the needs of the client. Response and corrective actions are defined based on the level of severity of the reported incidents. Our support staff are available by phone and email for reporting incidents and general inquiries. We also offer 24/7 support. Costs are dependent upon the Service Agreement; some services may be at additional cost as per SFIA. All new customers are assigned a Customer Success Manager who will provide proactive support and advice throughout the contract.
Support available to third parties
Yes

Onboarding and offboarding

Getting started
All new customers are assigned a Customer Success Manager who will provide proactive support and advice throughout the contract. Our architects ensure the appropriate solution is provisioned and maximised for workloads, along with a range of instructions and user guides. Training options combine instruction, workflow assessment, real-world examples and hands-on exercises so that users, trainers and system administrators walk away with the knowledge they need to impact operational results, accelerate adoption and lower software administration costs. Training options include onsite classroom style and virtual training sessions or combinations of both. The virtual options include: online tutorials, web-based sessions, telephone or regional training sessions. The smartphone app can optionally provide multi-lingual guidance to applicants on its use.
Service documentation
Yes
Documentation formats
  • HTML
  • ODF
  • PDF
End-of-contract data extraction
Entrust provides assistance in extracting the data in CSV or DB backup format.
End-of-contract process
There is no need for offboarding due to the IDVaaS service not retaining operational data.

Using the service

Web browser interface
Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
Application to install
Yes
Compatible operating systems
  • Android
  • iOS
Designed for use on mobile devices
Yes
Differences between the mobile and desktop service
IDVaaS has a mobile component for use by the public to verify identity. This can be supplemented by a web application if desired with seamless transition between them. The other desktop component is for use by the government agency to manage these applicants.
Service interface
No
User support accessibility
None or don’t know
API
Yes
What users can and can't do using the API
An alternative application process to using a mobile device can be provided. An API could be used to submit data to the Agency when used in conjunction with an access/bar code. The system can check the status of applicants after initial approval (given eTAs & eVisas are valid for a period of time) to see if at any point they have been revoked.
API documentation
Yes
API documentation formats
PDF
API sandbox or test environment
Yes
Customisation available
Yes
Description of customisation
IDVaaS has a flexible configuration. Users and administrators can configure many parts of their applications. For example, members of the public using the app can select from available languages, and DevOps staff set thresholds for photo matching and the volume of users to allow on the system.

Scaling

Independence of resources
Client is provided a dedicated instance with auto-scaling capability.

Analytics

Service usage metrics
Yes
Metrics types
Entrust applies many metrics to its product suites for IDV. These include, but are not limited to: the number of applications approved or failed and reasons, the number of submitted photos approved or failed and reasons, etc.
Reporting types
  • Regular reports
  • Reports on request

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Conforms to BS7858:2019
Government security clearance
Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Yes
Datacentre security standards
Supplier-defined controls
Penetration testing frequency
At least once a year
Penetration testing approach
‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Other
Other data at rest protection approach
Entrust encourages clients to select the option to protect their data using database encryption technologies where only we have the decryption key. In this way, our customers are assured that their data can never be accessed by a third party.
Data sanitisation process
Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
Entrust provides assistance in extracting the data in CSV or DB backup format.
Data export formats
CSV
Data import formats
Other
Other data import formats
DB backup files.

Data-in-transit protection

Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability
99% for the SaaS application, depending on infrastructure aspect.
Approach to resilience
The Business Continuity plan details the process followed in the case of an outage, from detection to deactivation. It's a three-phased approach: Activation and Notification Phase, Recovery Phase, and Reconstitution Phase. This approach ensures system recovery and reconstitution efforts in a methodical sequence, maximizing the effectiveness of the recovery and reconstitution efforts and minimizing system outage time due to errors and omissions.

A ubiquitous security control environment is maintained across all regions. Each data centre is built to physical, environmental, and security standards in an active-active configuration, employing an n+1 redundancy model, ensuring system availability in the event of component failure. Components (N) have at least one independent backup component. All data centres are online and serving traffic. In case of failure, there is sufficient capacity to enable traffic to be load-balanced to the remaining sites.

Customers are responsible for implementing contingency planning, training and testing for their systems. Customers have the capability to implement a robust continuity plan, including the utilization of frequent server instance back-ups, data redundancy replication, and the flexibility to place instances and store data within multiple geographic regions across multiple Availability Zones.
Outage reporting
All outage notifications will be reported to the identified client representative. Outages are identified as planned maintenance, emergency maintenance, and platform issues.

Identity and authentication

User authentication needed
Yes
User authentication
  • 2-factor authentication
  • Other
Other user authentication
Agency users are assigned a user ID. A two factor authentication process is put in place such as password and Time-based One-time Password Algorithm (TOTP).
Access restrictions in management interfaces and support channels
For Agency use - Access to software features is restricted by roles. These roles and access controls are defined by the client during the on-boarding process. For example, an administrator role will have much broader permissions across the system.
Access restriction testing frequency
At least once a year
Management access authentication
  • 2-factor authentication
  • Other
Description of management access authentication
Users are assigned a user ID. A two factor authentication process is put in place such as password and Time-based One-time Password Algorithm (TOTP).

Audit information for users

Access to user activity audit information
Users contact the support team to get audit information
How long user audit data is stored for
User-defined
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
User-defined
How long system logs are stored for
User-defined

Standards and certifications

ISO/IEC 27001 certification
Yes
Who accredited the ISO/IEC 27001
A-LIGN Compliance and Security, Inc.
ISO/IEC 27001 accreditation date
01/03/2022
What the ISO/IEC 27001 doesn’t cover
N/A.
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Cyber essentials
Yes
Cyber essentials plus
Yes
Other security certifications
No

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
ISO/IEC 27001
Information security policies and processes
Implemented: Formal, documented policies and procedures that provide guidance for operations and information security within the organisation. Policies address purpose, scope, roles, responsibilities and management commitment.

Employees maintain policies in a centralised and accessible location. Security Assurance is responsible for familiarizing employees with the security policies.

There are established information security functions that are aligned with defined structure, reporting lines, and responsibilities. Leadership involvement provides clear direction and visible support for security initiatives.

The output of Leadership reviews includes any decisions or actions related to:

• Improvement of the effectiveness of the ISMS.
• Update of the risk assessment and treatment plan.
• Modification of procedures and controls that affect information security to respond to internal or external events that may impact the ISMS.
• Resource needs.
• Improvement in how the effectiveness of controls is measured.

Policies are approved by leadership at least annually or following a significant change to the environment.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
We have documented configuration and change management policies and processes, which have been implemented, maintained and assessed in accordance with the guidance from ITIL v.3 and the current ISO 20000 standard. Formal configuration management activities, including record management and asset reporting, are monitored and validated constantly, and any identified discrepancies promptly escalated for investigation. A robust, established process for the formal submission of change requests is mandated prior to review and approval of the daily Change Advisory Board, which is attended by a quorum of operational and technical management personnel.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
Entrust conducts vulnerability assessments throughout the lifecycle. Our development process includes use of static code analysis to identify vulnerabilities introduced in source code and methods to remedy. We conduct penetration testing on our service platform along with tests to identify vulnerabilities and policy-violating configurations. Entrust also employs a number of tools in the production environments to automatically identify suspicious activities and components (e.g. operating systems) with available security patches. A process exists to alert the responsible parties in the event of a security incident. Entrust also monitors newsfeeds/vendor sites and the AWS security bulletin (https://aws.amazon.com/security/security-bulletins/) for security threat information.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
We deploy (pan-environmental) monitoring devices to collect information on unauthorized intrusion attempts, usage abuse, and network/application bandwidth usage. Devices monitor:
• Port scanning attacks
• Usage (CPU, processes, disk utilization, swap rates, software-error generated losses)
• Application metrics
• Unauthorized connection attempts

Near real-time alerts flag incidents, based on thresholds set by the Service/Security Team.

Requests to KMS are logged and visible via the account’s CloudTrail Amazon S3 bucket. Logs provide request information, identify the CMK under which each request was made, and identify the resource protected through use of that CMK. Log events are visible to customers after turning on CloudTrail in their account.
Incident management type
Supplier-defined controls
Incident management approach
We have a documented incident management policy and process, which have been implemented, maintained and assessed in accordance with the guidance from ITIL v.3 and ISO27001 standards. This activity is responsible for the progression of alerts generated by automated monitoring systems, issues identified by our personnel, and incidents identified and reported to us by our customers and partners. All incidents are promptly reported into a central ticketing system, which ensures that each is promptly assigned to an appropriate resource, and its progress tracked (and escalated, as required) to resolution.

Secure development

Approach to secure software development best practice
Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks
No

Social Value

  • Fighting climate change
  • Tackling economic inequality
  • Equal opportunity
  • Wellbeing

Fighting climate change

Environment – Our goal is to manage our manufacturing, warehousing, distribution, and office facilities to minimize ecological impact. Entrust maintains an ISO 14001 certification at its headquarters and principal manufacturing facility and is working to set organizational carbon reduction goals to achieve net zero carbon emissions by 2050. We also comply with important environmental measures such as REACH, RoHS, and Proposition 65 where applicable to our business.

Tackling economic inequality

Diversity, Equity and Inclusion – Entrust has established concrete goals to build a more diverse workplace and supplier base. We actively promote an inclusive and welcoming culture across our business through our Entrust Includes initiative and we look for suppliers that embrace similar values through our formalized supplier diversity program.

Equal opportunity

Diversity, Equity and Inclusion – Entrust has established concrete goals to build a more diverse workplace and supplier base. We actively promote an inclusive and welcoming culture across our business through our Entrust Includes initiative and we look for suppliers that embrace similar values through our formalized supplier diversity program.

Wellbeing

Diversity, Equity and Inclusion – Entrust has established concrete goals to build a more diverse workplace and supplier base. We actively promote an inclusive and welcoming culture across our business through our Entrust Includes initiative and we look for suppliers that embrace similar values through our formalized supplier diversity program.

Pricing

Price
£0.55 to £1.00 a transaction
Discount for educational organisations
No
Free trial available
No
