TrustID Identity Checking Service (GPG45 High Level of Confidence)

Service scope

Software add-on or extension: No
Cloud deployment model: Private cloud
Service constraints: Customers may submit documents for checking at any time. Documents which require manual review by an Analyst will be checked between 8am and midnight, 7 days a week, including public holidays. Checks to acheive a High Level of Confidence under the Digital schemes must be performed using a smartphone with a camera and will require NFC reading capability. TrustID has a daily window of 3am-6am to perform maintenance tasks. Expected usage of the window is normally once per week for 15 minutes.
System requirements: WiFi or 4G/5G mobile signal

User support

Email or online ticketing support: Email or online ticketing
Support response times: Document Helpdesk support SLA is 2 hours (8am-midnight), 7 days a week.

Technical support SLA is 2 hours during weekday business hours. Technical support is not provided at weekends.
User can manage status and priority of support tickets: No
Phone support: Yes
Phone support availability: 9 to 5 (UK time), 7 days a week
Web chat support: Web chat
Web chat support availability: 9 to 5 (UK time), 7 days a week
Web chat support accessibility standard: None or don’t know
How the web chat support is accessible: Web chat is accessible directly from the TrustID website. Webchat relies on text rather than sounds, images or colours. The text may be increased or decreased using zoom controls.
Webchat supports English language only.
Web chat accessibility testing: None specifically.
Onsite support: Yes, at extra cost
Support levels: Support is provided for:
Identity document queries.
Right to Work eligibility queries.
User account set up and password resets.
Service error reporting and suggestions.
Integration support (via API)

There are not normally any additional costs for remote support. Onsite support may be chargeable depending on the requirement.
Support available to third parties: Yes

Onboarding and offboarding

Getting started: No training required as the workflow is simple and includes wizards to guide users through the process.

Initially, we set up management user accounts (email address and name required) and send login details to the management users, along with a short get-started guide. Management users are then able to create and manage user accounts for their own users.
Service documentation: Yes
Documentation formats: PDF
End-of-contract data extraction: Users can download and extract their data at any point while it remains in our system. Data from submitted documents is automatically deleted 7 days after submission by default. Users can manually delete this at any point before the automatic deletion date.
End-of-contract process: Checks are sold on a per-document basis rather than a contract length basis. Users can no longer use the service to perform checks once all credits have been used. Additional credits can be purchased at any time.

Each document checked uses up a single credit, whether passed, failed or rejected.

Included in the service is the checking of the agreed quantity of documents and images to the agreed standard. The service also includes access to our Document Analyst team, which is available to provide support for individual document checks or general questions.
Account holders can have unlimited user accounts for users across their organisation.
Access to the API is included at no extra cost.

Using the service

Web browser interface: Yes
Supported browsers: Microsoft Edge

Firefox

Chrome

Safari
Application to install: Yes
Compatible operating systems: Android

IOS
Designed for use on mobile devices: Yes
Differences between the mobile and desktop service: The service can be accessed by the relying party on both desktop and mobile devices from a web browser, with no difference in functionality.

The website has been optimised for mobile.

The end user or data subject will need to use a mobile device to submit their data for review. In order to capture the data from a chip embedded in an identity document, the data subject will need to download the TrustID chip reading app, available from Google Play and iOS app stores.
Service interface: Yes
User support accessibility: WCAG 2.1 AA or EN 301 549
Description of service interface: The TrustID Cloud website is the service interface. All functions can be performed from the website:
Identity document submission
GuestLink creation
Review results
Manage Users
Run reports
Accessibility standards: WCAG 2.1 AA or EN 301 549
Accessibility testing: We have used Shaw Trust to perform an assessment of our user interface as follows:
The Shaw Trust Digital Assessment and Accreditation process is rigorous. Over 60 hours of accessibility testing by users with a disability goes into each and every accreditation. This is in addition to a stringent technical assessment by our digital auditors. All assessments are carried out in line with the Web Content Accessibility Guidelines (WCAG) 2.1 A and AA criteria.
API: Yes
What users can and can't do using the API: The API provides flexibility to integrate TrustID into other systems both to submit images and data, and to retrieve results of checks. There are a variety of routes available to achieve this, allowing you to implement the most appropriate flow for your desired journey. For example, our customers can use the API to create a GuestLink for data subjects to then submit their own data directly to TrustID. Note that the UKDIATF requirements mean that checks performed in support of the Digital Schemes require the GuestLink route as described above. Once documents have been checked, TrustID uses webhooks and callbacks to let you know that the documents have been checked, and enable you to retrieve documents, images, data and results for importing into your own platform. TrustID consultants can advise on the most appropriate method of integration and assist with the implementation and testing prior to going live.
API documentation: Yes
API documentation formats: HTML

Other
API sandbox or test environment: Yes
Customisation available: Yes
Description of customisation: The TrustID GuestLink may be customised in a variety of ways (requires TrustID to implement this for you):
1. Change default message in GuestLink email
2. Customise GuestLink email logo
3. Customise document selection wizard to ensure you're capturing the documents your organisation needs

Scaling

Independence of resources: Alerts are set for when loads reach a set threshold. TrustID's architecture ensures instant scalability to cope with spikes in demand.

TrustID monitors the capacity of the document analyst team and has a personnel responsible for ensuring sufficient capacity to cope with expected demands. We have the ability to add additional manpower at short notice to manage unanticipated increased demand.

Analytics

Service usage metrics: Yes
Metrics types: SPOC user can receive a monthly report via email. Report contains a breakdown of number of documents submitted by user in the past month and all time, as well as remaining credits.
A reporting tool is available on website to allow users with appropriate permissions to filter and run reports and export as CSV.
The remaining credits are also displayed on the web client at all times.
Reporting types: Real-time dashboards

Regular reports

Reports on request

Resellers

Supplier type: Not a reseller

Staff security

Staff security clearance: Other security clearance
Government security clearance: Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Knowledge of data storage and processing locations: Yes
Data storage and processing locations: United Kingdom

European Economic Area (EEA)
User control over data storage and processing locations: No
Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency: At least once a year
Penetration testing approach: ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest: Physical access control, complying with another standard

Encryption of all physical media
Data sanitisation process: Yes
Data sanitisation type: Deleted data can’t be directly accessed
Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach: Users receive results of their check directly on the web client. The results can then be downloaded as PDF.
Data can also be extracted using the API.
Data export formats: CSV

Other
Other data export formats: PDF

CSV - used to export metadata
Data import formats: Other
Other data import formats: PDF

JPEG

PNG

Data-in-transit protection

Data protection between buyer and supplier networks: TLS (version 1.2 or above)
Data protection within supplier network: TLS (version 1.2 or above)

IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability: The service is available for document submission at any time, with analysts performing any required manual review from 8am-midnight, 7 days a week. The service level is not guaranteed but systems and processes are in place to minimise the possibility of service levels not being met, including scalable Azure architecture, and a flexible workforce to deal with peaks and increases in demand.
Approach to resilience: TrustID uses Microsoft Azure and benefits from the security and resilience measures that Azure offers. In addition to the DR measures, TrustID takes full daily backups to provide points in time to restore back to in case of an incident.
Outage reporting: Planned outages are reported via email to account holders.

Identity and authentication

User authentication needed: Yes
User authentication: Username or password

Other
Other user authentication: 2-factor authentication available upon request
Access restrictions in management interfaces and support channels: Management interfaces are only accessible via a specific TrustID controlled user-interface. Access is restricted to TrustID personnel and protected by usernames/passwords and permission levels.
Access restriction testing frequency: At least every 6 months
Management access authentication: 2-factor authentication

Username or password

Other
Description of management access authentication: Access only via specific TrustID-software.

Audit information for users

Access to user activity audit information: Users contact the support team to get audit information
How long user audit data is stored for: Between 1 month and 6 months
Access to supplier activity audit information: Users contact the support team to get audit information
How long supplier audit data is stored for: Between 1 month and 6 months
How long system logs are stored for: Between 1 month and 6 months

Standards and certifications

ISO/IEC 27001 certification: Yes
Who accredited the ISO/IEC 27001: British Assessment Bureau
ISO/IEC 27001 accreditation date: 01/03/2024
What the ISO/IEC 27001 doesn’t cover: The Information Security Management System has been assessed and certified as meeting the requirements of ISO 27001:2013 for the following activities:
Solutions to validate identity, based on bespoke software and scanning technology - preventing fraud and providing organisations with confidence that they are complying with legislative and regulatory requirements - and the protection of the associated customer and corporate information from our head office in Reading to UK and International clients. This is in accordance with the Statement of Applicability Issue 2 dated January 2024.
ISO 28000:2007 certification: No
CSA STAR certification: No
PCI certification: No
Cyber essentials: Yes
Cyber essentials plus: Yes
Other security certifications: No

Security governance

Named board-level person responsible for service security: Yes
Security governance certified: Yes
Security governance standards: ISO/IEC 27001
Information security policies and processes: TrustID defines information security as the protection of the confidentiality, integrity and availability of information in order to ensure business continuity, minimise business risk and maximise return on investment and business opportunities.

An Information Security Manager is appointed, reporting to an Executive management team. Their responsibilities include:
• Ownership and management of the ISMS, including the information security objectives and their achievement
• Advising senior management of any additional resource requirements needed in support of the ISMS delivery
• Information security awareness and training of TrustID staff
• Maintaining links with external advisory groups and authorities e.g. law enforcement agencies, Information Commissioner’s Office.

Operational security

Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach: Configuration and change requirements are managed using a shared tracking tool which records the change, the impact, resolution and steps taken, before being signed off by the relevant department manager.
Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach: TrustID has a SIEM and a SOC to identify vulnerabilities, and ensures critical or high risk patches are deployed as soon as possible after identification, and always within 14 days.

Software code is checked daily using a static analyser tool to identify security vulnerabilities.

Independent penetration testing is performed at least annually.
Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach: TrustID has implemented a SIEM and SOC via a third party provider, providing 24/7 cover, logging events and monitoring for threats, and providing incident response.

Incidents are assessed and appropriate actions are assigned to advise affected parties and remedy the situation,

Incidents are responded to as soon as they are identified.
Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach: Users report incidents to the Information Security Manager via a tracking portal. The Information Security Manager determines the actions required to deal with the action request or assigns the ticket to the appropriate Owner, who sets a target date for completion.
The aim is to analyse the root cause of the problems reported, with a view to preventing recurrence.
Action owners report completion to the Information Security Manager by changing the state to ‘Finished’, before the Information Security Manager verifies that the actions have addressed the issue.

Secure development

Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks: No

Social Value

Fighting climate change

TrustID is committed to achieving Net Zero emissions by 2050 for emissions scope 1, 2 and outsourced Scope 3 operations. Achieving net zero means we will reduce the greenhouse gas emissions from our operations as far as possible and ensure overall we have no impact on greenhouse gases in the atmosphere.
We will be working with our suppliers to reduce our Scope 3 emissions towards having a positive impact in our supply chain. Our training and development schemes will include information on reducing our Scope 1 and 2 emissions through energy efficiencies such as heating and lighting management, and we will support our team members to use such knowledge and skills in saving energy and reducing emissions at home too.
We will continue to develop and review our Remote Working policy and explore options to help employees minimise travel requirements.
The commitment was made on 11th March 2024 by the approving Senior Management Team.

Pricing

Price: £2.50 to £4.00 a unit
Discount for educational organisations: No
Free trial available: Yes
Description of free trial: A free trial may be offered after an initial discussion, depending on requirements. A typical trial is for 10 units (known as credits), valid for 2 weeks.

TrustID Identity Checking Service (GPG45 High Level of Confidence)

Features

Benefits

Service documents

Framework

Service ID

Contact

Service scope

User support

Onboarding and offboarding

Using the service

Scaling

Analytics

Resellers

Staff security

Asset protection

Data importing and exporting

Data-in-transit protection

Availability and resilience

Identity and authentication

Audit information for users

Standards and certifications

Security governance

Operational security

Secure development

Public sector networks

Pricing

Service documents

Cookies on Digital Marketplace

TrustID Identity Checking Service (GPG45 High Level of Confidence)

Features

Benefits

Pricing

Service documents

Framework

Service ID

Contact

Service scope

User support

Onboarding and offboarding

Using the service

Scaling

Analytics

Resellers

Staff security

Asset protection

Data importing and exporting

Data-in-transit protection

Availability and resilience

Identity and authentication

Audit information for users

Standards and certifications

Security governance

Operational security

Secure development

Public sector networks

Social Value

Pricing

Service documents