TRUU LTD

Digital Staff Passport

Digital Staff Passport SaaS platform for organisations to issue and verify Verifiable Credentials with compatible digital wallets, including the Truu Mobile App. The platform supports employment checks, passwordless single sign-on, identity management, regulatory, membership and training records.
Compatible with NHS Digital Staff Passport and W3C Verifiable Credential standards.

Features

  • Remote pre-employment and identity checks of digital passport users
  • Real time update of valid credential schemas within the ecosystem.
  • Access and authentication into local systems with single sign-on
  • Digital transformation and service onboarding/offboarding services
  • Issue and verify verifiable credentials
  • Establish unique pairwise encrypted Decentralised Identifier connections to digital wallets
  • Customisable interfaces, credential schemas and personalised on-demand reports
  • Secure peer to peer messaging between organisations and individuals.
  • Interoperable with other digital identity systems and staff passports
  • Online training and implementation services

Benefits

  • Improve the process of certification, pre-employment and identity checks.
  • Trusted authentication of individuals in virtual and physical environments
  • Save time onboarding individuals into permanent and temporary roles
  • Reduce costs of onboarding individuals into permanent and temporary roles
  • Reduce administrative burden and resources for organisation administrators and individuals
  • Increase workforce movement through trusted and streamlined verification of individuals.
  • Increase trust in work, regulatory and membership checks.
  • Reduce liability for employing organisations and increase public safety.
  • Increase auditability and transparency
  • Improve staff retention and morale

Pricing

£30,000 to £100,000 a licence a year

  • Free trial available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at simon@truu.id. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 13

Service ID

647992043614538

Contact

TRUU LTD Simon Wickes
Telephone: 0330 220 6061
Email: simon@truu.id

Service scope

Software add-on or extension
Yes, but can also be used as a standalone service
What software services is the service an extension to
Our Digital Staff Passport integrates with the NHS Digital Staff Passport, IAM single sign-on, door access systems and clinical access management.
Cloud deployment model
Public cloud
Service constraints
There are no service constraints above the minimum system requirements.
System requirements
  • Public cloud instance
  • Instances should be secured by IAM and network security.
  • Minimum 1GB hard drive space with the ability to scale up.
  • Minimum 4GB RAM on the Service virtual machines
  • Minimum of 1.2 GHz processor
  • Access to creating virtual machines and databases.

User support

Email or online ticketing support
Email or online ticketing
Support response times
Standard support is provided during UK business hours, Monday to Friday. The first response time is within 4 hours for a question categorised as severity level 1 support, with a target resolution time of 8 hours. Response and resolution times extend for decreasing levels of severity. Questions raised during the weekend will be addressed on a Monday morning.
User can manage status and priority of support tickets
No
Phone support
Yes
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Web chat
Web chat support availability
9 to 5 (UK time), Monday to Friday
Web chat support accessibility standard
WCAG 2.1 AA or EN 301 549
Web chat accessibility testing
Not applicable as we use a third party solution integration.
Onsite support
Yes, at extra cost
Support levels
Standard support is included in the annual licence fee. Support is provided during UK Business Hours, Monday to Friday, with response times varying depending on the level of severity of the support request.

Premium Support options are available to purchase. The cost of Premium Support is dependent on the size and type of the organisation and the complexity and number of third party integrations with the Truu platform. Premium support provides 24x5 coverage for the most severe incidents and faster response times than Standard support. An account manager is allocated to a customer.
Support available to third parties
Yes

Onboarding and offboarding

Getting started
Truu uses a tested remote implementation methodology that ensures a safe transition from legacy processes to a smooth onboarding process for service users.

We provide user documentation, online training, digital walkthroughs and webinars to answer FAQs. On site training for administrators with refresher sessions available on request at extra cost.

We provide dedicated account managers who are available for remote support and trouble-shooting. On-site support will also be provided on request at extra cost.
Service documentation
Yes
Documentation formats
PDF
End-of-contract data extraction
The Enterprise Portal allows customers to extract their full data at any point during the contract by exporting a CSV file from the locally held database, which logs the content and details of credentials issued to and received from individuals. At the end of a contract, as part of the decommissioning schedule, the database CSV file will be exported including, but not limited to, populated details of contact cards, credentials issued and credentials received.
End-of-contract process
Upon receipt of a termination request or in advance of a non-renewal of the annual licence, we will agree a decommissioning schedule with the project sponsor. This schedule will include generating a CSV export of the database including, but not limited to, populated details of contact cards, credentials issued and credentials received. Upon receipt of the CSV, the customer shall remove all copies of Truu software from their systems.
Where block app purchases have been made, app users will be informed that they will be transitioned to a personal payment plan. The credentials held by them in their app will remain accessible.
Any further consultancy to make use of the CSV file in other customer systems will be at an additional cost.

Using the service

Web browser interface
Yes
Supported browsers
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
Application to install
No
Designed for use on mobile devices
Yes
Differences between the mobile and desktop service
The Truu Mobile App is for individuals to connect with organisations to undertake pre-employment and identity checks and single sign-on. The App enables storing, receiving and sharing of information with organisations in the form of verifiable credentials. The App is licensed to the individual and can be used across multiple organisations using the Enterprise Portal or compatible third-party software.

The Enterprise Portal is a webapp that enables organisations to connect with the App, undertake pre-employment and identity checks, authenticate access to physical and virtual resources, and issue credentials to employees or members for, but not limited to, training, membership, licences and single sign-on.
Service interface
Yes
User support accessibility
WCAG 2.1 AA or EN 301 549
Description of service interface
Using the app, individuals can connect with organisations, preview and accept issued credentials, view credentials in their wallet and share a choice of information with organisations.
Using the Enterprise Portal Webapp, Organisations can make connections with individuals and view them as contacts which can be filtered or organised as preferred, issue credentials and request information. Organisations can view and download existing schemas, as well as create and store their own. Users can access online support features and provide feedback that can be prioritised for agreed updates.
Accessibility standards
WCAG 2.1 AA or EN 301 549
Accessibility testing
The interfaces are tested for accessibility standards compliance across popular web browsers and digital devices. Tests have been designed with different age groups and abilities in mind, then conducted with a range of people with different needs. The interface is continuously being tested for UI and UX errors and improvements with opportunities for users to provide feedback.
API
Yes
What users can and can't do using the API
We provide a REST API that gives organisations the ability to transmit data for the purpose of populating credential schemas to issue certifications or verified information to employees or members. The API also allows organisations to export data from the verified information received by individuals into their local systems and databases if required.
The Truu technical team will configure the API for the client depending on the client’s requirement to issue and/or verify information. Administrators will need to go through an authentication client to access the API.
API documentation
Yes
API documentation formats
Open API (also known as Swagger)
API sandbox or test environment
Yes
Customisation available
Yes
Description of customisation
The Truu Enterprise Portal has elements that are customisable by the client. The Portal requires the client’s logo to be used as part of the Verifiable Credential process. Furthermore, the client can create custom local schemes for credential issuance and information requests that align specifically with the client’s requirements. The Truu team will help with customisation and configuration of these during the implementation process.
Additional customisation including colour schemes and client specific real-time reporting can be undertaken and priced using the SFIA rate card.

Scaling

Independence of resources
Every customer will have their own individual instance of the Enterprise Portal service deployed on their own public cloud instance. The Mobile App is downloaded by users and connections with Enterprise Portals are only used when a credential is issued or a request for information is sent. Therefore, demand by each customer will not be affected by the demand of other users in the ecosystem.
Truu's own services are monitored and server capacity can be expanded instantly with demand.

Analytics

Service usage metrics
Yes
Metrics types
- Access Logs
- Service log of all actionable items of the Portal
- Number of transactions, including issuing and verifying credentials
- Number of times the API is hit
Reporting types
  • Real-time dashboards
  • Reports on request

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Staff screening not performed
Government security clearance
Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Yes
Datacentre security standards
Managed by a third party
Penetration testing frequency
At least once a year
Penetration testing approach
‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest
Encryption of all physical media
Data sanitisation process
Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach
A third-party destruction service

Data importing and exporting

Data export approach
Users will have the ability to export their data from the local database provided as a part of the service hosted on their public cloud in CSV format.
Data export formats
CSV
Data import formats
CSV

Data-in-transit protection

Data protection between buyer and supplier networks
TLS (version 1.2 or above)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability
Truu operates a Support Services agreement, available on request, that provides metrics for the availability and support of the Truu Enterprise Portal. The Truu Mobile App does not have associated service level agreements.

Truu monitors service level metrics and calculates availability based on the percentage of time over a given Metrics Reporting Period the Truu Enterprise Portal is responding to messages sent to the API endpoint with either a 200 or 300 series response, and where the unavailability is not due to planned/scheduled maintenance or due to third parties.
A Service Level Credit is available where in a given month the service availability falls below 99.49%, at 5% of the period fees; between 95% and 90%, at 10% of the period fees; and at 15% for less than 90%.
Approach to resilience
We offer 99.5% uptime for all our customer facing services. Further information is available on request. The Enterprise Portal is deployed into a client public cloud. Typically these provide at least 99.9% network up-time and are subject to their own Service Level Agreement.
Outage reporting
We would provide email alerts to all affected users. Account managers provide support as required.

Identity and authentication

User authentication needed
Yes
User authentication
  • 2-factor authentication
  • Username or password
Access restrictions in management interfaces and support channels
Truu employs a full set of Role Based Access Controls (RBAC) and permissions for user accounts, with different access privileges for Truu staff, customer managers, and their administrators.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Username or password

Audit information for users

Access to user activity audit information
Users receive audit information on a regular basis
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users receive audit information on a regular basis
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
No
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Cyber essentials
Yes
Cyber essentials plus
Yes
Other security certifications
Yes
Any other security certifications
NHS Data Security and Protection Toolkit

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
No
Security governance approach
We are currently working towards ISO 27001 compliance and as such are following all the standards laid out for the certification. Truu is a registered data controller with the ICO, assessed as standards met for the NHS Data Security and Protection Toolkit and Cyber Essentials Plus certified.
Information security policies and processes
Security is at the heart of all of the work we do at Truu. Security by design is enforced across all of our services and service providers.

Truu is Cyber Essentials Plus certified which means all members of staff have 2 factor authentication, along with a high complexity password in order to access any of our platform tools. We are assessed to Standards Met for the NHS Data Security and Protection Toolkit and registered with the ICO.

We use role based access control to determine who has access to our cloud services, so only people who need access are able to make changes to those services. Each of our environments (staging, demo and production) is completely isolated from the others.
Truu maintains IS policies that include established procedures for breaches. Staff are encouraged to self-report any breaches of information security policies or to raise any concerns with the Chief Operating Officer. An investigation will then be opened to establish facts and escalated and dealt with appropriately with relevant actions to be taken. Once closed an incident report will be shared with relevant parties as part of our continued education and governance process.

Operational security

Configuration and change management standard
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach
Every alteration to code is peer reviewed during development and prior to release of an update.
Updates are QA tested by a separate team, including the potential security impact of the change.
All features are continually tracked from both a technical and operational perspective with feedback loops used to maintain quality of service.
Automated tooling ensures compliance with development standards and is enforced as part of our Continuous Integration and deployment pipelines.
Major changes use a Feature Flag system to allow code to be deployed and then activated on a per-organisation basis alongside the service updates, including training.
Vulnerability management type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach
Truu receives information of potential threats from Sentry and AWS. Threats are assessed by the security team. In response to the threat we write code, test the code to ensure a fix and then deploy the patch as soon as possible.
Protective monitoring type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach
Automated monitoring is in place at both infrastructure and application level, with alerts configured to detect unusual activity, errors or performance issues.

If issues are detected, technical resources are immediately prioritised for further investigation, patching, and prevention of the issue.

Data Breaches are logged with the ICO within 72 hours as per GDPR requirements.

Audits of logs are performed on an ongoing basis.
We are going through the process of obtaining formal certification.
Incident management type
Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach
Clients will notify us through support services. These are triaged and prioritised by our team. A response will be generated, and the incident will be dealt with aligned with the service and response level as outlined in our Support Services Addendum. Once the incident is deemed to be closed an incident report will be sent out via email.

Monitoring is built into our infrastructure. Any anomalies of traffic or unusual activities will be flagged and a member of our support team will be alerted with the details of the issue.
Breaches are logged with the ICO within 72 hours.

Secure development

Approach to secure software development best practice
Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks
No

Social Value

Fighting climate change

Truu’s Digital Staff Passport platform means that employees can complete their pre-employment and identity checks remotely, without the need to travel to workplaces and other organisations as well as negating the need for paper documents. This reduces carbon emissions due to travel as well as reducing the need for wasteful paper documents, their photocopying and storage, whilst still providing reliable, secure and trusted credentials.
Our modelling with the healthcare industry has determined that pre-employment checks for healthcare workers account for around 10.3m miles of travel, producing around 5,500 tonnes of CO2e per year. The ability to undertake these checks remotely and securely creates significant savings in carbon costs as well as reducing transport emissions including carbon monoxide, nitrogen oxides, sulphur dioxide.

These checks also produce 1.92m pieces of paper, or 9.6 tonnes per year from photocopying. This does not include the original paper documentation, which has a carbon footprint 1024 times greater than its digital equivalent. For comparison, the entire global population identity data can be stored in less than 100TB which has an energy cost of c. 800kWh per year to store, which is around 7% of the energy costs of an average family home.

Our Digital Staff Passport eradicates the need for unnecessary travel and dependence on paper-based identity, qualification and training checks.
Covid-19 recovery

Truu’s Digital Staff Passports support the new ways of working that are emerging as part of the COVID-19 recovery. The move towards remote or hybrid working means that workers have expectations for reduced travelling. Digital Staff Passports enable an extension of this by removing the requirement for individuals to complete pre-employment and identity checks in person while still retaining high levels of assurance in their documentation. This approach enables checks to be completed remotely. In addition, the passports support remote working through the passwordless single sign-on facility that adds additional layers of security to existing sign-on processes and the ability to use DID-encrypted connections for secure communications.
Tackling economic inequality

Truu is an SME with a focus on digital staff passports using next generation technology that enables a trust layer on the internet, part of the principles of Web 3.0. We are supporting the implementation of disruptive technology to revolutionise how personal information is shared and trusted. The media is awash with large businesses being frivolous with personal data either in its sharing or breaches, despite GDPR. The answer is self-sovereign identity: placing the individual in control of their data as it was in the pre-digital age. Web 1.0 and 2.0 have promoted centralised data stores of personal data through companies such as Facebook, Google, Amazon and Microsoft, where individuals’ data is not under their control. Our Digital Staff Passport redresses this inequality by enabling individuals to hold and consent to sharing of their personal data. This approach empowers the individual, moving away from a model where big business is responsible for hosting data as well as delivering this approach at lower cost and more efficiently than existing traditional methods of employment checks. Our platform manages the inherent cyber security risks of data transportation through real point-to-point encryption based on pairwise encrypted connections that are unique between any two given parties.

Our approach is founded on a worldwide initiative to create a digital trust layer that enables direct connections between parties. Through this initiative, we have an open approach to collaboration in terms of selecting best-of-breed suppliers and promoting interoperability across the industry to create the best experiences for buyers, organisations and individuals. For example, the platform already interoper
Equal opportunity

Truu’s Digital Staff Passport enables secure, remote identity and pre-employment checks to be conducted without the need for individuals to travel to the new place of work in advance of their employment. This application supports its utility by disabled people in reducing dependence on unnecessary travel, thus reducing the disability employment gap. Our services support international movement of staff, significantly reducing the time to start employment, and enhancing social mobility. Our work with the World Justice Forum has evaluated the applicability of digital passports in refugee camps in Bangladesh enabling the use of verifiable credentials in support of refugees without paper documents.

The platform reduces the demand for keeping track of paperwork to support job applicants and ensuring documents remain current. This further supports a workforce who have mental impairments and have trouble maintaining order, remembering and tracking paperwork.
Wellbeing

Our passport provides a single place where all the credentials are held digitally, reducing this administrative stress. For some professions, individuals are required to take the documents in person to their new employer often leading them to either have to take a day off work or fit it into their busy schedules. This is a poor use of employee and HR staff time and not having adequate rest and recuperation has been shown to have a detrimental effect on mental health. Our platform enables checks to be conducted remotely and securely, in some cases reducing onboarding time from 2 months to 2 minutes. This means the individual does not have to travel to new employers and yet checks can be undertaken to the same high standards as a paper-based procedure and importantly not overburdening the individual.

Our platform has been co-designed with users to ensure it meets their requirements. From the outset, our Service Designer has worked alongside users to understand, build and test the user experience, flows and data requirements to meet their needs. We are firm believers in co-design as we have learnt from the implementation of large IT projects that have struggled with adoption due to a lack of usability and user engagement.

Pricing

Price
£30,000 to £100,000 a licence a year
Discount for educational organisations
No
Free trial available
Yes
Description of free trial
The Trial Option is for a pre-agreed limited time to evaluate the platform. It will be hosted in a Truu cloud environment with dedicated organisation logins. The evaluation version enables core functionality of the platform to be tested. The credentials database is erased upon trial expiry.
