ECOSPEND TECHNOLOGIES LIMITED

Open Banking Payments and Data Services

Ecospend, a Trustly company, caters to diverse industries, sectors and prestigious brands. Ecospend provides standardised and customisable products including Payment Initiation Services (PIS) and Account Information Services (AIS) including value-add data services boasting unparalleled expertise, especially in delivering tailored open banking solutions for the Public Sector.

Features

• Account to Account payments
• Bulk Account to Account payments
• Real time bank account authenticity assessment
• Identity verification via open banking
• Affordability and eligibility assessments
• Fraud prevention solutions
• Financial transaction data categorisation
• Reporting and dashboard
• White label and API-only solutions
• Available via multiple channels for end user benefit

Benefits

• Enhanced user experience, enabled by automated population of data
• Reduced processing costs
• Reduced overheads due to automated and accurate reconciliation
• Efficient decisioning enabled by automated and accurate financial data collection
• Fraud mitigation
• Coverage of personal, business and corporate bank accounts
• Immediate settlement for payments
• Reduced overheads due to back office automation (AIS)
• Improved accuracy and mitigation of human error

£0.20 a unit

• Free trial available

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at greta.akintoye@trustly.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

733108351970266

Contact

Greta Akintoye
+447586681287
greta.akintoye@trustly.com

Service scope

• Software add-on or extension: Yes, but can also be used as a standalone service
• What software services is the service an extension to: Our payments service can be integrated into your existing e-commerce journey, telephone payments, chatbot, physical correspondence etc. ; ; Our data services can be integrated into your existing processes and/or systems for eligibility, affordability and fraud prevention/mitigation etc.
• Cloud deployment model: Public cloud
• Service constraints: Our 24/7/365 services remain uninterrupted since inception, ensuring stable, reliable and scalable operation for our clients. Regular scheduled maintenance ensures stability, continuous improvement, and innovation in line with evolving open banking standards. Our clients receive prior notification of any planned downtimes, strategically scheduled for minimal disruption wherever possible. While some issues in the open banking ecosystem are beyond our control (e.g. bank API failures), proactive end-to-end monitoring and swift intervention ensures that any negative impacts on user and merchant experience are mitigated as much as possible.
• System requirements: N/A

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Our standard SLAs are covered in our standard contract. These SLAs are designed to prioritise proactive issue resolution and prompt client communication. We endeavour to tackle issues proactively and promptly notify clients upon their identification. Our SLAs can be customised to align with the unique requirements of each client. We recognise that different issues may have varying levels of priority and impact, and therefore, our SLAs incorporate different response times to ensure efficient resolution based on the severity of the issue.
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: WCAG 2.1 AA or EN 301 549
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: No
• Support levels: Ecospend has developed a varied and experienced team since its launch in 2017, drawing on multi-disciplinary executives spanning technology support, technology development, account management from the Financial Services and Payments Industries. We are dedicated to fostering successful partnerships by providing dedicated account management resources who are supported by our in-house technical teams. Our commitment to excellence extends beyond the initial engagement, as we believe in nurturing relationships for long-term success. Through our dedicated account management team, we offer personalised support and guidance tailored to the unique needs of each partnership. This ensures that our clients receive the attention and assistance necessary to achieve their objectives and maximise the value of our collaboration.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: We believe in facilitating a seamless transition for clients as they start using our service. Our approach is hands-on and supportive, ensuring that every step of the onboarding process is smooth and efficient. Our dedicated technical team is readily available to provide guidance and assistance, whether it's resolving technical queries or offering strategic advice. Clients have access to our team throughout the onboarding journey, allowing for real-time support and troubleshooting as needed.; ; In addition to our hands-on support, we provide comprehensive guidance documents that are publicly available. These documents serve as valuable resources for users, offering detailed instructions, best practices, and troubleshooting tips. You can access our onboarding guide https://docs.ecospend.com/new/guides.html#merchantOnboardingIntro. They empower clients to explore our service at their own pace and address any questions or challenges they may encounter.; ; Whether it's through direct interaction with our technical team or through self-service resources, our goal is to ensure that users feel supported and confident as they begin using our service. We are committed to providing the necessary tools and assistance to help users unlock the full potential of our platform.
• Service documentation: Yes
• Documentation formats: HTML
• End-of-contract data extraction: The migration and timing for switching off the service will be agreed with the client in order to ensure no disruption. There will also be a clear transfer/demobilisation plan in place with the client. ; ; All data stored by Ecospend as part of the services, from management data to transaction data, will be deleted or transferred to the new supplier in line with the timeframes and requirements agreed with the client as part of the exit management plan.; ; Any physical copies of data, management reports, etc will be returned to the buyer or destroyed. Only data required to be kept by Ecospend as part of any legal, financial or regulatory requirements will be kept by the Supplier as part of those obligations.
• End-of-contract process: Ecospend will agree a comprehensive exit management plan with the client, prioritising uninterrupted operations and compliance with individual requirements of the client.; ; Our plan will outline a collaborative approach, emphasising joint working groups with key stakeholders from both Ecospend and the client, ensuring alignment and efficiency throughout the exit process.; ; Critical steps include assessing ongoing work progress, documenting records, finalising financial matters, and maintaining regular communication through business-as-usual and exit plan meetings.; ; Ecospend will commit to providing uninterrupted services until the agreed-upon end date, adhering to all Key Performance Indicators (KPIs) and Service Level Agreements (SLAs), and supporting a seamless transition to any new supplier (if appropriate).; ; Our will feature plan features structured schedules for meetings, demobilisation timelines, risk management, action logging, and asset tracking to ensure systematic proceedings.; ; Additionally, as part of annual review meetings with the client's joint working group we will evaluate the plan's effectiveness and make necessary updates collaboratively.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: The consumers are able to initiate a payment and/or complete their consent journey in a number of ways depending on their preference:; - by using their mobile phone (mobile journey via their mobile banking app, authentication using biometrics); or; - online (Web journey) which will require the consumers to log in to their online banking using their online banking credentials; or ; - start the journey on the Web, go through the payment initiation / consent journey using their mobile and go back to the client's Web page to complete the engagement (de-coupled journey).
• Service interface: Yes
• User support accessibility: WCAG 2.1 AA or EN 301 549
• Description of service interface: Our Management Console serves as a value-adding tool for our clients, offering a range of functionalities including reporting, configurations, user management, and dashboard access. Designed with clarity and efficiency in mind, it provides a clear breakdown of transactions and other key metrics, empowering our clients with actionable insights to make informed decisions. Whether it's tracking performance, managing users, or configuring settings, our Management Console delivers a seamless experience tailored to meet the diverse needs of our clients.
• Accessibility standards: WCAG 2.1 AA or EN 301 549
• Accessibility testing: We have tested our service with the following assistive technology:; ● JAWS ; ● NVDA; ● VoiceOver (MacOS and iOS); ● ZoomText and Fusion; ● Native magnifier ; ● Voice Control for Mac or iOS; ● Native OS features (high contrast mode)
• API: Yes
• What users can and can't do using the API: Ecospend provides its Open Banking services via RESTful APIs in line with open banking standards. A merchant first authenticates to our API services using a client_id and client_secret. They then receive an access_token to be used for the subsequent services. A detailed flow of the process is provided at: https://docs.ecospend.com/new/guides.html#pisInstantPayment; ; Our APIs are implemented in accordance with OAS 3.0.
• API documentation: Yes
• API documentation formats:
  • Open API (also known as Swagger)
  • HTML
  • PDF
• API sandbox or test environment: Yes
• Customisation available: Yes
• Description of customisation: Our white label products offer customisation options to align with the merchant's branding. Clients can tailor the bank list and send payment/data links via SMS and/or email. Additionally, we provide a pure API option, granting clients full control over the look and feel of the solution, ensuring complete alignment with their brand identity and user experience preferences.

Scaling

• Independence of resources: Our system is engineered for autonomous scalability and adept management of fluctuating volumes. Key components of this design include:; ; - Leveraging the substantial transaction volumes processed daily to establish a robust data feedback loop. This enables continuous performance optimisation and proactive issue identification.; ; - Employing an automatic scale-up and scale-down architecture for maximum efficiency.; ; - Regular assessment of clients' evolving requirements, facilitating system configurations tailored to enhance performance and resource utilisation.; ; - Implementation of a comprehensive monitoring system with alert mechanisms. This proactive approach allows for early issue detection and timely intervention to prevent escalation.

Analytics

• Service usage metrics: Yes
• Metrics types: Comprehensive reporting is available via our Management Console. This includes, but is not limited to:; - Service availability; - API connection status; - API call volumes / values (where appropriate); - System monitoring, such as latency; - Error rates; ; We can customise reporting suite based on individual requirements.
• Reporting types:
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Security Clearance (SC)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations:
  • United Kingdom
  • European Economic Area (EEA)
• User control over data storage and processing locations: Yes
• Datacentre security standards: Managed by a third party
• Penetration testing frequency: At least once a year
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest:
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
  • Other
• Other data at rest protection approach: We make use of application level data encryption where PII data is encrypted in memory before being written on the database.
• Data sanitisation process: Yes
• Data sanitisation type: Explicit overwriting of storage before reallocation
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: The users can export the data in different file formats (CSV, Excel, JSON).
• Data export formats:
  • CSV
  • Other
• Other data export formats: JSON
• Data import formats: CSV

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • Other
• Other protection within supplier network: Mutual TLS

Availability and resilience

• Guaranteed availability: Our service aims to ensure 24/7/365(366) availability with an uptime of 99.9%, while SLAs can be tailored to meet the specific requirements of our customers.
• Approach to resilience: This is available on request.
• Outage reporting: Whilst we have not experienced any outages of our system since inception, we have deployed a multi-faceted approach to report outages promptly. Our service offers several channels for outage notifications, including API endpoints for automated monitoring, email alerts sent directly to relevant stakeholders, announcements via our platform, and visibility through our management console dashboard. This comprehensive system ensures that our clients are promptly informed of any disruptions, enabling swift response and resolution.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
  • Other
• Other user authentication: End customers authenticate themselves using Strong Customer Authentication in line with industry standard; ; Merchants use unique client credentials to access our environment, e.g. management console.
• Access restrictions in management interfaces and support channels: We enforce access restrictions in our management interfaces and support channels through measures such as IP address restrictions and the implementation of 2-factor authentication for accessing the management console.
• Access restriction testing frequency: At least once a year
• Management access authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Username or password

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: BSI
• ISO/IEC 27001 accreditation date: TBC
• What the ISO/IEC 27001 doesn’t cover: N/A
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: No
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards:
  • ISO/IEC 27001
  • Other
• Other security governance standards: Cyber Essentials
• Information security policies and processes: At Ecospend, our commitment to data protection extends beyond implementation to ongoing evaluation and improvement of our technical measures:; ; - Annual Evaluation of Data Protection Impact Assessments (DPIAs): Our dedication to maintaining the highest standards of data protection is demonstrated through the annual evaluation of Data Protection Impact Assessments (DPIAs). This systematic review ensures that our data processing activities are continually assessed for compliance, effectiveness, and alignment with evolving regulatory standards. By conducting these evaluations on a regular basis, we demonstrate a proactive commitment to identifying and mitigating potential risks associated with our projects.; - Regular Testing of Technical Measures: Ecospend prioritises the reliability and effectiveness of our technical measures by subjecting them to regular testing. Our Quality Assurance (QA) team conducts thorough assessments whenever changes are made to the system. This rigorous testing process ensures that any updates or modifications to our systems do not compromise the integrity, confidentiality, or availability of personal data. It serves as a proactive measure to identify and rectify any potential vulnerabilities or issues, contributing to a robust and secure data processing environment.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: Change requests are logged on the project board for assessment. The security, performance, and usability impact of changes are evaluated at various stages of the Software Development Lifecycle (SDLC) by designated teams:; ; Security and Architecture: Pre-design and design phases.; Product Management: Requirement and production phases.; Software Development: Design and development phases.; Quality Assurance Team: Testing phase.; ; Each team documents their evaluation and approves their respective stage. Our SDLC allows tracking of changes through 'Work Items' managed by these teams. Additionally, the delivery of changes to product environments is traced via recorded CI/CD steps linked to these 'work items'.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: We are ISO 27001 certified and therefore, our vulnerability management process is aligned with those requirements.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: We are ISO 27001 certified and therefore, our protective monitoring processes are aligned with those requirements.
• Incident management type: Supplier-defined controls
• Incident management approach: We are ISO 27001 certified and therefore, our incident management process is aligned with those requirements.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  Tackling economic inequality

  Tackling economic inequality

  At Ecospend, we are not merely content with being innovators in financial technology. We aspire to be pioneers, trailblazers who lead not only in delivering cutting-edge solutions for the public sector but also in making a tangible positive difference in the communities we serve.; Our vision is rooted in a profound sense of purpose, a belief that our success is intrinsically linked to the well-being and prosperity of those around us. We understand that true innovation is not just about disrupting industries; it is about creating value that extends far beyond boardrooms and balance sheets.; ; Our contributions to social responsibility initiatives will be proportional to the size and maturity of our business. In addition to our organisational objectives of effecting positive change, we are dedicated to optimising value for our clients while adhering to the specific Social Value requirements. We understand that government priorities may evolve over time. Therefore, we propose a collaborative approach, working closely with each client throughout the duration of the contract to periodically review our Social Value initiatives. This will ensure that our deliverables will remain responsive to any shifts in priorities, thereby maximising their effectiveness and alignment with clients' evolving objectives.; We will commit to delivering relevant and proportionate Social Value outcomes which may cover the following areas:; - creation of new jobs and skills, e.g apprenticeships;; - financial education covering budgeting, saving, debt and investment; and; - volunteering at relevant charities.; ; This will be discussed and agreed with each client on a case by case basis.

Pricing

• Price: £0.20 a unit
• Discount for educational organisations: No
• Free trial available: Yes
• Description of free trial: Trials, pilots, and proof of concepts are evaluated on a case-by-case basis. Nevertheless, we offer complimentary access to our Sandbox environment.

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at greta.akintoye@trustly.com. Tell them what format you need. It will help if you say what assistive technology you use.