Melissa Data Ltd

ID Document Scan & Biometric check

Mobile Service that runs advanced scans against UK & Global ID documents: Passport; Driver Licence; National ID etc, to ensure a person's identity is thoroughly authenticated and verified. Verification checks combine Facial Matching, Liveness Test, Pattern Match, Data Crosscheck, and MRZ uplift, for efficient onboarding and protection from fraudulent identities.

Features

• Verify ID documents are real and unaltered
• Capture information from ID documents
• Real time verification of users / customers (KYC)
• Perform Biometric validation of an individual
• Confirm 'proof of life' with active & passive detection
• Cross check live facial image to stored ID image
• Simple SDK to embed into any service platform
• Machine Readable Zone (MRZ) data capture
• 2-click app download for easy end-user document uploads
• Generate Customer Due Diligence reports

Benefits

• Capture, check and verify a persons Identity
• Check UK & Global ID documenets: Passport; Drivers licence etc
• Authenticate who an individual is, Know Your Customer (KYC)
• Improve user experience of online services (On-Boarding)
• Conform to compliance regulations
• Protect organisations from fraud, enhance online security
• Quick deployment option - hours not weeks
• Meet KYC, AML and Customer Due Diligence requirements
• Automatic capture of ID document MRZ data
• Integrates with android, iOS and PC systems

£0.50 to £2.75 a unit

• Education pricing available
• Free trial available

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at info.uk@melissa.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

811447311758537

Contact

Barley Laing
020 7718 0070
info.uk@melissa.com

Service scope

• Software add-on or extension: No
• Cloud deployment model:
  • Public cloud
  • Private cloud
  • Hybrid cloud
• Service constraints: No constraints with correct licencing
• System requirements:
  • Licenced dependent on use case
  • Ideal for Mobile apps
  • Pre formed 'out of the box' - ready to go

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Response times are within 3 hours during week days, and by 12 noon for the following work day after a weekend.
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: Web chat
• Web chat support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support accessibility standard: None or don’t know
• How the web chat support is accessible: Our web chat enables customers/users to communicate with Melissa representatives in real time via a web link. Typically this is through text in a pop-up window, with audio prompts.
• Web chat accessibility testing: N/A
• Onsite support: Onsite support
• Support levels: Standard support is 20 hrs a day Mon to Fri. This can be via email, phone or webex. This support is provided for free for the lifetime of the service licence, and includes service training and integration assistance. Standard support is based on a ticketed system and accesses all of our global support agents. ; SLA's - tailored support packages are available. These vary depending on requirement but can provide response times of within 3 hours 24/7, with named technical support engineers in a tiered escalation process. SLA costs are based on the individual requirements for uptime and support levels.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: Full service start up guidance is available through our technical documentation; sample code; service URLs; FAQs etc. ; ; Training can be delivered: Onsite, Telephone, Online webex, and Email.
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
• End-of-contract data extraction: This is clarified at the beginning of individual contracts, and is covered in our service Licence and T&C's, Melissa Data conform to the relevant regulations and procedures.
• End-of-contract process: Contracts & T/C's detail the period for which a service is licenced and how it can be used. ; ; Licencee's can renew at the end of the agreed initial licence, or stop licencing the service without penalty - as long as no agreed conditions or contractual arrangements have been breached.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: Yes
• Compatible operating systems:
  • Android
  • IOS
  • Linux or Unix
  • MacOS
  • Windows
  • Windows Phone
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: Services can be delivered to any screen size resolution
• Service interface: Yes
• User support accessibility: None or don’t know
• Description of service interface: There is a web portal (for the organisation or service provider) and app (for the end user / customer) that creates a simple and effective system for capturing, verifying and storing customer identity documents and information.
• Accessibility standards: None or don’t know
• Description of accessibility: Use of system is via connected devices
• Accessibility testing: N/A
• API: Yes
• What users can and can't do using the API: Users can consume the service through a simplified SDK and as such it can be integrated in an organisations platform.
• API documentation: Yes
• API documentation formats:
  • Open API (also known as Swagger)
  • HTML
  • PDF
• API sandbox or test environment: Yes
• Customisation available: Yes
• Description of customisation: The format and integration of the service can be defined to some extent by the licence holder, this will need to be explored through the service definition stage of engagement

Scaling

• Independence of resources: The service feature a clustered approach so incoming requests are equally distributed on many nodes ensuring consistency and failover. Service monitors have On-Demand instances ready to spin up at a moment's notice in response to load. Globally distributed DNS architecture means there aren't any single points of failure.

Analytics

• Service usage metrics: Yes
• Metrics types: A count of transactions and the date submitted is kept. SNMP metrics, Server metrics and network protocol metrics are also kept for a six month duration.
• Reporting types: Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Conforms to BS7858:2019
• Government security clearance: None

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations:
  • United Kingdom
  • European Economic Area (EEA)
• User control over data storage and processing locations: Yes
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least every 6 months
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest: Encryption of all physical media
• Data sanitisation process: Yes
• Data sanitisation type: Deleted data can’t be directly accessed
• Equipment disposal approach: In-house destruction process

Data importing and exporting

• Data export approach: The service requires data to be sent using the mobile application
• Data export formats: Other
• Other data export formats: Scanned data
• Data import formats: Other
• Other data import formats: Scans

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: Services will be available during each calendar quarter at least 99.9% of the time, measured inside Melissa Data’s data centers. The measurement will be in 5 minute intervals, with each 5 minute interval of downtime counting as 3.5% (5/(60 * 24)) of the downtime for the day. The system is designed for full availability during routine maintenance.
• Approach to resilience: The Melissa Data cloud is running Windows servers using Network Load Balancing cluster technology in multiple geographically distributed commercial data centre locations. DNS Load balancing and web service health monitoring are enabled so unhealthy servers are removed from rotation automatically. All incoming requests are sent immediately to available servers in the cluster. Melissa Data provides monitoring and real time testing of all servers, so that any problems will be flagged and technicians notified. This design eliminates single points of failure and helps ensure high availability for critical systems.
• Outage reporting: Outages are reported via Email Alerts.

Identity and authentication

• User authentication needed: Yes
• User authentication: 2-factor authentication
• Access restrictions in management interfaces and support channels: Staff accesses the production system through directly attached terminals, secure VPNs. Multi-factor authentication is used for staff when accessing production systems. Callers for support will need to provide an encrypted license key or have an email requesting support from an authorized person in the authorized distribution group for the requesting company.
• Access restriction testing frequency: At least every 6 months
• Management access authentication: 2-factor authentication

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: Between 6 months and 12 months
• Access to supplier activity audit information: You control when users can access audit information
• How long supplier audit data is stored for: Between 6 months and 12 months
• How long system logs are stored for: Between 6 months and 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: Certification Europe Ltd
• ISO/IEC 27001 accreditation date: 02/06/2020
• What the ISO/IEC 27001 doesn’t cover: N/A
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: Yes
• Who accredited the PCI DSS certification: Beyond Security
• PCI DSS accreditation date: 14/01/2024
• What the PCI DSS doesn’t cover: Melissa can attest to testing web service endpoints with the PCI-DSS standard penetration tests, however Melissa does not send or receive financial information.
• Cyber essentials: No
• Cyber essentials plus: No
• Other security certifications: Yes
• Any other security certifications:
  • SOC 2 Type 1 & 2
  • HITECH

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: Other
• Other security governance standards: SSAE16, SOC 2, PCI DSS, HITECH
• Information security policies and processes: A. It is the policy of MELISSA that information, as defined hereinafter, in all its forms--written, spoken, recorded electronically or printed--will be protected from accidental or intentional unauthorized modification, destruction or disclosure throughout its life cycle. This protection includes an appropriate level of security over the equipment and software used to process, store, and transmit that information. B. All policies and procedures must be documented and made available to individuals responsible for their implementation and compliance. All activities identified by the policies and procedures must also be documented. Policies will be periodically reviewed for appropriateness and currency at least semi annually. C. At each department and/or department level, additional policies, standards and procedures will be developed detailing the implementation of this policy and set of standards, and addressing any additional information systems functionality in such department. All departmental policies must be consistent with this policy. All systems implemented after the effective date of these policies are expected to comply with the provisions of this policy where possible. At each department level periodic reporting will be made of adherence to policy to the Information Security Officer.

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: Web Service compatibility is maintained throughout the lifetime of the service. New versions are periodically rolled out but any deprecated elements are maintained to support existing client code. Changes are communicated well in advance and new URLs are sent out to facilitate a gradual migration to new service endpoints. All planned releases follow a security testing model that is OWASP compliant to ensure security.
• Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Vulnerability management approach: Periodic training is conducted to keep all information security personnel up to date with security bulletins and vendor patches. All services are tested using the OWASP framework to ensure security guidelines are followed. Patches are deployed on a monthly basis, however, they could be applied in a day or two after release depending on severity. Information security personnel are briefed by enterprise vendors for equipment and antivirus software and stay informed using Open Threat Exchange, and other security professional sources.
• Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Protective monitoring approach: Periodic training is conducted to keep all information security personnel up to date with security bulletins and vendor patches. All services are tested using the OWASP framework to ensure security guidelines are followed. Patches are deployed on a monthly basis, however, they could be applied in a day or two after release depending on severity. Information security personnel are briefed by enterprise vendors for equipment and antivirus software and stay informed using Open Threat Exchange, and other security professional sources.
• Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
• Incident management approach: Logging and audit trails are kept at every level and are reviewed continuously by company personnel. Users can report incidents directly to the IT staff and reports on outages and or intrusions will be sent out via a special web service bulletin email when a security breach is detected and when the postmortem is generated and the remedies identified.

Secure development

• Approach to secure software development best practice: Conforms to a recognised standard, but self-assessed

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  Equal opportunity

  Equal opportunity

  Being able to prove your identity enables access to broader opportunities and services

Pricing

• Price: £0.50 to £2.75 a unit
• Discount for educational organisations: Yes
• Free trial available: Yes
• Description of free trial: Access for service testing (some limits on response outputs depending on application requirements)
• Link to free trial: http://bit.ly/doc-scan-bio

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at info.uk@melissa.com. Tell them what format you need. It will help if you say what assistive technology you use.