Nuggets Ltd

Nuggets Verified Self-Sovereign Decentralised Super Wallet & Payment

Nuggets is a global verified self-sovereign decentralised identity payment platform, certified to the UK Digital Identity and Attributes Trust Framework, GPG 45 and 44, eIDAS, and GDPR. Nuggets merges payments with identity, which means you can trust each and every payment transaction without the fraud or the friction.

Features

  • Multi-rail payments - customers can pay anywhere, physically or virtually
  • Various payment methods, including credit, debit and direct bank payments
  • Strong Customer Authentication: transactions are tied to a verified identity
  • No need for one-time passcodes or 2FA
  • Trusted Transactions: identities are verified on both sides, ensuring trust
  • Privacy by design: encryption, zero-knowledge proofs and blockchain ensure cryptographic proof
  • Zero Trust on anything, anywhere, on any network
  • KYC and AML without holding PII data
  • W3C Verifiable Credentials, enabling global, private and secure interoperability
  • Minimise regulatory and reputational risks; comply with PCI DSS and PSD2

Benefits

  • Individuals and Businesses can pay and authenticate using biometrics
  • No usernames or passwords – at any level
  • No need to store or pass payment details
  • Simple, powerful and frictionless user experiences across all devices
  • Reduced cybercrime, with privacy and security assured
  • Increased operational efficiency
  • Users own and control their data for services and applications
  • Works alongside existing payment, IAM and CRM Solutions
  • Secure, quick, easy integration and white labeling
  • Global and cross-platform - Android, iOS, Mobile and Desktop

Pricing

£0.10 to £0.20 a unit

  • Education pricing available
  • Free trial available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at seema@nuggets.life. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 13

Service ID

936037473390528

Contact

Nuggets Ltd
Seema Khinda Johnson
Telephone: 020 3287 4375
Email: seema@nuggets.life

Service scope

Software add-on or extension
No
Cloud deployment model
Public cloud
Service constraints
No.
In order to use the verified identity service users need to download the free Nuggets app and create their verified digital identity. This one-time process only takes a few minutes, and consists of a user verifying their biometrics, uploading a government issued ID (eg Passport or Driving Licence) and completing a liveness check. Once their ID is verified their account will be created and they are ready to start using the platform. Nuggets requires connectivity to the internet and a device, such as any modern smartphone.
System requirements
  • Nuggets supports iOS 10 and later software
  • Nuggets supports Apple iPhone 5 and later
  • Nuggets supports Android 5.0 and later software
  • Requires an internet connection

User support

Email or online ticketing support
Email or online ticketing
Support response times
We respond to questions within 30 minutes during business hours. Outside of business hours our response time is 60 minutes.

Our business hours are as follows:
Mon - Fri 9am - 6pm
Sat - Sun 12pm - 9pm
User can manage status and priority of support tickets
No
Phone support
No
Web chat support
No
Onsite support
Yes, at extra cost
Support levels
We offer support throughout the onboarding process and then continued support during the duration of the contract. This covers all of the technical integration process and then general support during the use of the platform. This standard level of support is included within the usage costs laid out in the Pricing document.

We use Zendesk to manage all support enquiries and have the following response times to various levels of enquiry on a 24/7 365 day per year basis:

  • Service Category 1 - First Return Response by 2 hours, acceptable workaround within 6 hours, final resolution within 24 hours
  • Service Category 2 - First Return Response by 4 hours, resolution within 2 Business Days
  • Service Category 3 - First Return Response by Same Business Day, resolution within 5 Business Days
  • Service Category 4 - First Return Response by 2 Business Days, resolution on next scheduled maintenance

In addition to Zendesk support, we make all of our developer documentation available, alongside instructional videos on how to get started and an FAQ page on our website.

We can offer clients a dedicated account manager at an additional cost.
Support available to third parties
Yes

Onboarding and offboarding

Getting started
For businesses we provide an API and integration documentation that explains how our integration process works. We have an SDK and our support team are on hand to help guide companies through the integration process.

Users simply need to download the free app and run through our two step onboarding process. Once they have scanned a government issued ID and completed a liveness test, they will have generated a Nuggets account. The app is intuitive and user-friendly, however should a user encounter any issues, they can visit the FAQs section of our website for further information or contact our support team.
Service documentation
Yes
Documentation formats
HTML
End-of-contract data extraction
Users are able to permanently delete their Nuggets account, which means all data associated with that account is also deleted.
End-of-contract process
Users are able to permanently delete their Nuggets account before the contract expires, which means all data associated with that account is also deleted. This account deletion function is available throughout the length of the contract and is included in the pricing.

Using the service

Web browser interface
No
Application to install
Yes
Compatible operating systems
  • Android
  • iOS
Designed for use on mobile devices
Yes
Differences between the mobile and desktop service
All features are multi-platform and there are no differences.
Service interface
No
User support accessibility
WCAG 2.1 A
API
Yes
What users can and can't do using the API
They can connect using open standards of W3C Verifiable Credentials (VCs), Decentralised Identifiers (DIDs), and DIDComm Messaging (DIDComm).
API documentation
Yes
API documentation formats
  • Open API (also known as Swagger)
  • HTML
API sandbox or test environment
Yes
Customisation available
Yes
Description of customisation
Nuggets is modular and can be white labelled.

Scaling

Independence of resources
The Nuggets platform has been built to process millions of transactions per day. Our infrastructure has been architected so that as demand on the platform increases, we can scale to deal with the increased load and capacity.

Analytics

Service usage metrics
Yes
Metrics types
- Number of Users (IDs associated to merchant ID)
- Number of Logins
- We can also report on events by status (i.e. user cancelled, user approved, merchant declined, merchant approved, etc)
Reporting types
Reports on request

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Yes
Datacentre security standards
Managed by a third party
Penetration testing frequency
At least once a year
Penetration testing approach
‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
  • Other
Other data at rest protection approach
All storage devices used on the Nuggets Platform have AES256 Encryption enabled by default. Each piece of data is cryptographically signed by AES256 encryption and the keys used to encrypt the data are themselves encrypted by a server-supplied key held within a secure hardware device.
Data sanitisation process
Yes
Data sanitisation type
Explicit overwriting of storage before reallocation
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
N/A
Data export formats
Other
Other data export formats
N/A
Data import formats
Other
Other data import formats
N/A

Data-in-transit protection

Data protection between buyer and supplier networks
TLS (version 1.2 or above)
Data protection within supplier network
TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability
Nuggets Services will be available, based on calculations laid out in our T&Cs, 99.5% of the time on a monthly basis. Available is defined as responding via the internal and external monitoring services and functioning per features described in Schedule B in our T&Cs. If a particular Nuggets Service or Application is not available, the lack of availability will not impact the availability of any other Nuggets Service or Application. Under our standard terms we offer credit equivalent to 5% of the fees payable in the relevant month where there has been a service failure.
Approach to resilience
The Nuggets Platform is housed in a Tier III+ datacentre which offers strict security and runs redundancy for all service offerings. The Nuggets Platform was designed to be highly available and resilient to outages. Its services are stored on multiple servers across different locations. This allows an automated, instantaneous failover should any server become unavailable. In the event of a disaster recovery situation, Nuggets operates a 2 hour recovery time objective (RTO) and a 24 hour recovery point objective (RPO).
Outage reporting
As a first step any service issues are recorded in Nuggets’ Zendesk. Our response times are correlated to the seriousness of the issue and we have implemented a tiered structure for our Service Categories. For any Level 1 incidents, a 1st return response will happen within 2 hours, and we target a resolution within 6 hours and a final resolution within 24 hours. Following this structure a final resolution for Level 2 incidents is 2 Business Days, Level 3 incidents are 5 Business Days and Level 4 incidents are covered in the next scheduled maintenance. We also report these incidents publicly via our website and email notifications. During business hours our partnership team are also available to assist with any service outage enquiries.

Identity and authentication

User authentication needed
Yes
User authentication
Public key authentication (including by TLS client certificate)
Access restrictions in management interfaces and support channels
Senior Management control and monitor access to all management interfaces and support channels. Depending on their role, job requirements and level of seniority, only those members of staff who need access to specific areas are granted such access. This is reviewed every six months. In addition to this approach of limiting access to only those for whom it is essential, all logins are protected with 2FA.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)

Audit information for users

Access to user activity audit information
Users contact the support team to get audit information
How long user audit data is stored for
User-defined
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
User-defined
How long system logs are stored for
User-defined

Standards and certifications

ISO/IEC 27001 certification
Yes
Who accredited the ISO/IEC 27001
BAB Activ
ISO/IEC 27001 accreditation date
17/06/2021
What the ISO/IEC 27001 doesn’t cover
It covers an information security management system (ISMS). Using one enables organizations of any kind to manage the security of assets such as financial information, intellectual property, employee details or information entrusted by third parties.
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Cyber essentials
No
Cyber essentials plus
No
Other security certifications
No

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
ISO/IEC 27001
Information security policies and processes
Nuggets is certified to ISO27001. We have a Business Management System in place to ensure that we maintain the confidentiality, integrity and availability of our information.
The system is designed to be consistent with the requirements of:
- ISO 27001:2017;
- All information security legal requirements;
- Any other information security requirements to which Nuggets subscribes.
The system has been authorised by Nuggets’ Senior Management. Support for its implementation and compliance with its procedures and policies is a condition of employment for all employees.
The scope of Nuggets’ Management System encompasses people, processes and all IT and physical infrastructure.
Governance and Reporting:
Senior Management meets on a monthly basis to cover all risk issues and mitigations including any reported security issues. The CEO is required to report to the Board on a regular basis on the performance of the Group, from a product, operational and a risk management perspective.

Operational security

Configuration and change management standard
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach
All aspects of configuration and change management are managed under our ISO27001 guidelines, processes and principles. Nuggets use various systems to track and manage all configuration and change programmes and follow industry best practices and guidelines at all times. All changes are approved by senior management who are qualified to assess the security impact of the changes.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
All aspects of vulnerability management are managed under our ISO 27001 guidelines, processes and principles. Nuggets uses various systems to track and manage all potential threats and can respond promptly to address threats and apply patches. Nuggets follow industry best practices and guidelines at all times and work with industry leading partners to keep ahead of all information relevant to threat management.
Protective monitoring type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach
All aspects of protective monitoring are managed under our ISO 27001 guidelines, processes and principles. Nuggets uses various systems to track and manage all potential threats and can respond promptly to address threats and apply patches. Nuggets follow industry best practices and guidelines at all times and work with industry leading partners to keep ahead of all information relevant to threat management.
Incident management type
Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach
All aspects of incident management are managed under our ISO27001 guidelines, processes and principles. Nuggets uses an incident management system called Zendesk and follows industry best practices and guidelines including ITIL for service desk management. Users can report incidents by email or using our 24/7 support numbers. Using our support processes we will track and monitor progress and report back to users as necessary.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks
No

Social Value

Covid-19 recovery

N/A

Pricing

Price
£0.10 to £0.20 a unit
Discount for educational organisations
Yes
Free trial available
Yes
Description of free trial
Time-limited free trials are possible and will be agreed upon on a case-by-case basis, depending on the specific requirements for each partner. Please get in touch with us to discuss this option further.
