Nuggets Ltd

Nuggets Verified Self-Sovereign Decentralised Identity & Payment

Nuggets is a global verified self-sovereign decentralised identity payment platform, certified to the UK Digital Identity and Attributes Trust Framework, GPG 45 and 44, eIDAS, and GDPR. Nuggets merges payments with identity, which means you can trust each and every payment transaction without the fraud or the friction.

Features

• Muti-rail payments - customers can pay anywhere, physically or virtually
• Various payment methods, including credit, debit and direct bank payments
• Strong Customer Authentication, transactions are tied to a verified identity
• No need for one time pass codes or 2FA
• Trusted Transactions, identities are verified on both sides ensuring trust
• Privacy by design, encryption, zero-knowledge proofs, blockchain ensure cryptographic proof
• Zero Trust on anything, anywhere, on any network
• KYC and AML without holding PII data
• W3C Verifiable Credentials, enabling global, private and secure interoperability
• Minimise regulatory, reputational risks, comply with PCI DSS, and PSD2

Benefits

• Individuals and Businesses can pay and authenticate using biometrics
• No usernames or passwords – at any level
• No need to store or pass payment details
• Simple, powerful and frictionless user experiences across all devices
• Reduced cybercrime and privacy and security assured
• Increased operational efficiency
• Users own and control their data for services and applications
• Works alongside existing payment, IAM and CRM Solutions
• Secure, quick, easy integration and white labeling
• Global and cross-platform - Android, iOS, Mobile and Desktop

£0.10 to £0.20 a unit

• Education pricing available
• Free trial available

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at seema@nuggets.life. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 13

Service ID

936037473390528

Contact

Seema Khinda Johnson
020 3287 4375
seema@nuggets.life

Service scope

• Software add-on or extension: No
• Cloud deployment model: Public cloud
• Service constraints: No.; In order to use the verified identity service users need to download the free Nuggets app and create their verified digital identity. This one-time process only takes a few minutes, and consists of a user verifying their biometrics, uploading a government issued ID (eg Passport or Driving Licence) and completing a liveness check. Once their ID is verified their account will be created and they are ready to start using the platform. Nuggets requires connectivity to the internet and a device, such as any modern smartphone.
• System requirements:
  • Nuggets supports iOS 10 and later software
  • Nuggets supports apple iPhone 5 and later
  • Nuggets supports Android 5.0 and later software
  • Requires an internet connection

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: We respond to questions within 30 minutes during business hours. Outside of business hours our response time is 60 minutes.; ; Our business hours are as follows:; Mon - Fri 9am - 6pm; Sat - Sun 12pm - 9pm
• User can manage status and priority of support tickets: No
• Phone support: No
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: We offer support throughout the onboarding process and then continued support during the duration of the contract. This covers all of the technical integration process and then general support during the use of the platform. This standard level of support is included within the usage costs laid out in the Pricing document. ; ; We use Zendesk to manage all support enquiries and have the following response times to various levels of enquiry on a 24/7 365 day per year basis:; ; Service Category: 1- First Return Response by 2 hours, acceptable work around within 6 hours, final resolution within 24 hours; ----; Service Category: 2 - First Return Response by 4 hours resolution within 2 Business Days; ----; Service Category: 3 - First Return Response by Same Business Day, resolution within 5 Business Days; ----; Service Category: 4 - First Return Response by 2 Business Days, resolution on next scheduled maintenance; ----; ; In addition to Zendesk support, we make all of our developer documentation available, alongside instructional videos on how to get started and an FAQ page on our website.; ; We can offer clients a dedicated account manager at an additional cost.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: For businesses we provide an API and integration documentation that explains how our integration process works. We have an SDK and our support team are on hand to help guide companies through the integration process.; ; Users simply need to download the free app and run through our two step onboarding process. Once they have scanned a government issued ID and completed a liveness test, they will have generated a Nuggets account. The app is intuitive and user-friendly, however should a user encounter any issues, they can visit the FAQs section of our website for further information or contact our support team.
• Service documentation: Yes
• Documentation formats: HTML
• End-of-contract data extraction: Users are able to permanently delete their Nuggets account, which means all data associated with that account is also deleted.
• End-of-contract process: Users are able to permanently delete their Nuggets account before the contract expires, which means all data associated with that account is also deleted. This account deletion function is available throughout the length of the contract and is included in the pricing.

Using the service

• Web browser interface: No
• Application to install: Yes
• Compatible operating systems:
  • Android
  • IOS
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: All features are multi-platform and there are no differences.
• Service interface: No
• User support accessibility: WCAG 2.1 A
• API: Yes
• What users can and can't do using the API: They can connect using open standards of W3C Verifiable Credentials (VCs), Decentralised Identifiers (DIDs), and DIDComm Messaging (DIDComm).
• API documentation: Yes
• API documentation formats:
  • Open API (also known as Swagger)
  • HTML
• API sandbox or test environment: Yes
• Customisation available: Yes
• Description of customisation: Nuggets is modular and can be white labelled.

Scaling

• Independence of resources: The Nuggets platform has been built to process millions of transactions per day. Our infrastructure has been architectured so that as demand on the platform increases, we can scale to deal with the increased load and capacity.

Analytics

• Service usage metrics: Yes
• Metrics types: - Number of Users (IDs associated to merchant ID); - Number of Logins; - We can also report on events by status (i.e. user cancelled, user approved, merchant declined, merchant approved, etc)
• Reporting types: Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Developed Vetting (DV)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: Yes
• Datacentre security standards: Managed by a third party
• Penetration testing frequency: At least once a year
• Penetration testing approach: ‘IT Health Check’ performed by a CHECK service provider
• Protecting data at rest:
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
  • Other
• Other data at rest protection approach: All storage devices used on the Nuggets Platform have AES256 Encryption enabled by default. Each piece of data is cryptographically signed by AES256 encryption and the keys used to encrypt the data are themselves encrypted by a server-supplied key held within a secure hardware device.
• Data sanitisation process: Yes
• Data sanitisation type: Explicit overwriting of storage before reallocation
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: N/A
• Data export formats: Other
• Other data export formats: N/A
• Data import formats: Other
• Other data import formats: N/A

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: Nuggets Services will be available, based on calculations laid out in our T&Cs, 99.5% of the time on a monthly basis. Available is defined as responding via the internal and external monitoring services and functioning per features described in Schedule B in our T&Cs. If a particular Nuggets Service or Application is not available, the lack of availability will not impact the availability of any other Nuggets Service or Application. Under our standard terms we offer credit equivalent to 5% of the fees payable in the relevant month where there has been a service failure.
• Approach to resilience: Nuggets Platform is housed in a Tier III+ datacentre which offers strict security and runs redundancy for all service offerings. The Nuggets Platform was designed to be highly available and resilient to outages. Its services are stored on multiple servers across different locations. This allows an automated instantaneous failover too should any server become unavailable. In the event of a disaster recovery situation, Nuggets operates a 2hour recovery time objective (RTO) and a 24 hour recovery point objective (RPO).
• Outage reporting: As a first step any service issues are recorded in Nuggets’ Zendesk. Our response times are correlated to the seriousness of the issue and we have implemented a tiered structure for our Service Categories. For any Level 1 incidents, a 1st return response will happen within 2 hours, and we target a resolution within 6 hours and a final resolution within 24 hours. Following this structure a final resolution for Level 2 incidents is 2 Business Days, Level 3 incidents are 5 Business Days and Level 4 incidents are covered in the next scheduled maintenance. We also report these incidents publicly via our website and email notifications. During business hours our partnership team are also available to assist with any service outage enquiries.

Identity and authentication

• User authentication needed: Yes
• User authentication: Public key authentication (including by TLS client certificate)
• Access restrictions in management interfaces and support channels: Senior Management control and monitor access to all management interfaces and support channels. Depending on their role, job requirements and level of seniority, only those members of staff who need access to specific areas are granted such access. This is reviewed every six months. In addition to this approach of limiting access to only those for who it is essential, all logins are protected with 2FA.
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: User-defined
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: User-defined
• How long system logs are stored for: User-defined

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: BAB Activ
• ISO/IEC 27001 accreditation date: 17/06/2021
• What the ISO/IEC 27001 doesn’t cover: It covers an information security management system (ISMS), using them enables organizations of any kind to manage the security of assets such as financial information, intellectual property, employee details or information entrusted by third parties.
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: No
• Cyber essentials plus: No
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: Nuggets is certified to ISO27001. We have a Business Management System in place to ensure that we maintain the confidentiality, integrity and availability of our information.; The system is designed to be consistent with the requirements of: ; - ISO 27001:2017;; -All information security legal requirements; ; -Any other information security requirements to which Nuggets subscribes;; The system has been authorised by Nuggets’ Senior Management. Support for its implementation and compliance with its procedures and policies is a condition of employment for all employees.; The scope of Nuggets’ Management System encompasses people, processes and all IT and physical infrastructure.; Governance and Reporting: ; Senior Management meets on a monthly basis to cover all risk issues and mitigations including any reported security issues. The CEO is required to report to the Board on a regular basis on the performance of the Group, from a product, operational and a risk management perspective.

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: All aspects of configuration and change management are managed under our ISO27001 guidelines, processes and principles. Nuggets use various systems to track and manage all configuration and change programmes and follow industry best practices and guidelines at all times. All changes are approved by senior management who are qualified to assess the security impact of the changes.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: All aspects of vulnerability management are managed under our ISO 27001 guidelines, processes and principles. Nuggets uses various systems to track and manage all potential threats and can respond promptly to address threats and apply patches. Nuggets follow industry best practices and guidelines at all times and work with industry leading partners to keep ahead of all information relevant to threat management.
• Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Protective monitoring approach: All aspects of protective monitoring are managed under our ISO 27001 guidelines, processes and principles. Nuggets uses various systems to track and manage all potential threats and can respond promptly to address threats and apply patches. Nuggets follow industry best practices and guidelines at all times and work with industry leading partners to keep ahead of all information relevant to threat management.
• Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
• Incident management approach: All aspects of incident management are managed under our ISO27001 guidelines, processes and principles. Nuggets uses an incident management system called Zendesk and follows industry best practices and guidelines including ITIL for service desk management. Users can report incidents by email or using our 24/7 support numbers. Using our support processes we will track and monitor progress and report back to users as necessary.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: No

Social Value

• Covid-19 recovery:

  Covid-19 recovery

  N/A

Pricing

• Price: £0.10 to £0.20 a unit
• Discount for educational organisations: Yes
• Free trial available: Yes
• Description of free trial: Time-limited free trials are possible and will be agreed upon on a case-by-case basis, depending on the specific requirements for each partner. Please get in touch with us to discuss this option further.

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at seema@nuggets.life. Tell them what format you need. It will help if you say what assistive technology you use.