GB Group plc

GBG IDscan Core

Harnessing iBeta accredited ISO 30107-3 Level 2 Passive Liveness detection technology, IDscan Core helps our customers quickly and easily authenticate their customers' ID documents. Our ability to layer documents with data gives you 100% decision rate and the most effective solution in the market.

Features

• Global document library
• Liveness Verification - iBeta Level 2 ISO20107-3
• Face Match (facial biometrics) Verification NIST Certified 1:1 facematch
• NFC RFID chip reading
• Utility Bills
• SDK & API
• Mobile and Web components

Benefits

• SaaS service with no data storage
• Reads 4000+ IDs and passports & utility bills
• Supports RFID chip reading with NFC compatible devices
• Accessible and user friendly SDKs
• Biometric-chip authentication
• a quick, fast, efficient method of filling Advanced Passenger Information
• Highly available scalable identity platform
• Extract contact data from ID documents including text & photo
• Liveness
• SDKs, APIs, Webhook

£75,000 a licence a year

• Free trial available

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Bid.Management@gbgplc.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

988137625614581

Contact

Rhys Davies
01244 657333
Bid.Management@gbgplc.com

Service scope

• Software add-on or extension: No
• Cloud deployment model: Public cloud
• Service constraints: No.
• System requirements:
  • Windows License (2012 and above)
  • Database License - MS SQL Server or Oracle
  • Virtual Machine
  • Aurora D8

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Priority 1 - 30 minutes; Priority 2 - 30 minutes; Priority 3 - 24 hours; Priority 4 - 48 hours
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: None or don’t know
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: 24x7 help desk, named account manager and named technical account manager.
• Support available to third parties: No

Onboarding and offboarding

• Getting started: Support provided, onsite, online and via documentation.
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
• End-of-contract data extraction: Data can be extracted at any time whilst contract is in place. Client can watch GBG destroy data at end of contract and also remove the data from GBG if there want to keep a copy.
• End-of-contract process: No data is returned.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: Browser based access on mobile devices can access Photo Library as well as invoke the camera
• Service interface: Yes
• User support accessibility: None or don’t know
• Description of service interface: Solution provides RESTful APIs with JSON response for integration and retrieval of information.
• Accessibility standards: None or don’t know
• Description of accessibility: JavaScript Library / WebApp for browser based integration, Native iOS/Android SDK for MobileApp integration and RESTful APIs for integration with backend systems.
• Accessibility testing: NA
• API: Yes
• What users can and can't do using the API: REST API. No limitations.
• API documentation: Yes
• API documentation formats: PDF
• API sandbox or test environment: Yes
• Customisation available: Yes
• Description of customisation: The core components have default configurations and provide raw data response back to the service requesting the checks. Strictness of checks can be customised.

Scaling

• Independence of resources: The service has been load tested to ensure that this will not become an issue. Peak period for the service is driven by existing customer demand and this tested every six months.

Analytics

• Service usage metrics: Yes
• Metrics types: All data regarding usage and results is available online and to download.
• Reporting types: Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Developed Vetting (DV)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: Yes
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least every 6 months
• Penetration testing approach: ‘IT Health Check’ performed by a CHECK service provider
• Protecting data at rest:
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
  • Other
• Other data at rest protection approach: FIPS-assured encryption, assured by independent validation of assertion
• Data sanitisation process: Yes
• Data sanitisation type:
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: Via API call
• Data export formats: Other
• Other data export formats:
  • Excel
  • JSON
• Data import formats: Other
• Other data import formats:
  • Rest API upload of document image
  • JPEG/JPG
  • PNG
  • PDF
  • TIF

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Other
• Other protection between networks: PSN assured service; PSN protected service; Assured by independent testing of implementation
• Data protection within supplier network: IPsec or TLS VPN gateway

Availability and resilience

• Guaranteed availability: Service up-time is typically 99.9%.; SLA's are referenced in the terms and conditions.; For a priority 1 fault, where the Service is not operational or is inaccessible, we aim to clear 80% of faults within 4 hours of GBG’s acknowledgement of the fault.
• Approach to resilience: This is information is available upon request. In practical terms we run a process where we fall-over to a back-up data centre if the primary data centre goes off-line.
• Outage reporting: Email alerts to users and technical contacts.

Identity and authentication

• User authentication needed: Yes
• User authentication: Username or password
• Access restrictions in management interfaces and support channels: Access is based on user type. Only administrators can have access to management interfaces.
• Access restriction testing frequency: At least every 6 months
• Management access authentication: Username or password

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: User-defined
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: User-defined
• How long system logs are stored for: User-defined

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: BSI
• ISO/IEC 27001 accreditation date: 07/05/2022
• What the ISO/IEC 27001 doesn’t cover: Nothing available to Clients.
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: No
• Cyber essentials plus: No
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: The GBG Information Security Policy combines the development, delivery, management and maintenance of secure infrastructure and applications, in support of GBG Identity Management offerings, and specifically Identity Verification and Assurance. Within GBG, the Chief Information Security Officer (CISO) has overall accountability for Information Security and it is the responsibility of the CISO to make the appropriate provisions for establishing controls to ensure adherence to the GBG Information Security Management System. The CISO also provides the Senior Leadership Team and GBG Board with an Information Security review at the end of the financial year. The Chief regulation Officer (CRO) chairs the quarterly Internal Controls Board, and is the main document signatory for GBG. The CRO is also head of GBG’s Legal team, who are responsible for ensuring compliance to all relevant legislation.

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: All changes to the service must be delivered under the governance of the GBG Change Management Process. No change will be approved without clear remediation or back-out plan, properly identified, documented, tested and approved. There are three levels of configuration and change management: Standard Change, Emergency Change and Reviewed Change. The latter is not a routine or standard change and no documented process exists for the change. If there is uncertainty as to whether or not further review is required. It is better to request further review than to press forward with the change and have it fail.
• Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Vulnerability management approach: The Vulnerability Management Process will involve assessing the extent to which the assets are vulnerable to the identified threat. Once the Vulnerability assessments have been conducted, the level of riskwill then need to be determined. Risk’s with a risk rating that falls below the Risk Appetite for the business are ‘tolerated’. The Risk Appetite for GBG is Cautious. ; ; Risk’s that fall within the Risk Appetite will require the risk owner to create a treatment plan to reduce the level of risk. Treatment plans are proposed ideas or controls that can be implemented that would reduce the level of risk.
• Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Protective monitoring approach: This is ongoing process. The response is immediate.
• Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
• Incident management approach: The process is defined as part of the Information Security policy.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  Equal opportunity

  Equal opportunity

  At GBG our Environmental, Social and Governance Strategy (ESG) – Environment, Everyone and Ethics – reinforces our commitment to embed a sustainable and ethical approach in everything we do. It represents what makes us unique and provides the framework to drive action on the most impactful and important areas.; As part of GBG’s participation on the G-Cloud14 Framework, we have a Social Value Action Plan that is updated annually, demonstrating our commitments to meeting PPN06/20. ; GBG commits to offering equal opportunities across our global workforce, achieved through our employment, training, and career development policies and practices, promoting equality of opportunity regardless of gender, sexual orientation, age, marital status, education, disability, race, religion or other beliefs including ethnic or national origin.; Everyone in our team has access to opportunities to learn, develop skills, grow their careers and progress. Through our training platform ‘be/developed’, we offer a broad range of power skills and job specific learning opportunities, updated regularly, promoting an inclusive and diverse culture. The platform is available to all GBG team members, including part-time and contractors, who are required to complete mandated training courses. We partner with different training providers globally to provide a mix of specialist and professional development for our team.; Influencing the behaviour of our staff and the communities we work in is imperative to GBG’s mission as an organisation. Examples include:; 1. Demonstrating our commitment to Equality and Diversity.; 2. Support LGBTQ+ team members, encouraging a culture of belonging and acceptance.; 3. Tackle barriers to entry that many people experience, especially women in the technology sector.; 4. GBG is a gold sponsor of Women in Identity’s flagship research, the ID Code of Conduct.; GBG’s ESG commitments can be found here: Environmental, Social and Governance | Investors | GBG (gbgplc.com)

Pricing

• Price: £75,000 a licence a year
• Discount for educational organisations: No
• Free trial available: Yes
• Description of free trial: Trial will deliver full access for up to a month.

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Bid.Management@gbgplc.com. Tell them what format you need. It will help if you say what assistive technology you use.