CONDATIS GROUP LIMITED

Condatis Credential Gateway – simplifying decentralized identity orchestration

The Condatis Credential Gateway © (CCG) is a decentralized identity platform that simplifies the orchestration of decentralized identity user journeys. The gateway provides verifiable credential capabilities using industry standards, supporting integration with existing data sources, verifiable credential and identity verification service providers, eliminating vendor lock-in and future proofing deployed solutions.

Features

  • Decentralized Identity Service
  • Allows customers to easily issue and verify credentials
  • Enables passwordless sign-in journeys
  • Integrates with existing systems
  • Custom credentials and proof/presentation requests
  • Integrates with other services, such as identity verification services

Benefits

  • Simplifies credential issuance and verification
  • System-neutral solution
  • Supports easy integration with verifiable credential services
  • Trusted data exchange
  • Supports multiple user journeys via the same architecture
  • Privacy preserving (minimum data is required)
  • Providing identity technology future proofing, extensibility and reusability
  • Extends identity across organisational boundaries

Pricing

£500 to £10,000 a licence a month

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at sales@condatis.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 13

Service ID

993492767957998

Contact

CONDATIS GROUP LIMITED
Gillian Jones
Telephone: 0800 538 5533
Email: sales@condatis.com

Service scope

Software add-on or extension
Yes
What software services is the service an extension to
Verifiable Credential providers: such as Microsoft - Evernym - Mattr - Others

Identification Verification Service providers: such as Yoti - Onfido - Others
Cloud deployment model
Public cloud
Service constraints
No - Condatis Credential Gateway is delivered via public cloud services, with constraints per that cloud and cloud service(s).
System requirements
  • Access to cloud services (at an organisational and procurement level)
  • Appropriate connectivity (internet access)

User support

Email or online ticketing support
Email or online ticketing
Support response times
Dependent on customer requirements, notification, logging and responses can be immediate.
User can manage status and priority of support tickets
No
Phone support
Yes
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
No
Onsite support
Yes, at extra cost
Support levels
1) Very High: A security breach whereby a third party gains access to personal data or an individual’s account may be compromised. A security alert that is categorised as being critical to data security. In the event of a security breach, the technician will take immediate action to limit further unauthorised access to the Infrastructure Applications. Investigative work to provide a resolution will then commence during Service Hours.
  • Response: 30 minutes
  • Resolution: 8 service hours
2) High: An error that renders the software inoperative or causes the software to fail catastrophically.
  • Response: 1 service hour
  • Resolution: 16 service hours
3) Normal: An error that affects performance of the software and significantly degrades the use of the software. A security alert that is categorised as being medium severity.
  • Response: 1 service hour
  • Resolution: Best efforts to obtain resolution in 40 service hours
4) Low: An error that affects performance of the Infrastructure Applications but does not significantly degrade the use of the service. A security alert that is categorised as being low severity.
  • Response: 1 service hour
  • Resolution: Best efforts to put resolution in the next software release

Fees as per pricing doc
Support available to third parties
Yes

Onboarding and offboarding

Getting started
Combination of online training, user documentation and workshops.
Service documentation
Yes
Documentation formats
  • HTML
  • ODF
  • PDF
End-of-contract data extraction
Configuration, Audit and Billing data stored in the system can be extracted for the purposes of migration / deletion. This work could be undertaken by the authority with required support from Condatis.

No PII data is persisted within the service.
End-of-contract process
All data is extracted and deleted. The customer's instance of the Credential Gateway is deactivated and access removed.

Using the service

Web browser interface
Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
Application to install
No
Designed for use on mobile devices
Yes
Differences between the mobile and desktop service
The service supports mobile device deeplinking and QR code display for both mobile and desktop devices.

Web experience is via adaptive templates. Experience is ultimately dependent on the user's device, operating system and browser of choice.
Service interface
Yes
User support accessibility
WCAG 2.1 AAA
Description of service interface
QR code display screen.
Accessibility standards
WCAG 2.1 AAA
Accessibility testing
Baseline accessibility testing has been performed.
API
Yes
What users can and can't do using the API
- Create new credentials
- Verify credentials
- Configure identity journeys
- Configuration of trust framework
- Credential management, including revocation
API documentation
Yes
API documentation formats
  • Open API (also known as Swagger)
  • HTML
  • PDF
API sandbox or test environment
Yes
Customisation available
Yes
Description of customisation
Users can add custom credentials and create custom verification requests - this can be done via the API.

Users can use the API to configure when an issuance, verification or Identity verification check happens within a custom flow.

Nominated users can be given access to the API (secured access).

Scaling

Independence of resources
System autoscales according to load through the public cloud architecture.

Analytics

Service usage metrics
Yes
Metrics types
Metrics include: Number of credential issuances - Number of credential verifications - Number of identity verification checks - Service uptime (downtime) - User traffic over a specific period - Any failed requests
Reporting types
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

Supplier type
Reseller providing extra features and support
Organisation whose services are being resold
Microsoft, Evernym, Mattr, Yoti, Onfido and others

Staff security

Staff security clearance
Conforms to BS7858:2019
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
User control over data storage and processing locations
Yes
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least every 6 months
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
Data sanitisation process
Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
Data stored in the system can be extracted for the purposes of migration / deletion. This work could be undertaken by the authority with required support from Condatis.
Data export formats
  • CSV
  • ODF
  • Other
Other data export formats
  • Directory schema
  • Database schema
Data import formats
  • CSV
  • ODF
  • Other
Other data import formats
  • Directory schema
  • Database schema

Data-in-transit protection

Data protection between buyer and supplier networks
TLS (version 1.2 or above)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • Other
Other protection within supplier network
Encryption (AES 256) of data at rest.
Message level security through signing and verifying requests.

Availability and resilience

Guaranteed availability
Condatis SLA(s) indicate service availability. This is backed by cloud provider's own SLA(s). Condatis and cloud vendor offer service credits where SLA availability is not met.
Approach to resilience
Azure resilience from a cloud provisioning perspective can be enhanced by configuring some elements to be geo redundant or manually configuring fail over duplicates in other regions or datacenters.

Customisation based on client needs possible.
Outage reporting
Outage reporting is per SLA and can include: - dashboard - email alerting - telephone alerting

Identity and authentication

User authentication needed
Yes
User authentication
Public key authentication (including by TLS client certificate)
Access restrictions in management interfaces and support channels
Access to system interfaces is restricted by username and password, and additional factors as may be required, or authority's own access technology (e.g., if access is federated).
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
User-defined
Access to supplier activity audit information
Users have access to real-time audit information
How long supplier audit data is stored for
User-defined
How long system logs are stored for
User-defined

Standards and certifications

ISO/IEC 27001 certification
Yes
Who accredited the ISO/IEC 27001
Centre for Assessment Limited
ISO/IEC 27001 accreditation date
25/02/2022
What the ISO/IEC 27001 doesn’t cover
Condatis' ISO 27001 statement of applicability covers all the controls defined by ISO 27001 with the exception of 14.2.7 Outsourced development and 11.1.6 Delivery and Loading Areas because they do not apply to Condatis.
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Cyber essentials
No
Cyber essentials plus
No
Other security certifications
No

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
ISO/IEC 27001
Information security policies and processes
Regular internal and external audit and management review meetings ensure the following are followed. Information security manager reports to CEO.
  • Information Security Objectives
  • Information Classification Policy
  • Information Handling Policy
  • Document Control Policy
  • Clear Desk and Clear Screen Policy
  • Secure Development Policy
  • Mobile Computing and Remote Working Policy
  • Access Control Policy
  • Acceptable Use Policy
  • Cryptographic Policy
  • Anti-virus and anti-malware policy
  • Software Installation Policy
  • Supplier Security & Quality Policy
  • Business Continuity Management Policy
  • Network Security Policy
  • Secure Systems Engineering Policy
  • Media Destruction Policy
  • Communications Policy
  • Password Policy
  • Security Updates policy
  • Capacity Management Policy
  • Hardware Disposal Policy
  • Data Retention Policy
  • Privileged Utility Programs Policy
  • IPR Management Policy
  • Guest Control Policy
  • Condatis Backup Policy
  • Sustainability Policy
  • Security incident management procedure
  • Employees departure and arrival processes
  • Change management procedure
  • Risk assessment methodology

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
We run an agile development lifecycle where feature changes are defined by PBIs (product backlog items). Developed code is version controlled and is passed through a gated release process that is an intrinsic part of the develop, build & deploy DevOps cycle. Release builds (software components deployed to Azure assets) are strictly controlled within the Azure DevOps platform and cascade from development to test and pre-production environments before final deployment to production. Changes at organisational level undergo an ITIL change management process, where the CAB (change authority board) evaluates impact and implications for proposed changes before they are authorised.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
Computing endpoints are regularly scanned for vulnerable software, Windows updates are regularly applied, malware protection software is installed. Security advisories are regularly monitored and actioned accordingly. The solution deployment will typically include within the build pipeline processes for checking for vulnerabilities in code (Secure Code Scan) and in external software components used (Dependency Checker). Once the solution is deployed within the Azure cloud infrastructure, the use of Defender For Cloud will continually assess the security posture and be monitored for any relevant risk mitigation actions.
Protective monitoring type
Undisclosed
Protective monitoring approach
Alert monitoring based on transactional volumes processed by the Credential Gateway.

Add-on monitoring possible using 3rd party partner services, such as ITC Secure.
Incident management type
Supplier-defined controls
Incident management approach
We operate an ITIL-aligned support desk ticketing solution that is able to track the incident lifecycle stages of logging, triage, categorisation, prioritisation, analysis, resolution and post-incident review. Incidents are reported via alerts or by users through email, phone or portal channels. Incidents can transition to problem tickets where root cause and subsequent full resolution can be established. An incident playbook is maintained for common incident types with respective responses, along with knowledge base accessible via customer portal. Incident reports with timelines, impact and root cause analysis will be provided as part of post-incident engagement with customer.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks
No

Social Value

Fighting climate change

As with most companies over the Covid lock-down period, our engagements, workshops and on-boarding now are standardised around Teams or Zoom calls including demos, white boarding and retrospectives. For the period covered by G-Cloud 13 we will continue this practice even though the restrictions have been removed. This will reduce our travel company wide by 95% and thus our carbon footprint. We will also use any G-Cloud contracts to assist us in achieving ISO 14001, the environmental standard, which will in turn involve us vetting our suppliers and partners over their environmental impact. As some of the technologies that we are involved in use distributed ledgers, this will have a significant influence on suppliers, partners and customers.
Covid-19 recovery

During COVID-19, we moved to a fully remote office, allowing all staff to continue in employment from their own home while still being able to fulfil all the obligations to our customers and complete contracts on time and to standard. We now work in a hybrid model where staff choose to work from home or the office.

Condatis is able to support those shielding or impacted by Covid by continuing to provide full time remote working for those that want/require it. We will also continue to provide a home office set up. This will allow Condatis to provide valuable employment for those affected or shielding from Covid while still being able to deliver services as per the contract and customer requirements.

Condatis offer physical and mental health courses to staff, including Mental Health First Aid, Mental Health Awareness for Manager, Resilience Training and First Aid at Work. In having well trained and aware staff working on a contract, this will enable a proactive approach to Mental Health and a quick response on Physical Health. In turn this currently reduces and will continue to reduce the demand on the health and care services.
Tackling economic inequality

Condatis is an employer that advocates and educates other employers to support apprentice programmes. We have presented to over 100 companies about the benefits of having apprentices as part of the Scottish Apprenticeship week.

Condatis was the first company in Scotland to provide a fully virtual Foundation Apprenticeship programme in Software Development, targeting remote high schools based in the Highlands and Islands. We want all young adults to receive an equal opportunity to become an apprentice regardless of their location and we currently have six Foundation Apprentices.

We also support Modern Apprentices, of which two apprentices continue to be employed by us today.

Our Apprenticeship programmes create employment and training opportunities. For those in the Software Development programme, we are providing training opportunities within an industry with a skills shortage. For one of the Modern Apprentices, this was an opportunity for employment within a deprived area.

In the delivery of a project, we anticipate including apprentices on projects with their mentors. We support providing further training for individuals on a project to close skills gaps or attain relevant qualifications.
Equal opportunity

Condatis treats people equally and individuals are not disadvantaged by prejudices or bias. We ensure that recruitment, selection, training, development and promotion procedures result in no job applicant or employee receiving less favourable treatment because of a protected characteristic. Our objective is to ensure that individuals are treated on the basis of their relevant aptitudes, skills and abilities.

We invest in women in technology by supporting female Apprentices in Software Development and Human Resources. We support employees in deprived areas to attain relevant professional qualifications in their field, to enable them to have a successful career. We have attended, and had keynote speakers, at recruitment events for individuals that identify as a woman.

We will continue to provide training and promotion opportunities to all staff, regardless of a protected characteristic. We will continue to offer the living wage as a minimum. If time and funding permit, Condatis plans to champion women in technology by presenting at Edinburgh, and ideally wider, based sessions.
Wellbeing

At Condatis, we have a team of Mental Health First Aiders, who are available to support staff in need and support various initiatives through a Well-being Hub. The Hub provides suggestions to promote better well-being, such as helping others and staying active. We offer fitness classes to employees to promote their physical health.

We promote well being in the workplace for all staff to inspire positive working environments and prevent stress. This allows for the individual, the organisation and the project to thrive.

As part of our own supplier assessments, we ensure that any third-party supplier meets our own ethical standard, which includes their treatment of their workforce. We do the same for prospective customers.

Pricing

Price
£500 to £10,000 a licence a month
Discount for educational organisations
No
Free trial available
No
