ReadID - Innovalor Software B.V.

ReadID - Mobile identity document verification

ReadID verifies the authenticity of identity documents using a mobile phone. It uses the NFC capability to read the RFID chip present in passports and similar identity documents.

ReadID is provided as a SaaS backend, with a mobile SDK or a white-label ready-to-use app.

ReadID is simple and secure.

Features

  • Mobile verification of passport and ID/residence cards using NFC
  • Unequivocal confirmation of the authenticity of chipped identity documents
  • Straight-through processing
  • No manual input or OCR mistakes
  • High-resolution face image from the chip
  • Digital signature verification and cloning detection at server side
  • Powerful APIs/SDK available to build your own app
  • Or alternatively: a white-label ready-to-use app
  • Server-side (REST) APIs to get access to verification results
  • Machine Readable Zone scanning/OCR optimised for smartphones

Benefits

  • Enabling verification of identity documents, anywhere and anytime
  • Easy to use, by end users or own staff
  • Secure and safe to use
  • Reduce lookalike fraud because of high-resolution face image
  • Full control over customer journey
  • Reading chips with NFC technology delivers a WOW experience
  • Server-side verification allows for self-service verification

Pricing

£1 per transaction per month

Framework

G-Cloud 11

Service ID

141406992328512

Contact

ReadID - Innovalor Software B.V.

Maarten Wegdam

+31 6 51993485

readid@innovalor.nl

Service scope

Software add-on or extension
No
Cloud deployment model
  • Public cloud
  • Private cloud
  • Community cloud
  • Hybrid cloud
Service constraints
At this point the service is available on NFC-equipped Android-based phones/tablets.

Service will become available on iOS once Apple opens up the NFC antenna (for ISO 14443) to be used by third-party software providers. We currently use external readers on iOS (already in beta, not detailed in the service description and pricing yet).
System requirements
  • Android mobile phones/tablets with NFC
  • Android version 5 and up (currently)
  • iPhones with NFC (depending on Apple)
  • iPhone/iPad with suitable external NFC reader

User support

Email or online ticketing support
Email or online ticketing
Support response times
The response time depends on the priority, see T&C for details.
There is 24x7 support for highest-priority issues; for other issues, office hours apply.
User can manage status and priority of support tickets
Yes
Online ticketing support accessibility
None or don’t know
Phone support
Yes
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
No
Onsite support
Yes, at extra cost
Support levels
There are generic support channels (email, phone).
Support is included in the price.
Additional professional services are available at a day rate.
Each customer will get a primary technical contact during the implementation phase. If desired, this can continue after the implementation phase.
Extended support hours are possible at additional costs.
For major incidents there is 24x7 support.
Support available to third parties
Yes

Onboarding and offboarding

Getting started
If the SDK is used, the buyer has full control over the functionality and UX of the app, and thus has to provide their own user documentation.

For the white label app there is user documentation.

We can provide online and onsite user training if needed.

Of course, we provide developer documentation to explain our APIs.
Service documentation
Yes
Documentation formats
PDF
End-of-contract data extraction
The ReadID server API allows extraction of all identity document data.

The ReadID servers only cache the identity document information, i.e., we do not provide long-term storage, since we do not want to have access to this very privacy-sensitive information for a longer period. This data is also extracted during the contract.

Audit information can be extracted at the end of the contract at an additional cost.
End-of-contract process
There are no additional costs.

Access to the API is removed. Buyer will have to stop using the SDK/libraries at the date the contract ends.

Using the service

Web browser interface
No
Application to install
Yes
Compatible operating systems
  • Android
  • iOS
Designed for use on mobile devices
Yes
Differences between the mobile and desktop service
Only a mobile version of the service is available, as the solution is mobile. No desktop solution is available or planned, as it does not fit the service's purpose.

There is a desktop (browser) based management portal for the service, but this is only for the buyer to manage the service, not to use the service.
Service interface
No
API
Yes
What users can and can't do using the API
There is a client-side API, i.e., to implement into a mobile app. This can call the Machine Readable Zone scanning functionality and the NFC functionality.

There is a server-side API to get the results of the identity document verification.
API documentation
Yes
API documentation formats
  • HTML
  • PDF
  • Other
API sandbox or test environment
Yes
Customisation available
Yes
Description of customisation
ReadID can be considered a toolbox; the buyer can determine how to use it and integrate it in the mobile app. For example, how to implement the UX and what security mechanisms to use.

There are two levels of client-side APIs: low-level with full UX customisation options, and high-level including UX screens. In addition, there is a white-label ready-to-use app.

Scaling

Independence of resources
ReadID can process many transactions simultaneously, and is built to scale horizontally and vertically, i.e., we can use more or faster computing resources to scale the service. ReadID does auto-scaling.

If desired, we can create a separate environment for a buyer with relatively little effort. There is an additional cost for this, which depends on the sizing of this environment.

Analytics

Service usage metrics
Yes
Metrics types
Metrics on ReadID's operations are supplied via an online management portal in which the buyer can see information such as the number of transactions executed per period of time (hour, day, month, year, etc.) and audit logs.
Reporting types
Real-time dashboards

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
User control over data storage and processing locations
Yes
Datacentre security standards
Supplier-defined controls
Penetration testing frequency
At least every 6 months
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
Data sanitisation process
Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
Identity document data is exported via the provided API.
Alternatively, the management portal allows manual export (JSON, XML or PDF). Exported data can be signed.

Billing data is exported via the management portal, as CSV.
Data export formats
  • CSV
  • Other
Other data export formats
  • JSON
  • XML
  • PDF
Data import formats
Other
Other data import formats
Not applicable

Data-in-transit protection

Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • Legacy SSL and TLS (under version 1.2)
Data protection within supplier network
TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability
We offer a 99.5% availability in our default SLA.
Approach to resilience
We use a combination of 1) several servers that are stateless and automatically restart if unhealthy, 2) a redundant database and 3) several availability zones.
Outage reporting
We monitor the service via different means, including automated end-to-end tests. If there is an outage, the customer is notified via email.

We are working on an API and dashboard.

Identity and authentication

User authentication needed
Yes
User authentication
Other
Other user authentication
How/if the end-users authenticate in the app is up to the buyer if the SDK is used. For the ready-to-use app they need a token, e.g., provided as a QR code.

The apps/SDK need to use a password-like authentication mechanism (static or dynamic); this is hidden from the end-users.
Access restrictions in management interfaces and support channels
For the management interface two-factor authentication is used.

For the support channel one-factor authentication is used.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users have access to real-time audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
Yes
Who accredited the ISO/IEC 27001
Dekra Certification B.V.
ISO/IEC 27001 accreditation date
20/02/2018
What the ISO/IEC 27001 doesn’t cover
In the Statement of Applicability we only excluded A.14.2.7 on outsourcing of software development, since we do not do this.
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Other security certifications
No

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
ISO/IEC 27001
Information security policies and processes
Important roles for the security policies are a CISO and DPO.

Our ISO27001 ISMS and security documentation details the information security policies and processes, including internal and external audits to check whether they are properly followed. Details are available upon request.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
We use a state-of-the-art source code repository system, including issue tracking. We combine this with processes such as manual code reviews and automated source code scans.
Vulnerability management type
Undisclosed
Vulnerability management approach
We have very strict processes for this, including monitoring public sources for known vulnerabilities and frequent patching.

Details are available to customers.
Protective monitoring type
Undisclosed
Protective monitoring approach
We use a combination of an intrusion detection system, centralized logging on different layers and a 24x7 team to respond to potential compromises.

Details are available to customers.
Incident management type
Undisclosed
Incident management approach
This is part of our ISO27001-certified ISMS, and includes a formalised data breach policy.

Details are available to customers.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks
No

Pricing

Price
£1 per transaction per month
Discount for educational organisations
No
Free trial available
Yes
Description of free trial
A demo app is available in the Play Store. For iOS a demo app is (at time of writing) only available via the App Store TestFlight method.

Contact us for access to other Android or iOS demo apps.

Access to the APIs is not included in the free trial.
Link to free trial
https://play.google.com/store/apps/details?id=nl.innovalor.nfciddocshowcase
