ProofID Ltd

ProofID IGA (Identity Governance and Administration)

ProofID IGA is an Identity and Access Management solution built specifically for managing the identity lifecycle of the various user communities, both internal and external, which interact with the modern business. IGA is optimised to deal with external users, across multiple use cases including customer, contractor and B2B.


  • Inbound SCIM API
  • Outbound SCIM provisioning module
  • SCIM Bridge to interface with source/target applications
  • OAuth 2 support
  • Integrated with PingFeederate and PingOne
  • Integrated with Okta
  • Integrated with Microsoft MIM
  • Integrated with NetIQ Identity Manager


  • Manage lifecycle of internal and external users from first contact
  • Synchronisation of identities from authoritative sources to target applications
  • Manage workforce, B2B, B2C and contractor scenarios in common platform
  • Authoritative source and source of authentication for external identities
  • Devolved administration model
  • Out of the box delegated approval and certification workflows
  • Role-based architecture
  • Flexible resource model allowing for coarse and fine grained authorisation
  • Detailed audit trail, capturing attribute level changes to identities
  • Self-service features including self-registration form and secure forgotten password reset


£15000 per instance per year

Service documents

G-Cloud 9


ProofID Ltd

Lorraine Worrall

07788 153467

Service scope

Service scope
Software add-on or extension Yes, but can also be used as a standalone service
What software services is the service an extension to IGA features modules for integration with the following commercial Identity and Access Management products.

Microsoft FIM/MIM
NetIQ Identity Manager
Cloud deployment model Public cloud
Service constraints N/A
System requirements SCIM Bridge may need to hosted on-premise

User support

User support
Email or online ticketing support Email or online ticketing
Support response times 1 hour for a Priority 1 incident
08:00 to 18:00 Mon-Fri
User can manage status and priority of support tickets Yes
Online ticketing support accessibility None or don’t know
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support No
Onsite support Yes, at extra cost
Support levels Telephone and email support is provided as part of the subscription license fee.

Solution specific support can be provided via ProofID's Identity Management Technical Support and Managed Service services, listed separately on GCloud 9. Please review relevant Service Descriptions for details and pricing.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started ProofID provides 'starter pack' consultancy to assist customers with initial configuration of the system. This is provide as a block of 40 hours of remote consultancy on a T&M basis, to be consumed within three months of purchase.
ProofID provides a workbook to assist customers with collecting core information to underpin the configuration of the system.
Service documentation Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction Configuration data can be exported from the administrative console.
User data can be extracted via the API or via CSV export.
Customers may request a copy of their database at any time.
End-of-contract process ProofID will assist the customer with exporting their data at the end of the contract.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 7
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10+
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service Application is designed responsively, and can be run in a browser on a mobile device.
Accessibility standards WCAG 2.0 AA or EN 301 549
Accessibility testing Screen reader testing.
What users can and can't do using the API IGA has a REST API based on SCIM (System for Cross-Domain Identity Management) version 1.1.14 which helps integrate IGA with other applications or cloud based services.

The API uses JSON as a data format and the schema used is as per the SCIM core schema 15. The SCIM Enterprise User Schema Extension is also used. While the SCIM core and Enterprise User schema provide a fixed set of default attributes for the user object, IGA has its own Schema Extension which defines attributes that IGA supports that are not covered in either SCIM Schema.

The API requires mod_rewrite to be loaded within Apache to function.

The API requires HTTP Basic authentication using a local IGA administrative user, which must be created in advance. The user should be a member of the 'API' group. See the section on Local Administrative Users.

The REST API can support a tenancy ID in the URL, this is not enabled by default, but can be enabled as required via a configuration setting.
API documentation Yes
API documentation formats
  • HTML
  • PDF
API sandbox or test environment Yes
Customisation available Yes
Description of customisation IGA has a private SDK which allows per-tenancy customisations. ProofID can build customisations according to customer requirements, at additional cost (see SFIA rate card for developer fees).


Independence of resources ProofID carefully monitor usage of the service and onboarding of new customers to ensure sufficient capacity to handle expected user loads and scaling requirements which feed into capacity planning for the platforms.


Service usage metrics No


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Other security clearance
Government security clearance Up to Developed Vetting (DV)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations No
Datacentre security standards Managed by a third party
Penetration testing frequency At least once a year
Penetration testing approach In-house
Protecting data at rest Physical access control, complying with CSA CCM v3.0
Data sanitisation process Yes
Data sanitisation type Deleted data can’t be directly accessed
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data importing and exporting
Data export approach Data can be export the results of any screen or search from within the system to a CVS file.
Data can be extracted in JSON format via the SCIM API.
Configuration data can be exported from the administrative console.
Data export formats
  • CSV
  • Other
Other data export formats JSON
Data import formats
  • CSV
  • Other
Other data import formats JSON (Via SCIM API)

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • Legacy SSL and TLS (under version 1.2)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • Legacy SSL and TLS (under version 1.2)

Availability and resilience

Availability and resilience
Guaranteed availability ProofID offer a service availability of 99.5%
Approach to resilience The service is operated across multiple geographically located data centres in an active/active fashion. Data centre centre includes full local resilience with multiple resilient at all tiers of the infrastructure including perimeter, application and data layers.

The data centres provide full resilience including
N+1 Redundant air conditioning units to
guarantee stable temperature and humidity
• Redundant UPS conditioned power @ N+1
• Dual HV redundant power supplies from
physically diverse paths
• Dual 1700 KVA auto generator back-up sets
• Dual HV sub stations.
* Multiple internet providers through diverse links and risers to the data floor.
Outage reporting Email alerts are distributed to customers to inform of any outage within the platform that affects their service. Customers are notified in advance of any planned changes that may affect availability

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
Access restrictions in management interfaces and support channels IGA has a fine grained Role based access control system, governing all administrative actions available within the system. Customers can use out of the box administration roles, or create their own according to their requirements.
Access restriction testing frequency At least every 6 months
Management access authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password

Audit information for users

Audit information for users
Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for At least 12 months
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for At least 12 months
How long system logs are stored for At least 12 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 Alcumus ISOQAR
ISO/IEC 27001 accreditation date 09/09/2016
What the ISO/IEC 27001 doesn’t cover N/A ProofID's ISO27001:2013 certification covers the entire business, staff, processes and assets in the provision of Identity and Access Management facilities at ProofID's Old Trafford office, remote staff and 3rd Party Hosted cloud provision in accordance with statement of applicability v13
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security accreditations No

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance accreditation Yes
Security governance standards ISO/IEC 27001
Information security policies and processes ProofID operate a comprehensive Information Security Manual which is aligned and certified as ISO27001:2013 as part of our ISO certification. This certification covers all areas of the business and services provided to customers.

ProofID have an information security committee which meets quarterly to review the organisations ISMS and associated policies, this committee is comprised of individuals from across the business and chaired by the Technical Director which is part of the ProofID board of directors. Information Security status, updates and events are reported as part of the regular management meetings and also covered as part of the board meetings (every 2 months).

All line managers within the business are responsible for ensuring the adherence to the organisations information security policies within their area of the business and where relevant drafting and owning policies relevant to their business areas under the supervision of the Technical Director. Information Security is a key part of ProofID and is included in employees induction and are brief on the policies, event reporting etc. Breaching of the information security policies is covered as part of the organisations employment and disciplinary procedures.

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach As part of ProofID's ISMS and ISO27001:2013 certification change and configuration management procedure is followed.

All components of the service are covered through the procedure including servers, network links, applications, security components etc.

When a change is required a change request is created detailing the assets impacted, change, backout plan, details of relevant testing, any security implications are flagged by the requestor. The change board then reviews the requested change to ensure sufficient details and also compliance with the organisations information security policies and associated risks, as required a risk assessment will be performed is a security risk is identified.
Vulnerability management type Supplier-defined controls
Vulnerability management approach Vulnerabilities are assesses using the following criteria which drives the patching approach

Is the vulnerability exploitable outside of the network?
How complex must an attack be to exploit the vulnerability?
Is authentication required to attack?
Does the vulnerability expose confidential data?

The Organization has established the following timeline requirements for reacting to notifications of relevant vulnerabilities:

Remote, unauthenticated, non-complex attacks: < 1 day
Remote, authenticated, non-complex attacks: 1 day
Remote, complex attacks exposing confidential information: 1 day
All others: 1 week

Notifications are received through subscribing to the applications vulnerability notification systems (emails, RSS feeds etc)
Protective monitoring type Supplier-defined controls
Protective monitoring approach Potential compromises are identified through system monitoring and log file analysis looking for unusual patterns of activity and configuration changes

Should a security breach (physical and systems) be identified or suspected which directly or indirectly involves customer data then the Information Security Manager is responsible for immediately notifying the relevant customer(s).

Incidents involving high-value or business critical systems (as identified under section 8.1 of the Manual) are immediately reported to the Information Security Manager.
Incident management type Supplier-defined controls
Incident management approach All information security events and weaknesses are, immediately upon receipt, recorded by Support team in WebTrack, then assessed and categorized by the Information Security Manager (whom automatically receives confirmation by email of a new recorded incident/event or update).

ProofID have a standard process of handling events, vulnerabilities, incidents and unknown events with associated process and priorities.

Root cause analysis and corrective actions are recorded and where relevant feed back to the affected individuals, these are reviewed at the quarterly information security committee meetings.

Secure development

Secure development
Approach to secure software development best practice Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Public sector networks
Connection to public sector networks No


Price £15000 per instance per year
Discount for educational organisations Yes
Free trial available Yes
Description of free trial Free demo instance of IGA available here:

Free to use for testing and development purposes. Tenancy deleted after 7 days of inactivity.
Link to free trial


Pricing document View uploaded document
Skills Framework for the Information Age rate card View uploaded document
Service definition document View uploaded document
Terms and conditions document View uploaded document
Return to top ↑