MyLife Digital Limited

Consentric by MyLife Digital

Consentric by MyLife Digital is a cloud-based permissions and consent management system which enables organisations to manage the permissions of the consumers and citizens they interact with. It helps organisations demonstrate compliance with personal-data legislation. It is fully configurable and easy to integrate, with user interfaces which show what personal data is held and for what purpose.

Features

  • Consent and Permissions management with CRM and other organisational systems
  • Pre-configured connector for Salesforce Installations
  • Bulk import of existing citizen consent and permission datasets
  • Self-service preference management via email, web or custom application
  • Full audit trail of consent and permissions for GDPR compliance
  • Pre-configured consent matrices for ease of implementation
  • Granular-level consent and permissions capabilities
  • Supports population-scale citizen volumes
  • Security risk reduced, as Privacy by Design is built in
  • Data security assured, delivered by an ISO 27001 compliant provider

Benefits

  • Demonstrates compliance in providing an auditable record for GDPR
  • Handles all GDPR's 6 lawful bases for personal data processing
  • Provides a single source of data permissions across your organisation
  • Reduced costs and overhead for processing consent and permission changes
  • Ease of integration with all organisational systems using open APIs
  • Allows organisations to re-connect with non-consented consumers
  • To ensure GDPR compliance, all changes are logged and auditable
  • Connects to email and other platforms that look up consent
  • Cloud platform with customer user interfaces that are highly configurable
  • Manage privacy information across all digital touch-points

Pricing

£0.002 to £0.008 per user per month

Service documents

Framework

G-Cloud 11

Service ID

414865336810600

Contact

MyLife Digital Limited

Katie Bates

01225 636280

kbates@mylifedigital.co.uk

Service scope

Software add-on or extension: No
Cloud deployment model: Public cloud
Service constraints: Whilst using our platform you must not use the Consentric services in any way that may cause damage to the service or make it unavailable. Any use of the Consentric platform must be lawful, legal and not fraudulent or harmful in any way.
System requirements:
  • HTTP 1.1
  • TLS v1.2
  • Content type application/json
  • Authorisation with Bearer Token

User support

Email or online ticketing support: Email or online ticketing
Support response times: The Service Desk provides 1st and 2nd line support between the hours of 09:00 and 17:30, Monday to Friday, with an out-of-hours on-call number for emergency P1 issues. 3rd line support is provided by Engineering teams and service providers who provide the same service commitment.
User can manage status and priority of support tickets: No
Phone support: Yes
Phone support availability: 9 to 5 (UK time), Monday to Friday
Web chat support: No
Onsite support: Yes, at extra cost
Support levels: User support is provided by a Technical Service Desk providing 1st and 2nd line support with a high first-time fix rate. It provides a single point of contact for all support requests, logging each one in a service desk tool and adhering to SLAs based on a priority matrix and response/resolution times. It manages all contacts on behalf of the requestor, escalating to and liaising with the relevant 3rd line teams to ensure a timely response that meets user expectations. It also coordinates all service communications (e.g. downtime, feature releases), ensuring concise and easily understood messages are conveyed to users.

In addition, a dedicated Service Manager ensures all clients receive the agreed service package and commitment, following reactive, preventive and proactive maintenance to ensure outstanding quality of service, using service reporting on Availability, Maintainability, Reliability, Stability, Performance and Security to drive a continuous service improvement programme.

All support teams are governed by a well-adopted ITIL v3 framework, ensuring a consistent and guaranteed level of support is provided. This includes a comprehensive Major Incident and Security Incident procedure, which is not only designed for a quick response but ensures any resource across the entire business is available to support the resolution.
Support available to third parties: Yes

Onboarding and offboarding

Getting started: MyLife Digital (MLD) works with the following training approaches and can tailor them depending on what is most appropriate to client users and business processes:
  • Train the trainer – 1-on-1 training for Super Users can be delivered at customer offices or from MLD's HQ in Bath.
  • Role-based end user training – specific training courses tailored to individual teams, which can be delivered face-to-face or via webinars.
  • Documentation – end user guides and developer documentation are provided for reference.
  • Floor walking – MLD can provide a trainer onsite during ‘go live’ to help users during the initial few days.
  • Staff induction – MLD can provide materials to be used for training new staff members.
  • E-learning modules – MLD can create e-learning modules for specific use cases.
Service documentation: Yes
Documentation formats: PDF
End-of-contract data extraction: If the contract is terminated, MyLife Digital (MLD) will return all data, and there will be a defined period (for example, three months) within which copies shall be maintained as a backup of the data transferred to the customer, after which all data will be destroyed and certification of destruction provided to the customer. MLD also maintains a Register of Records for internal information asset management purposes, which specifies the retention periods applicable to each data type. The retention periods take into consideration whether there is an ongoing legitimate purpose for holding the data; personal data shall not be kept for longer than is necessary for the agreed specified purpose. An appropriate data retention time limit will be agreed as part of the contractual agreement.
End-of-contract process: If the contract is terminated, MyLife Digital (MLD) will return all data, and there will be a defined period (for example, three months) within which copies shall be maintained as a backup of the data transferred to the customer, after which all data will be destroyed and certification of destruction provided to the customer. MLD also maintains a Register of Records for internal information asset management purposes, which specifies the retention periods applicable to each data type. The retention periods take into consideration whether there is an ongoing legitimate purpose for holding the data; personal data shall not be kept for longer than is necessary for the agreed specified purpose. An appropriate data retention time limit will be agreed as part of the contractual agreement.

At the point of termination the customer can extract their data over the API. The data stored on the Permissions platform will then be deleted.

Using the service

Web browser interface: Yes
Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
Application to install: No
Designed for use on mobile devices: Yes
Differences between the mobile and desktop service: Our Citizen user interface is optimised for viewing in a mobile device browser. It allows customers/citizens to self-manage their consents, permissions and other data rights under the GDPR, which are stored in our Consentric platform.
Service interface: No
API: Yes
What users can and can't do using the API: The Consentric API is updated on a daily basis. It gives customers access to their own application within Consentric, where they can interrogate the endpoints to retrieve consent and permissions data on their customers. This data can then be passed to downstream applications (marketing, CRM, CMS, etc.) for a variety of business processes to utilise.
API documentation: Yes
API documentation formats:
  • Open API (also known as Swagger)
  • PDF
API sandbox or test environment: Yes
Customisation available: Yes
Description of customisation: The permissions matrix itself can be customised to fit a client's needs for capturing consents and permissions. The available user interfaces can also be customised to ensure a seamless customer journey is preserved when integrating with existing systems. Privacy information which needs to be displayed at data capture points can also be customised and maintained via the Consentric administration portal and pushed out to all digital touch points via a widget.

Scaling

Independence of resources: Our microservice architecture efficiently distributes load over horizontally scaled, cloud-hosted VMs, with monitoring and resource orchestration to ensure quality of service for multi-tenant users.

Analytics

Service usage metrics: Yes
Metrics types: Service reporting is based on the following metrics, on a monthly frequency (although this will be discussed and agreed with the client): availability and service uptime levels.
Reporting types: Regular reports

Resellers

Supplier type: Not a reseller

Staff security

Staff security clearance: Other security clearance
Government security clearance: Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Knowledge of data storage and processing locations: Yes
Data storage and processing locations: United Kingdom
User control over data storage and processing locations: No
Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency: At least every 6 months
Penetration testing approach: Another external penetration testing organisation
Protecting data at rest:
  • Physical access control, complying with CSA CCM v3.0
  • Other
Other data at rest protection approach: MLD is a UK company operating entirely within the jurisdiction of UK law; therefore all customer data is processed in compliance with all applicable UK law, including the Data Protection Act 1998. MLD is also prepared for legislative changes, and the Consentric Platform conforms to the GDPR ahead of its introduction in 2018.
Data sanitisation process: Yes
Data sanitisation type:
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach: Customers are able to export the data stored in their applications in a number of ways:
  • Over the API
  • CSV file download
Data export formats: CSV
Data import formats: Other
Other data import formats: JSON

Data-in-transit protection

Data protection between buyer and supplier networks: TLS (version 1.2 or above)
Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability: MyLife Digital (MLD) will aim to provide at least a 99.9% uptime service availability level (Uptime Service Level) to all services within the agreed Service Level Grouping. MLD will publish service availability compared to the service level. This will ensure availability monitoring is accurate and reflective of the client experience. MLD deploys measures to ensure sufficient resilience, i.e. so that a service may remain available even when a service component is unavailable.
Approach to resilience: MLD services are hosted in two highly secure UK data centres and adjacent UK operations centres, separated by more than 100 km for excellent geo-resilience while maintaining UK sovereignty.
Outage reporting: As part of the Technical Service Desk function, all service communications are sent to users reporting any outages, the action taken and the resolution applied. Throughout an outage, regular updates will be sent ensuring the user is aware of the situation.

Identity and authentication

User authentication needed: Yes
User authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
Access restrictions in management interfaces and support channels: JWT-based authentication following OAuth 2.0 flows is used to authorise access to all data. Citizen data is partitioned in our databases by application. Our APIs validate which applications a client or user is allowed to access before servicing a request; an HTTP 403 (Forbidden) response is returned if access is attempted to a resource the user is not allowed to access. As our user interfaces use our own APIs, they have the same protections. TLS (version 1.2) or SSL-encrypted sessions protect MLD services.
Access restriction testing frequency: At least every 6 months
Management access authentication: Other
Description of management access authentication: We use the Auth0 service for our authentication, which can support connections to enterprise systems via SAML 2.0, LDAP, database and social connections.

Audit information for users

Access to user activity audit information: Users have access to real-time audit information
How long user audit data is stored for: At least 12 months
Access to supplier activity audit information: Users have access to real-time audit information
How long supplier audit data is stored for: At least 12 months
How long system logs are stored for: At least 12 months

Standards and certifications

ISO/IEC 27001 certification: Yes
Who accredited the ISO/IEC 27001: LRQA
ISO/IEC 27001 accreditation date: 09/02/2017
What the ISO/IEC 27001 doesn’t cover: Nothing. The scope of the MyLife Digital Information Security Management System is the whole company, with no exclusions.
ISO 28000:2007 certification: No
CSA STAR certification: No
PCI certification: No
Other security certifications: No

Security governance

Named board-level person responsible for service security: Yes
Security governance certified: Yes
Security governance standards: ISO/IEC 27001
Information security policies and processes: MLD is ISO/IEC 27001:2013 (ISO 27001) certified and holds the Cyber Essentials certification.

MLD has a highly effective ISMS in place, with a documented set of policies, procedures, security controls and risk assessments for all MLD information assets. The MLD Information Security Policy, at the highest level, sets out how MLD manages the design, implementation and management of the ISMS, ensuring that all information assets are properly identified, recorded and managed, and afforded suitable Confidentiality, Integrity and Availability protection at all times.

All employees receive Information Security training upon induction and annual refresher training thereafter; attendance is tracked, along with completion of a test of their understanding of the key elements.

Operational security

Configuration and change management standard: Supplier-defined controls
Configuration and change management approach: MyLife Digital has documented configuration and change management processes; these have been implemented in accordance with the guidance from ITIL v3 and the current ISO 20000 standard. Formal configuration management and asset reporting is validated every day, and a robust process for change requests leads to formal Change Advisory Board assessments.
Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach: MyLife Digital (MLD) has a documented vulnerability management policy and process that have been implemented, maintained and assessed in accordance with the guidance from ITIL v3 and the ISO 27001 standards. Real-time updates and status reports are identified and sourced from credible vendor sources that cover a significant proportion of MLD's asset population; for example, all derived artefacts are scanned for known CVEs via automated processes in the continuous delivery pipeline. We work with external security companies to provide us with a feed of known and zero-day exploits that are pertinent to our software and infrastructure.
Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach: Building upon the foundation of UK Cloud's enhanced protective monitoring services (SIEM), the Consentric Permissions platform utilises both proactive real-time monitoring and retention of log files in an isolated immutable data lake. GPG-13 PMC1-9 controls are used at various touch points and boundaries to provide real-time information and then alerting (immediately, via a number of channels) if suspicious activity falls outside the defined scope of normal behaviour. For further analysis of a potential issue, the isolated immutable data lake can be interrogated; it stores data from all operational tiers of the architecture in a fast, searchable format.
Incident management type: Conforms to a recognised standard, for example CSA CCM v3.0, ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach: All incidents are reported to the Technical Service Desk and as such are logged in the Service Desk tool with a unique reference. Email and telephone support is available depending on the agreed service package. All contacts are verified for authenticity to ensure the individual reporting the incident is genuine. Incident assessment, categorisation and diagnosis will then follow, ensuring all actions are tracked within the ticket and within the desired response and resolution time. Categorisation will ensure the reported incident is (a) actually an incident, (b) assigned its correct priority and (c) given some assessment of the ease of resolution.

Secure development

Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks: No

Pricing

Price: £0.002 to £0.008 per user per month
Discount for educational organisations: Yes
Free trial available: Yes
Description of free trial: 30-day free trial with a pre-configured consent matrix and form for GDPR-compliant consent recording.
Link to free trial: www.consentric.io
