Consentric by MyLife Digital
Consentric by MyLife Digital is a cloud-based permissions and consent management system which enables organisations to manage permissions of the consumers and citizens who they interact with. It helps organisations demonstrate compliance with personal-data legislation. Fully-configurable, easy-to-integrate with user interfaces which show what personal data is held and its purpose.
- Consent and Permissions management with CRM and other organisational systems
- Pre-configured connector for Salesforce Installations
- Bulk import of existing citizen consent and permission datasets
- Self-Service Preference management via email web or custom application
- Full audit trail of consent and permissions for GDPR compliance
- Pre-configured consent matrices for ease of implementation
- Granular Level consent and permissions capabilties
- Supports population-scale citizen volumes
- Security risk reduced as has Privacy by Design built-in
- Data security assured delivered by an ISO 27001 compliant provider
- Demonstrates compliance in providing an auditable record for GDPR
- Handles all GDPR's 6 lawful bases for personal data processing
- Provides a single source of data permissions across your organisation
- Reduced costs and overhead for processing consent and permission changes
- Ease of integration with all organisational systems using open APIs
- Allows organisations to re-connect with non-consented consumers
- To ensure GDPR compliance, all changes are logged and auditable
- Connects to email and other platforms that look up consent
- Cloud platform with customer user interfaces that are highly configurable
- Manage privacy information across all digital touch-points
|Software add-on or extension||No|
|Cloud deployment model||Public cloud|
Whilst using our platform you must not use the Consentric services in any way that may cause either damage to the service or make it unavailable.
Any use of the Consentric platform must by lawful, legal and not fraudulent or harmful in any way.
|Email or online ticketing support||Email or online ticketing|
|Support response times||The Service Desk provides 1st and 2nd Line Support between the hours of 09:00 and 17:30 Monday to Friday, with an out of hours on call number for emergency P1 issues. 3rd Line support is provided by Engineering teams and service providers who provide the same service commitment.|
|User can manage status and priority of support tickets||No|
|Phone support availability||9 to 5 (UK time), Monday to Friday|
|Web chat support||No|
|Onsite support||Yes, at extra cost|
User support is provided by a Technical Service Desk providing 1st and 2nd line support with a high first time fix rate. It provides a single point of contact for all support requests, logging each one in a service desk tool, adhering to SLAs based on a priority matrix and response/resolution times. It manages all contacts on behalf of the requestor, escalating and liaising with the relevant 3rd line teams, ensuring a timely response that meets user expectations. They coordinate all Service communications i.e. downtime, feature releases, ensuring concise and easily understood messages are conveyed to users.
In addition, a dedicated Service Manager, ensures all Clients receive the agreed service package and commitment, following reactive, preventive and proactive maintenance to ensure outstanding quality of services, using service reporting on Availability, Maintainability, Reliability, Stability, Performance and Security to drive a continuous service improvement programme.
All support teams are governed by an ITILv3 framework which is will adopted ensuring a consistent and guaranteed level is support is provided. This includes a comprehensive Major Incident and Security Incident procedure, which is not only designed to be quick to respond, but ensures any resource across the entire business, is available to support the resolution.
|Support available to third parties||Yes|
Onboarding and offboarding
MyLife Digital (MLD) work with the following training approaches and can tailor this depending on what is most appropriate to client users and business processes:
Train the trainer – 1 on 1 training for Super Users can be delivered at customer offices or from MLD's HQ in Bath.
Role based end user training – specific training courses tailored to individual teams, which can be delivered face-to-face or via webinars.
Documentation – end user guides and developer documentation are provided for reference.
Floor walking – MLD can provide a trainer onsite during ‘go live’ to help users during initial few days.
Staff induction – MLD can provide materials to be used for training new staff members.
E-learning modules – MLD can create E-learning modules specifically for use cases.
|End-of-contract data extraction||
If the contract is terminated, MyLife Digital (MLD) will return all data and there will be a defined period (for example, three months) within which copies shall be maintained to provide a backup of the data transferred to the customer, after which all data will be destroyed with certification of destruction provided to the customer.
MLD also maintains a Register of Records for internal information asset management purposes, that specifies the retention periods applicable to each data type. The retention periods take into consideration whether there is an ongoing legitimate purpose for holding the data; personal data shall not be kept for longer than is necessary for the agreed specified purpose. An appropriate data retention time limit will be agreed as part of a contractual agreement.
If the contract is terminated, MyLife Digital (MLD) will return all data and there will be a defined period (for example, three months) within which copies shall be maintained to provide a backup of the data transferred to the customer, after which all data will be destroyed with certification of destruction provided to the customer
MLD also maintains a Register of Records for internal information asset, that specifies the retention periods applicable to each type. The retention periods take into consideration whether there is an ongoing legitimate purpose for holding the data; personal data shall not be kept for longer than is necessary for the agreed specified purpose. An appropriate data retention time limit will be agreed as part of a contractual agreement.
At the point of termination the customer can extract their data over the API. The data stored on the Permissions platform will then be deleted.
Using the service
|Web browser interface||Yes|
|Application to install||No|
|Designed for use on mobile devices||Yes|
|Differences between the mobile and desktop service||Our Citizen user interface is optimised for viewing on a mobile device browser. The Citizen user interface allows customers/Citizens to self-manage their consents and permissions and other data rights under the GDPR which are stored in our Consentric platform.|
|What users can and can't do using the API||The Consentric API is updated on a daily basis. It allows customers access to their own application within Consentric where they can interrogate the endpoints to retrieve consent and permissions data on their customers. This can then be passed to other downstream applications for a variety of business processes to then utilise. Marketing, CRM, CMS, etc.|
|API documentation formats||
|API sandbox or test environment||Yes|
|Description of customisation||The permissions matrix itself can be customised to fit a client's needs for capturing consents and permissions. The available user interfaces can also be customised to ensure a seamless customer journey is preserved when integrating with existing systems. Privacy information which needs to be displayed at data capture points can also be customised and maintained via the Consentric administration portal and pushed out to all digital touch points via a widget.|
|Independence of resources||Our microservice architecture efficiently distributes loads over horizontally scaled, cloud hosted VMs, with monitoring and resource orchestration to ensure quality of service for multi-tenant users.|
|Service usage metrics||Yes|
|Metrics types||Service reporting is based on the following metrics, based on a monthly frequency (although this will be discussed and agreed with the client) availability and service uptime levels|
|Reporting types||Regular reports|
|Supplier type||Not a reseller|
|Staff security clearance||Other security clearance|
|Government security clearance||Up to Baseline Personnel Security Standard (BPSS)|
|Knowledge of data storage and processing locations||Yes|
|Data storage and processing locations||United Kingdom|
|User control over data storage and processing locations||No|
|Datacentre security standards||Complies with a recognised standard (for example CSA CCM version 3.0)|
|Penetration testing frequency||At least every 6 months|
|Penetration testing approach||Another external penetration testing organisation|
|Protecting data at rest||
|Other data at rest protection approach||MLD is a UK company operating entirely within the jurisdiction of UK law, therefore all customer data is processed in compliance with all applicable UK law including the Data Protection Act 1998. MLD is also prepared for legislation changes and the Consentric Platform conforms to GDPR ahead of the introduction in 2018.|
|Data sanitisation process||Yes|
|Data sanitisation type||
|Equipment disposal approach||Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001|
Data importing and exporting
|Data export approach||
Customers are able to export the data stored in their applications in a number of ways.
- Over the API
- CSV file download.
|Data export formats||CSV|
|Data import formats||Other|
|Other data import formats||JSON|
|Data protection between buyer and supplier networks||TLS (version 1.2 or above)|
|Data protection within supplier network||TLS (version 1.2 or above)|
Availability and resilience
MyLife Digital (MLD) will aim to provide at least a 99.9% uptime service availability level (Uptime Service Level) to all services within the agreed Service Level Grouping.
MLD will publish service availability compared to the service level. This will ensure availability monitoring is accurate and reflective of the client experience. MLD deploy measures to ensure sufficient resilience i.e. a service may be available but a service component is unavailable.
|Approach to resilience||MLD services are hosted in two highly secure UK data centres and adjacent UK operations centres, separated by more than 100 km for excellent geo-resilience while maintaining UK sovereignty.|
|Outage reporting||As part of the Technical Service Desk function, all service communications are sent to users reporting any outages, the action taken and the resolution applied. Throughout an outage, regular updates will be sent ensuring the user is aware of the situation.|
Identity and authentication
|User authentication needed||Yes|
|Access restrictions in management interfaces and support channels||JWT based authentication is used following OAuth-2.0 flows, which is used to authorise access to all data. Citizen data is partitioned in our databases by application. Our APIs validate that applications that a client or user is allowed to access prior to servicing a request. An HTTP 403 (forbidden) response is returned if access is attempted to a resource that the user is not allowed access to. As our user interfaces use our own APIs they have the same protections. TLS (version 1.2) or SSL-encrypted sessions protect MLD services|
|Access restriction testing frequency||At least every 6 months|
|Management access authentication||Other|
|Description of management access authentication||We use the Auth0 service for our authentication, which can support connections to enterprise systems with SAML2.0, LDAP, Database and social connections|
Audit information for users
|Access to user activity audit information||Users have access to real-time audit information|
|How long user audit data is stored for||At least 12 months|
|Access to supplier activity audit information||Users have access to real-time audit information|
|How long supplier audit data is stored for||At least 12 months|
|How long system logs are stored for||At least 12 months|
Standards and certifications
|ISO/IEC 27001 certification||Yes|
|Who accredited the ISO/IEC 27001||LRQA|
|ISO/IEC 27001 accreditation date||09/02/2017|
|What the ISO/IEC 27001 doesn’t cover||Nothing. The scope of the MyLife Digital Information Security Management System is the whole company, with no exclusions.|
|ISO 28000:2007 certification||No|
|CSA STAR certification||No|
|Other security certifications||No|
|Named board-level person responsible for service security||Yes|
|Security governance certified||Yes|
|Security governance standards||ISO/IEC 27001|
|Information security policies and processes||
MLD is ISO/IEC 27001:2013 (ISO 27001) certified and holds the Cyber Essentials certification.
MLD has a highly effective ISMS in place, with a documented set of policies, procedures, security controls and risk assessments for all MLD information assets. The MLD Information Security Policy, at the highest level, sets out how MLD manages the design, implementation and management of the ISMS, ensuring that all information assets are properly identified, recorded and managed, and afforded suitable Confidentiality, Integrity and Availability protection at all times.
All employees receive Information Security induction training upon induction and annual refresher training thereafter, of which attendance is tracked along with completion of a test of their understanding of the key elements.
|Configuration and change management standard||Supplier-defined controls|
|Configuration and change management approach||MyLife Digital has documented configuration and change management processes, these have been implemented in accordance with the guidance from ITIL v.3 and the current ISO20000 standard. Formal configuration management and asset reporting is validated every day, and a robust process for change requests .leads to formal Change Advisory Board assessments.|
|Vulnerability management type||Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402|
|Vulnerability management approach||MyLife Digital (MLD) has a documented vulnerability management policy and process that have been implemented, maintained and assessed in accordance with the guidance from ITIL v.3 and ISO27001 standards. Real-time updates and status reports are identified and sourced from credible vendor sources that cover a significant proportion of MLD's asset population. For example, scanning of all derived artefacts for known CVE's via automated processes in the continuous delivery pipeline. We work with external security companies to provide us a feed of known and zero day exploits that are pertinent to our software and infrastructure.|
|Protective monitoring type||Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402|
|Protective monitoring approach||Building upon the foundation of UK Clouds enhanced protective monitoring services (SIEM), the Consentric Permissions platform utilises both proactive real-time monitoring and retention of log files via an isolated immutable data lake. GPG-13 PMC1-9 controls are used on various touch points and boundaries to provide real-time information and then alerting (immediately via a number of channels) if suspicious activity outside the defined scope of normal behaviour is breached . For further analytics into a potential issue, an isolated immutable data lake can be interrogated. This stores data from all operations tiers of the architecture in a fast searchable format.|
|Incident management type||Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402|
|Incident management approach||
All incidents are reported to the Technical Service Desk and as such are logged in the Service Desk tool with a unique reference. Email and telephone support is available depending on the Incident agreed service package. All contacts are verified for authenticate to ensure the individual reporting the incident is genuine. Incident assessment, categorisation and diagnosis will then follow, ensuring all actions are tracked within the ticket, and within the desired response and
resolution time. Categorisation will ensure the reported incident is (a) actually an incident, (b) its correct priority and (c) some assessment of the ease of resolution.
|Approach to secure software development best practice||Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)|
Public sector networks
|Connection to public sector networks||No|
|Price||£0.002 to £0.008 per user per month|
|Discount for educational organisations||Yes|
|Free trial available||Yes|
|Description of free trial||30 day free trial with pre-configured consent matrix and form for GDPR compliant consent recording.|
|Link to free trial||Www.consentric.io|