Identity as a service

Citizen grows customer engagement and combats fraud by frictionlessly validating identity.

We leverage mobile biometric technology to provide safer, seamless online experiences, ensuring strong cyber security and reducing abandonment.

Our consent platform ensures that the GDPR regulation drives business value, whilst helping customers gain control over their personal data universe.


  • Identity as a service
  • Fraud reduction
  • Passwordless login
  • Biometric authentication
  • Consent framework for GDPR compliance
  • Geo-fencing for mobile proximity checking
  • Cryptographic exchange for personal identity & documents


  • Regulatory compliance for GDPR
  • Identity validation for deeper consumer insight
  • Biometric validation of consumer identity
  • Frictionless access to services - one click registration
  • Secure exchange of personal information and documents
  • Legitimate, qualified consumer information
  • Portable identity that can be reused across services
  • Modern API & developer tools for deep integration


£100 per user per month

  • Free trial available

G-Cloud 9



James Neville

+44 13 1322 0999

Service scope

Software add-on or extension: Yes, but can also be used as a standalone service
What software services is the service an extension to: Citizen can be integrated with any system that provides or consumes personal identity.

We are currently integrating our service with e-commerce and HR providers.
Cloud deployment model: Public cloud
Service constraints: Use of our services and APIs requires nothing more than standard browsers & smart phones.

Our biometric services depend on the end user device containing a camera and fingerprint reader.
System requirements: No sharing of API keys across services

User support

Email or online ticketing support: Email or online ticketing
Support response times: 9-6 UK business hours within 2 hours
Outside of business hours best endeavours

OOH Enterprise support is available under separate contracts.
User can manage status and priority of support tickets: Yes
Online ticketing support accessibility: None or don’t know
Phone support: Yes
Phone support availability: 9 to 5 (UK time), Monday to Friday
Web chat support: No
Onsite support: Yes, at extra cost
Support levels: 9-6 UK business hours within 2 hours
Outside of business hours best endeavours.

Enterprise support is available under separate contracts (TBD).
This typically includes a direct engineering contact for the purpose of resolution.

Customers on the pay plan (£100/m+) get 2 hours/month direct access to our engineering teams, more with higher tiers.
Support available to third parties: Yes

Onboarding and offboarding

Getting started: We provide contextual help in both our web and mobile platforms.
Enterprise support hours may include group training sessions.

Our technical documentation is here, which describes how to access the service programmatically:
Service documentation: Yes
Documentation formats:
  • HTML
  • PDF
End-of-contract data extraction: All of the data in the service can be extracted as JSON using our API.
We provide open access to our customers' data at all times.
End-of-contract process: Data for the service will be automatically removed after 28 days, unless the business requests immediate removal.

Using the service

Web browser interface: Yes
Supported browsers:
  • Internet Explorer 9
  • Internet Explorer 10+
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install: Yes
Compatible operating systems:
  • Android
  • iOS
Designed for use on mobile devices: Yes
Differences between the mobile and desktop service: Our platform is entirely web based.

The B2B web service is a dashboard for GDPR and consensually granted cryptographic tokens. This also works across devices.

Mobile apps are consumer focussed, allowing the update and management of personal information.
Accessibility standards: WCAG 2.0 AAA
Accessibility testing: Our mobile apps leverage existing WCAG standards across the Android and iOS operating systems.
What users can and can't do using the API:
Users - manage user accounts
Persons - manage personal information
Documents - manage documents
Tokens - exchange & consent to identity exchanges
Sessions - authenticate with the service via password, bio or OAuth

A full description is available via our developer site:-
API documentation: Yes
API documentation formats:
  • HTML
  • PDF
  • Other
API sandbox or test environment: Yes
Customisation available: Yes
Description of customisation: We provide SDKs and plugins for most major software languages (web and mobile) to provide an open ecosystem to developers, integrators and third parties.


Independence of resources: We autoscale our services to provide a stable, repeatable service response for all of our customers on the live API.


Service usage metrics: Yes
Metrics types:
Identity token stored
Tokens by status
Tokens by date granted
Tokens by remaining time/data
Token access by consumer/entire business, over time
API calls/month
Reporting types:
  • API access
  • Real-time dashboards


Supplier type: Not a reseller

Staff security

Staff security clearance: Other security clearance
Government security clearance: Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations: Yes
Data storage and processing locations:
  • United Kingdom
  • European Economic Area (EEA)
User control over data storage and processing locations: Yes
Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency: At least every 6 months
Penetration testing approach: Another external penetration testing organisation
Protecting data at rest:
  • Physical access control, complying with CSA CCM v3.0
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
Data sanitisation process: Yes
Data sanitisation type: Deleted data can’t be directly accessed
Equipment disposal approach: A third-party destruction service

Data importing and exporting

Data export approach: JSON over an API call.
Data export formats: Other
Other data export formats: JSON
Data import formats:
  • CSV
  • Other
Other data import formats: JSON

Data-in-transit protection

Data protection between buyer and supplier networks:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
Data protection within supplier network:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Other
Other protection within supplier network: All data on the Citizen network is encrypted from consumer to endpoint, with all services connected via SSL.

We only store encrypted data on our repositories, and do not store key copies. This means that we cannot decrypt or view any data on our own network.

Availability and resilience

Guaranteed availability: 99.5% SLA over our API, excluding scheduled downtime (24 hours notice, OOH). Each 0.1% lower than our SLA receives a 10% rebate on monthly fee.
Approach to resilience: We provide internal DDoS protection, using multiple horizontally scaled servers that autoscale on demand. Additionally, our service runs across two countries, across three data centres in each.

More information is available on request.
Outage reporting: We provide a service status dashboard.
Severe events may also be communicated via email & Twitter.

Identity and authentication

User authentication needed: Yes
User authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password
Access restrictions in management interfaces and support channels: Mobile and biometric 3 factor authentication.
Access restriction testing frequency: At least every 6 months
Management access authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password

Audit information for users

Access to user activity audit information: Users have access to real-time audit information
How long user audit data is stored for: User-defined
Access to supplier activity audit information: Users contact the support team to get audit information
How long supplier audit data is stored for: User-defined
How long system logs are stored for: Between 1 month and 6 months

Standards and certifications

ISO/IEC 27001 certification: Yes
Who accredited the ISO/IEC 27001: Pending
ISO/IEC 27001 accreditation date: Pending
What the ISO/IEC 27001 doesn’t cover: Pending
ISO 28000:2007 certification: No
CSA STAR certification: No
PCI certification: No
Other security accreditations: No

Security governance

Named board-level person responsible for service security: Yes
Security governance accreditation: Yes
Security governance standards: ISO/IEC 27001
Information security policies and processes: All configuration and change management is integrated via DevOps and PaaS management infrastructure.

We restrict access to environments based on role. All changes to these environments are signed off by the acting CSO & technology lead.

Operational security

Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach: All configuration and change management is integrated via DevOps and operational change management.

We run security tests across all deployments, which are promoted through 4 environments before production.
Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach: We are using external services for vulnerability assessments.

Our goals are to provide patches on a severity case basis, with critical patches deployed within hours of awareness.
Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach: We use a combination of WAF and network scanning tools.
Our centralised log collection and monitoring provides escalation workflows to technical leadership for prioritisation.
Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach: Incidents are tracked as tickets in an incident management system and escalated to problem tickets as appropriate.

Secure development

Approach to secure software development best practice: Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks: No


Price: £100 per user per month
Discount for educational organisations: No
Free trial available: Yes
Description of free trial:
Free API access
One business user
Up to 10 users stored
28 day trial period

