Citizen grows customer engagement and combats fraud by frictionlessly validating identity.
We leverage mobile biometric technology to provide safer, seamless online experiences, ensuring strong cyber security and reducing abandonment.
Our consent platform ensures that the GDPR regulation drives business value, whilst helping customers gain control over their personal data universe.
- Identity as a service
- Fraud reduction
- Passwordless login
- Biometric authentication
- Consent framework for GDPR compliance
- Geo-fencing for mobile proximity checking
- Cryptographic exchange for personal identity & documents
- Regulatory compliance for GDPR
- Identity validation for deeper consumer insight
- Biometric validation of consumer identity
- Frictionless access to services - one click registration
- Secure exchange of personal information and documents
- Legitimate, qualified consumer information
- Portable identity that can be reused across services
- Modern API & developer tools for deep integration
£100 per user per month
- Free trial available
+44 13 1322 0999
|Software add-on or extension||Yes, but can also be used as a standalone service|
|What software services is the service an extension to||
Citizen can be integrated with any system that provides or consumes personal identity.
We are currently integrating our service to e-commerce and HR providers.
|Cloud deployment model||Public cloud|
Use of our services and APIs requires nothing more than standard browsers & smart phones.
Our biometric services depend on the end user device containing a camera and fingerprint reader.
|System requirements||No sharing of API keys across services|
|Email or online ticketing support||Email or online ticketing|
|Support response times||
9-6 UK business hours within 2 hours
Outside of business hours best endeavours
OOH Enterprise support is available under separate contracts.
|User can manage status and priority of support tickets||Yes|
|Online ticketing support accessibility||None or don’t know|
|Phone support availability||9 to 5 (UK time), Monday to Friday|
|Web chat support||No|
|Onsite support||Yes, at extra cost|
9-6 UK business hours within 2 hours
Outside of business hours best endeavours.
Enterprise support is available under separate contracts (TBD).
This typically includes a direct engineering contact for the purpose of resolution.
Customers on the pay plan (£100/m+) get 2 hours/month direct access to our engineering teams, more with higher tiers.
|Support available to third parties||Yes|
Onboarding and offboarding
We provide contextual help in both our web and mobile platforms.
Enterprise support hours may include group training sessions.
Our technical documentation is here, which describes how to access the service programmatically:
|End-of-contract data extraction||
All of the data in service can be extracted as JSON using our API.
We provide open access to our customers' data at all times.
|End-of-contract process||Data for the service will be automatically removed after 28 days, unless the business requests immediate removal.|
Using the service
|Web browser interface||Yes|
|Application to install||Yes|
|Compatible operating systems||
|Designed for use on mobile devices||Yes|
|Differences between the mobile and desktop service||
Our platform is entirely web based.
The B2B web service is a dashboard for GDPR and consensually granted cryptographic tokens. This also works across devices.
Mobile apps are consumer focussed, allowing the update and management of personal information.
|Accessibility standards||WCAG 2.0 AAA|
|Accessibility testing||Our mobile apps leverage existing WCAG standards across the Android and iOS operating systems.|
|What users can and can't do using the API||
Users - manage user accounts
Persons - manage personal information
Documents - manage documents
Tokens - exchange & consent to identity exchanges
Sessions - authenticate with the service via password, bio or oauth
A full description is available via our developer site:
|API documentation formats||
|API sandbox or test environment||Yes|
|Description of customisation||We provide SDKs and plugins for most major software languages (web and mobile) to provide an open eco-system to developers, integrators and third parties.|
|Independence of resources||We autoscale our services to provide a stable, repeatable service response for all of our customers on the live API.|
|Service usage metrics||Yes|
Identity token stored
Tokens by status
Tokens by date granted
Tokens by remaining time/data
Token access by consumer/entire business, over time
|Supplier type||Not a reseller|
|Staff security clearance||Other security clearance|
|Government security clearance||Up to Security Clearance (SC)|
|Knowledge of data storage and processing locations||Yes|
|Data storage and processing locations||
|User control over data storage and processing locations||Yes|
|Datacentre security standards||Complies with a recognised standard (for example CSA CCM version 3.0)|
|Penetration testing frequency||At least every 6 months|
|Penetration testing approach||Another external penetration testing organisation|
|Protecting data at rest||
|Data sanitisation process||Yes|
|Data sanitisation type||Deleted data can’t be directly accessed|
|Equipment disposal approach||A third-party destruction service|
Data importing and exporting
|Data export approach||JSON over an API call.|
|Data export formats||Other|
|Other data export formats||JSON|
|Data import formats||
|Other data import formats||JSON|
|Data protection between buyer and supplier networks||
|Data protection within supplier network||
|Other protection within supplier network||
All data on the Citizen network is encrypted from consumer to endpoint, with all services connected via SSL.
We only store encrypted data on our repositories, and do not store key copies. This means that we cannot decrypt or view any data on our own network.
Availability and resilience
|Guaranteed availability||99.5% SLA over our API, excluding scheduled downtime (24 hours notice, OOH). Each 0.1% lower than our SLA receives a 10% rebate on monthly fee.|
|Approach to resilience||
We provide internal DDoS protection, using multiple horizontally scaled servers that autoscale on demand. Additionally, our service runs across two countries, across three data centres in each.
More information is available on request.
We provide a service status dashboard.
Severe events may also be communicated via email & Twitter.
Identity and authentication
|User authentication needed||Yes|
|Access restrictions in management interfaces and support channels||Mobile and biometric 3 factor authentication.|
|Access restriction testing frequency||At least every 6 months|
|Management access authentication||
Audit information for users
|Access to user activity audit information||Users have access to real-time audit information|
|How long user audit data is stored for||User-defined|
|Access to supplier activity audit information||Users contact the support team to get audit information|
|How long supplier audit data is stored for||User-defined|
|How long system logs are stored for||Between 1 month and 6 months|
Standards and certifications
|ISO/IEC 27001 certification||Yes|
|Who accredited the ISO/IEC 27001||Pending|
|ISO/IEC 27001 accreditation date||Pending|
|What the ISO/IEC 27001 doesn’t cover||Pending|
|ISO 28000:2007 certification||No|
|CSA STAR certification||No|
|Other security accreditations||No|
|Named board-level person responsible for service security||Yes|
|Security governance accreditation||Yes|
|Security governance standards||ISO/IEC 27001|
|Information security policies and processes||
All configuration and change management is integrated via DevOps and PaaS management infrastructure.
We restrict access to environments based on role. All changes to these environments are signed off by the acting CSO & technology lead.
|Configuration and change management standard||Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402|
|Configuration and change management approach||
All configuration and change management is integrated via DevOps and operational change management.
We run security tests across all deployments, which are promoted through 4 environments before production.
|Vulnerability management type||Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402|
|Vulnerability management approach||
We are using external services for vulnerability assessments.
Our goals are to provide patches on a severity case basis, with critical patches deployed within hours of awareness.
|Protective monitoring type||Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402|
|Protective monitoring approach||
We use a combination of WAF and network scanning tools.
Our centralised log collection and monitoring provides escalation workflows to technical leadership for prioritisation.
|Incident management type||Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402|
|Incident management approach||Incidents are tracked as tickets in an incident management system and escalated to problem tickets as appropriate.|
|Approach to secure software development best practice||Conforms to a recognised standard, but self-assessed|
Public sector networks
|Connection to public sector networks||No|
|Price||£100 per user per month|
|Discount for educational organisations||No|
|Free trial available||Yes|
|Description of free trial||
Free API access
One business user
Up to 10 users stored
28 day trial period
|Pricing document||View uploaded document|
|Terms and conditions document||View uploaded document|