ReadID - Innovalor Software B.V.

ReadID - Identity Document verification

ReadID makes it possible to verify the authenticity of identity documents using a mobile phone. ReadID uses the NFC capability to read the RFID chip present in passports and similar identity documents.

ReadID is simple and secure. ReadID is provided as a mobile SDK or as a white-label app.


  • Mobile verification of passport, ID cards and similar identification documents
  • Unequivocal confirmation of the authenticity of identification documents
  • Straight through processing
  • No manual input mistakes
  • High-resolution face image from the chip
  • Used by, among others, banks and police organizations
  • Powerful APIs/SDK available to build your own app
  • Or alternatively: a ready-to-use white-label app
  • Server-side (REST) APIs to get access to verification results


  • Verification of identification documents can take place anywhere and anytime
  • Easy and quick to use
  • Secure and safe to use
  • Reduce look-a-like fraud because of high-resolution face image
  • Full control over customer journey


£1 per transaction per month

  • Free trial available

Service documents

G-Cloud 10


ReadID - Innovalor Software B.V.

Maarten Wegdam

+31 6 51993485

Service scope

Software add-on or extension No
Cloud deployment model Public cloud
Service constraints At this point the service is available on NFC-equipped Android-based phones/tablets only.

Service will become available on iOS once Apple opens up the NFC antenna (for ISO 14443) to be used by third party software providers. We can use external readers on iOS (in beta, not detailed in the service description and pricing yet).
System requirements
  • Android mobile phones/tablets with NFC
  • Android version 5 and up

User support

Email or online ticketing support Email or online ticketing
Support response times Depends on priority.

There is 24x7 response for high-priority incidents.
User can manage status and priority of support tickets Yes
Online ticketing support accessibility None or don’t know
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support No
Onsite support No
Support levels There are generic support channels (email, phone).
Support is included in the price. Additional professional services are available at a day rate.
Each customer will get a primary technical contact during the implementation phase; if desired, this can continue after the implementation phase.
Support available to third parties Yes

Onboarding and offboarding

Getting started If the SDK is used, the buyer has full control over the functionality and UX of the app, and thus has to provide its own user documentation.

For the white label app there is user documentation.

We can provide online and onsite user training if needed.

Of course, we provide developer documentation to explain our APIs.
Service documentation Yes
Documentation formats
  • HTML
  • PDF
  • Other
Other documentation formats Sample code in several programming languages
End-of-contract data extraction The ReadID server API allows extraction of all identity document data.

The ReadID servers only cache the identity document information, i.e., we do not provide long-term storage since we do not want to have access to this highly privacy-sensitive information for a longer period. The data is thus also extracted during the contract.

Audit information can be extracted at the end of the contract at an additional cost.
End-of-contract process There are no additional costs.

Access to the API is removed. The buyer will have to stop using the SDK/libraries on the date the contract ends.

Using the service

Web browser interface No
Application to install Yes
Compatible operating systems Android
Designed for use on mobile devices Yes
Differences between the mobile and desktop service Only a mobile version of the service is available, as the solution is mobile. No desktop solution is available or planned, as it does not fit the service's purpose.

There is a desktop (browser) based management portal for the service, but this is only for the buyer to manage the service, not to use the service.
Accessibility standards None or don’t know
Description of accessibility The service provides a mobile SDK (APIs) that allows the buyer to build their own app. Thus the buyer has control over the accessibility.
Accessibility testing Not applicable.
What users can and can't do using the API There is a client-side API, i.e., to implement a mobile app. This can call the Machine Readable Zone scanning functionality and the NFC functionality.

There is a server-side API to get the results of the identity document verification.
API documentation Yes
API documentation formats
  • HTML
  • PDF
  • Other
API sandbox or test environment Yes
Customisation available Yes
Description of customisation ReadID can be considered a toolbox; the buyer can determine how to use it, e.g., how to implement the UX and which security mechanisms to use.


Independence of resources ReadID can process many transactions simultaneously, and is built to scale horizontally and vertically, i.e., we can use more or faster computing resources to scale the service. ReadID does auto-scaling.

If desired, we can create a separate environment for a buyer with relatively little effort. There is an additional cost for this, which depends on the sizing of this environment.


Service usage metrics Yes
Metrics types Metrics on ReadID's operations are supplied via an online management portal in which the buyer can see information such as the number of transactions executed per period of time (hour, day, month, year, etc.) and audit logs.
Reporting types Real-time dashboards


Supplier type Not a reseller

Staff security

Staff security clearance Other security clearance
Government security clearance Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
User control over data storage and processing locations Yes
Datacentre security standards Supplier-defined controls
Penetration testing frequency At least every 6 months
Penetration testing approach Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
Data sanitisation process Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach Identity document data is exported via the provided API.
Alternatively, the management portal allows manual export (JSON, XML or signed PDF).

Billing data is exported via the management portal, as CSV.
Data export formats
  • CSV
  • Other
Other data export formats
  • JSON
  • XML
  • PDF
Data import formats Other
Other data import formats Not applicable

Data-in-transit protection

Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • Legacy SSL and TLS (under version 1.2)
Data protection within supplier network TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability We offer a 99.5% availability in our default SLA.
Approach to resilience We use a combination of
- Several servers that are stateless and automatically restart if unhealthy
- Redundant database
- Several availability zones
Outage reporting We monitor the service via different means, including automated end-to-end tests. If there is an outage, the customer is notified via email.

We are working on an API and dashboard.

Identity and authentication

User authentication needed Yes
User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Dedicated link (for example VPN)
  • Username or password
Access restrictions in management interfaces and support channels For the management interface two-factor authentication is used.

For the support channel one-factor authentication is used.
Access restriction testing frequency At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for At least 12 months
Access to supplier activity audit information Users have access to real-time audit information
How long supplier audit data is stored for At least 12 months
How long system logs are stored for At least 12 months

Standards and certifications

ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 Dekra Certification B.V.
ISO/IEC 27001 accreditation date 20/02/2018
What the ISO/IEC 27001 doesn’t cover In the Statement of Applicability we only excluded A.14.2.7 on outsourcing of software development, since we do not do this.
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications No

Security governance

Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards ISO/IEC 27001
Information security policies and processes Important roles for the security policies are a CISO and DPO.

Our ISO 27001 ISMS and security documentation details the information security policies and processes, including internal and external audits to check whether they are properly followed. Details are available upon request.

Operational security

Configuration and change management standard Supplier-defined controls
Configuration and change management approach We use a state-of-the-art source code repository system, including issue tracking. We combine this with processes such as manual code reviews and automated source code scans.
Vulnerability management type Undisclosed
Vulnerability management approach We have very strict processes for this, including monitoring public sources for known vulnerabilities and frequent patching.

Details are available to customers.
Protective monitoring type Undisclosed
Protective monitoring approach We use a combination of an intrusion detection system, centralized logging on different layers and a 24x7 team to respond to potential compromises.

Details are available to customers.
Incident management type Undisclosed
Incident management approach This is part of our ISO 27001-certified ISMS, and includes a formalised data breach policy.

Details are available to customers.

Secure development

Approach to secure software development best practice Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks No


Price £1 per transaction per month
Discount for educational organisations No
Free trial available Yes
Description of free trial Demo app as part of the Google Play Store beta program.

Access to the APIs is not included.

The time period can be agreed per potential buyer.

