VCode® represents the next generation of code scanning technology – an evolutionary leap past traditional barcodes .
Utilised to authenticate and deliver bespoke, permission based content and to protect against fraud in many sectors, from document veriﬁcation, identity, end-to-end supply chain management, interactive charitable giving transactions and content delivery.
- Closed Loop Security. Only VSTE scanners can authenticate a VCode
- Custom Content Delivery - Direct content delivered from one scan
- VPlatform portal allows users to create, manage and analyse VCodes
- Scan from up 100 metres and down to 225 Microns
- Dynamic Content: Update content at anytime without changing the VCode
- Full Scan Analytics - Track who, what, when and where
- Permission Based Content Access - Who, What, Where and When
- Full Swagger API Toolset available for system integrations
- Collision Free System - VCode duplication can never happen
- Virtually Unlimited Supply of VCode futureproofs your solution
- End-to-end tracability and content delivery throughout the supply chain
- Real Time Tracking; Track, trace and verify authenticity of goods.
- Bespoke end user content delivery - Links, documents, videos, content
- ID, qualification, certification, training and membership verification
- VCodes Successfully tested & scanned down to 225 Microns
- Accept Instant, secure and transparent Digital & charity payments.
- Full API stack for system integration
- Analyse user behaviour patterns, traffic and workflows
- Scan user data capture metrics for compliance and evidentiary outputs
- Video and FMCG traceablility, preventing counterfeit and piracy
£0.001 to £5 per unit per year
- Education pricing available
VST Enterprises Limited
|Software add-on or extension||Yes, but can also be used as a standalone service|
|What software services is the service an extension to||The VPlatform API & VCode SDK can be used as an extension to current online software and mobile applications to implement any of the applicable use cases the solution offers as a stand-alone service.|
|Cloud deployment model||Private cloud|
|Service constraints||To use as a stand-alone service, users must download the free VCode® app from the Google Play or Apple App Store to be able to scan a VCode. If the development tools (API & SDK) are used, the user can use the service in the software environment of the purchasing business.|
|Email or online ticketing support||Email or online ticketing|
|Support response times||
Priority 1 - Whole service is down - Within two Business Hours.
Priority 2 - Whole service is down - Within four Business Hours.
Priority 3 - non-essential features are impaired - Within 12 Business Hours
Priority 4 - Errors that are, non disabling or cosmetic - Within 24 Business Hours.
|User can manage status and priority of support tickets||No|
|Web chat support||No|
|Onsite support||Yes, at extra cost|
VST offer a full email / web based support for all VPortal users. Users can raise a support request via their account 24/7 to access technical support or via their account manager within UK business hours.
Additional support and escalation levels and access types can be offered and supported under contract.
|Support available to third parties||Yes|
Onboarding and offboarding
Access to the VPlatform is served by creating an account or logging in via the Portal homepage. The intuitive portal guides users to create codes, create, assign or edit packages and rules and view all scan data analytics. Users are assigned 10 free credits upon account creation for testing purposes.
App users can download the free App from the Google Play or Apple App Store to scan VCodes, create codes including utilising their personal VCode.
|End-of-contract data extraction||By contacting VSTE Support.|
|End-of-contract process||Depending on the contract type, contracts either terminate upon an agreed date or will auto-renew for the agreed service period.|
Using the service
|Web browser interface||Yes|
|Application to install||Yes|
|Compatible operating systems||
|Designed for use on mobile devices||Yes|
|Differences between the mobile and desktop service||
There is no difference when accessing the VPortal to create, configure and analyse performance of a VCode.
Scanning a VCode can only be performed via the Android or IOS application on a mobile device (unless using the api and/or SDK).
|Accessibility standards||WCAG 2.1 A|
|Accessibility testing||Functional testing, in field testing & interface testing|
|What users can and can't do using the API||
Using an issued partner token and a session token, API access is available to undertake all VPlatform functionality; Create VCodes, Configure VCode endpoints and service types (Packages), assign and change permissions, review analytics; (The Who, What, When and Where behind every scan).
API documentation is available via Swagger.
|API documentation formats||Open API (also known as Swagger)|
|API sandbox or test environment||Yes|
|Description of customisation||The VST SDK can be utilised to allow the VCode scanner (the element that authenticates the VCode scan) to be embedded within users existing IOS or Android apps.|
|Independence of resources||VSTE operates its network in line with estimated system demands, utilising Amazon Web Services (AWS) Elastic Compute Cloud (Amazon EC2) to host the VPortal platform and services. Amazon EC2 ensures the availability, scalability and reliability of the platform for unpredictable and unplanned traffic triggering AWS auto-scaling.|
|Service usage metrics||Yes|
|Metrics types||Every VCode® interaction is tracked, with real-time analytics retrieved on the Who, What, When and Where behind every scan.|
|Reporting types||Reports on request|
|Supplier type||Not a reseller|
|Staff security clearance||Conforms to BS7858:2012|
|Government security clearance||Up to Developed Vetting (DV)|
|Knowledge of data storage and processing locations||Yes|
|Data storage and processing locations||
|User control over data storage and processing locations||Yes|
|Datacentre security standards||Complies with a recognised standard (for example CSA CCM version 3.0)|
|Penetration testing frequency||At least once a year|
|Penetration testing approach||‘IT Health Check’ performed by a CHECK service provider|
|Protecting data at rest||Physical access control, complying with CSA CCM v3.0|
|Data sanitisation process||Yes|
|Data sanitisation type||Deleted data can’t be directly accessed|
|Equipment disposal approach||Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001|
Data importing and exporting
|Data export approach||All analytics can be accessed via APi and in CSV format via the portal.|
|Data export formats||CSV|
|Data import formats||CSV|
|Data protection between buyer and supplier networks||TLS (version 1.2 or above)|
|Data protection within supplier network||TLS (version 1.2 or above)|
Availability and resilience
|Guaranteed availability||SLA uptime of 99.9%. Service Credits apply for any month where SLAs are not met as specified within service contract.|
|Approach to resilience||VST operates its network in line with estimated system demands, utilising Amazon Web Services (AWS) Amazon Elastic Compute Cloud (Amazon EC2) to host the VPlatform and manage user data. Amazon EC2 ensures system demands, such as Increasing or decreasing the number of instances running, CPU usage and network Bandwidth, alongside other custom metrics, are met without the need for manual intervention by utilising automated network fail-over and expansion to support peak traffic demands and returning once normal traffic load commences. All of which ensures the availability, scalability and reliability of the VPlatform and VCode services.|
Identity and authentication
|User authentication needed||Yes|
|Access restrictions in management interfaces and support channels||All access is granted on a need to know basis and is dependent upon role and responsibilities. All access permissions are documented and reviewed at least every 6 month or upon change of role, responsibility or user. Segregation of platforms and access exists in all network architecture and management systems.|
|Access restriction testing frequency||At least every 6 months|
|Management access authentication||2-factor authentication|
Audit information for users
|Access to user activity audit information||Users contact the support team to get audit information|
|How long user audit data is stored for||At least 12 months|
|Access to supplier activity audit information||Users contact the support team to get audit information|
|How long supplier audit data is stored for||At least 12 months|
|How long system logs are stored for||At least 12 months|
Standards and certifications
|ISO/IEC 27001 certification||No|
|ISO 28000:2007 certification||No|
|CSA STAR certification||No|
|Who accredited the PCI DSS certification||Self-Assessment Questionnaire A-EP and Attestation of Compliance|
|PCI DSS accreditation date||2018|
|What the PCI DSS doesn’t cover||All services are covered by the Self-Assessment Questionnaire A-EP and Attestation of Compliance|
|Other security certifications||No|
|Named board-level person responsible for service security||Yes|
|Security governance certified||No|
|Security governance approach||
Compliant to ISO 27001:2013 currently preparing for audit. Internal ISMS and Policy set.
ICO guidelines followed regarding information security and data protection.
|Information security policies and processes||
VSTE's appointed CIO is responsible for ensuring all systems, platforms and processes are developed and managed with a security first approach utilising security by design methodology.
VST have a fully integrated and underpinned ISMS including defined security policies and documented risk management approach.
|Configuration and change management standard||Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402|
|Configuration and change management approach||
The VSTE Change Advisory Board review changes in line with the VST Change Management Policy, assessing the
• Operational Requirements
• Security Considerations
• Customer / stakeholder communication requirements
• Resources Required
1. Identified requirement
2. RFC ceated
4. Approval / Sign-Off
5. Schedule Change & Notifications
6. Implement Change
7. Test & Validate
8. Assess & Evaluate
9. Confirm Roll-out or initiate Rollback procedure Document Change
10. Initiate change confirmation Notifications.
Changes are made out of standard business hours and are communicated under the agreed SLA and an 'At Risk' notification period announced.
|Vulnerability management type||Supplier-defined controls|
|Vulnerability management approach||
VST subscribe to several security bulletins, including the NCSC feed and the AWS Security Bulletin. Regular Vulnerability Scans of the Network after every change to the Network Architecture are made or at least every 12 months. Any Patches required are made within 24 hours using the following process:
1. Review Patch
3. Perform vulnerability Scan
4. Define Remediating Actions (if any)
5. Implement Remediating Actions (if any)
7. Document Findings
|Protective monitoring type||Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402|
|Protective monitoring approach||
VSTE has a defined and implemented Security Information & Event Management Solution (SIEMS) for Log Management, to undertake forensic audits and Event Management for 24/7 system notifications.
Monitoring parameters for system and security alerts will notify the Network Management Team, 24/7, by SMS who will immediately investigate the notification and begin any remediation required.
Incidents are responded to, in-line with published SLAs
|Incident management type||Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402|
|Incident management approach||
VSTE adopt the ITIL v3 IT Service Desk Lifecycle Management for the provision and delivery of Incident Management, operating a web & e-mail based support system powered by ZenDesk® to operate a support model with a defined escalation path.
Users can access the support System by logging into their account and logging an incident from within the VPlatform. The ZenDesk® portal is managed both in and out of office hours and allows for two-way communication and report updates.
|Approach to secure software development best practice||Conforms to a recognised standard, but self-assessed|
Public sector networks
|Connection to public sector networks||No|
|Price||£0.001 to £5 per unit per year|
|Discount for educational organisations||Yes|
|Free trial available||Yes|
|Description of free trial||All accounts come loaded with 10 free credits for configuration testing, valid for 12 months from account opening.|
|Link to free trial||https://portal.vplatform.io/login|