VST Enterprises Limited

VPlatform & VCode by VST Enterprises Limited

VCode® represents the next generation of code scanning technology – an evolutionary leap past traditional barcodes .

Utilised to authenticate and deliver bespoke, permission based content and to protect against fraud in many sectors, from document verification, identity, end-to-end supply chain management, interactive charitable giving transactions and content delivery.


  • Closed Loop Security. Only VSTE scanners can authenticate a VCode
  • Custom Content Delivery - Direct content delivered from one scan
  • VPlatform portal allows users to create, manage and analyse VCodes
  • Scan from up 100 metres and down to 225 Microns
  • Dynamic Content: Update content at anytime without changing the VCode
  • Full Scan Analytics - Track who, what, when and where
  • Permission Based Content Access - Who, What, Where and When
  • Full Swagger API Toolset available for system integrations
  • Collision Free System - VCode duplication can never happen
  • Virtually Unlimited Supply of VCode futureproofs your solution


  • End-to-end tracability and content delivery throughout the supply chain
  • Real Time Tracking; Track, trace and verify authenticity of goods.
  • Bespoke end user content delivery - Links, documents, videos, content
  • ID, qualification, certification, training and membership verification
  • VCodes Successfully tested & scanned down to 225 Microns
  • Accept Instant, secure and transparent Digital & charity payments.
  • Full API stack for system integration
  • Analyse user behaviour patterns, traffic and workflows
  • Scan user data capture metrics for compliance and evidentiary outputs
  • Video and FMCG traceablility, preventing counterfeit and piracy


£0.001 to £5 per unit per year

Service documents

G-Cloud 11


VST Enterprises Limited

Louis-James Davis



Service scope

Service scope
Software add-on or extension Yes, but can also be used as a standalone service
What software services is the service an extension to The VPlatform API & VCode SDK can be used as an extension to current online software and mobile applications to implement any of the applicable use cases the solution offers as a stand-alone service.
Cloud deployment model Private cloud
Service constraints To use as a stand-alone service, users must download the free VCode® app from the Google Play or Apple App Store to be able to scan a VCode. If the development tools (API & SDK) are used, the user can use the service in the software environment of the purchasing business.
System requirements
  • Requires API, desktop, portable or mobile device to create codes
  • Requires free VCode app unless the VCode SDK is utilised
  • Requires an internet connection to serve mobile accessed content

User support

User support
Email or online ticketing support Email or online ticketing
Support response times Priority 1 - Whole service is down - Within two Business Hours.
Priority 2 - Whole service is down - Within four Business Hours.
Priority 3 - non-essential features are impaired - Within 12 Business Hours
Priority 4 - Errors that are, non disabling or cosmetic - Within 24 Business Hours.
User can manage status and priority of support tickets No
Phone support No
Web chat support No
Onsite support Yes, at extra cost
Support levels VST offer a full email / web based support for all VPortal users. Users can raise a support request via their account 24/7 to access technical support or via their account manager within UK business hours.

Additional support and escalation levels and access types can be offered and supported under contract.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started Access to the VPlatform is served by creating an account or logging in via the Portal homepage. The intuitive portal guides users to create codes, create, assign or edit packages and rules and view all scan data analytics. Users are assigned 10 free credits upon account creation for testing purposes.

App users can download the free App from the Google Play or Apple App Store to scan VCodes, create codes including utilising their personal VCode.
Service documentation Yes
Documentation formats PDF
End-of-contract data extraction By contacting VSTE Support.
End-of-contract process Depending on the contract type, contracts either terminate upon an agreed date or will auto-renew for the agreed service period.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install Yes
Compatible operating systems
  • Android
  • IOS
  • MacOS
Designed for use on mobile devices Yes
Differences between the mobile and desktop service There is no difference when accessing the VPortal to create, configure and analyse performance of a VCode.

Scanning a VCode can only be performed via the Android or IOS application on a mobile device (unless using the api and/or SDK).
Accessibility standards WCAG 2.1 A
Accessibility testing Functional testing, in field testing & interface testing
What users can and can't do using the API Using an issued partner token and a session token, API access is available to undertake all VPlatform functionality; Create VCodes, Configure VCode endpoints and service types (Packages), assign and change permissions, review analytics; (The Who, What, When and Where behind every scan).

API documentation is available via Swagger.
API documentation Yes
API documentation formats Open API (also known as Swagger)
API sandbox or test environment Yes
Customisation available Yes
Description of customisation The VST SDK can be utilised to allow the VCode scanner (the element that authenticates the VCode scan) to be embedded within users existing IOS or Android apps.


Independence of resources VSTE operates its network in line with estimated system demands, utilising Amazon Web Services (AWS) Elastic Compute Cloud (Amazon EC2) to host the VPortal platform and services. Amazon EC2 ensures the availability, scalability and reliability of the platform for unpredictable and unplanned traffic triggering AWS auto-scaling.


Service usage metrics Yes
Metrics types Every VCode® interaction is tracked, with real-time analytics retrieved on the Who, What, When and Where behind every scan.
Reporting types Reports on request


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Conforms to BS7858:2012
Government security clearance Up to Developed Vetting (DV)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
  • EU-US Privacy Shield agreement locations
User control over data storage and processing locations Yes
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least once a year
Penetration testing approach ‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest Physical access control, complying with CSA CCM v3.0
Data sanitisation process Yes
Data sanitisation type Deleted data can’t be directly accessed
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data importing and exporting
Data export approach All analytics can be accessed via APi and in CSV format via the portal.
Data export formats CSV
Data import formats CSV

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks TLS (version 1.2 or above)
Data protection within supplier network TLS (version 1.2 or above)

Availability and resilience

Availability and resilience
Guaranteed availability SLA uptime of 99.9%. Service Credits apply for any month where SLAs are not met as specified within service contract.
Approach to resilience VST operates its network in line with estimated system demands, utilising Amazon Web Services (AWS) Amazon Elastic Compute Cloud (Amazon EC2) to host the VPlatform and manage user data. Amazon EC2 ensures system demands, such as Increasing or decreasing the number of instances running, CPU usage and network Bandwidth, alongside other custom metrics, are met without the need for manual intervention by utilising automated network fail-over and expansion to support peak traffic demands and returning once normal traffic load commences. All of which ensures the availability, scalability and reliability of the VPlatform and VCode services.
Outage reporting Public dashboard
Email alerts

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
Access restrictions in management interfaces and support channels All access is granted on a need to know basis and is dependent upon role and responsibilities. All access permissions are documented and reviewed at least every 6 month or upon change of role, responsibility or user. Segregation of platforms and access exists in all network architecture and management systems.
Access restriction testing frequency At least every 6 months
Management access authentication 2-factor authentication

Audit information for users

Audit information for users
Access to user activity audit information Users contact the support team to get audit information
How long user audit data is stored for At least 12 months
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for At least 12 months
How long system logs are stored for At least 12 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification No
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification Yes
Who accredited the PCI DSS certification Self-Assessment Questionnaire A-EP and Attestation of Compliance
PCI DSS accreditation date 2018
What the PCI DSS doesn’t cover All services are covered by the Self-Assessment Questionnaire A-EP and Attestation of Compliance
Other security certifications No

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified No
Security governance approach Compliant to ISO 27001:2013 currently preparing for audit. Internal ISMS and Policy set.

ICO guidelines followed regarding information security and data protection.
Information security policies and processes VSTE's appointed CIO is responsible for ensuring all systems, platforms and processes are developed and managed with a security first approach utilising security by design methodology.

VST have a fully integrated and underpinned ISMS including defined security policies and documented risk management approach.

Operational security

Operational security
Configuration and change management standard Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach The VSTE Change Advisory Board review changes in line with the VST Change Management Policy, assessing the
• Urgency
• Operational Requirements
• Security Considerations
• Customer / stakeholder communication requirements
• Resources Required

Process includes:

1. Identified requirement
2. RFC ceated
3. Review
4. Approval / Sign-Off
5. Schedule Change & Notifications
6. Implement Change
7. Test & Validate
8. Assess & Evaluate
9. Confirm Roll-out or initiate Rollback procedure Document Change
10. Initiate change confirmation Notifications.

Changes are made out of standard business hours and are communicated under the agreed SLA and an 'At Risk' notification period announced.
Vulnerability management type Supplier-defined controls
Vulnerability management approach VST subscribe to several security bulletins, including the NCSC feed and the AWS Security Bulletin. Regular Vulnerability Scans of the Network after every change to the Network Architecture are made or at least every 12 months. Any Patches required are made within 24 hours using the following process:

1. Review Patch
2. Preparation
3. Perform vulnerability Scan
4. Define Remediating Actions (if any)
5. Implement Remediating Actions (if any)
6. Re-scan
7. Document Findings
Protective monitoring type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach VSTE has a defined and implemented Security Information & Event Management Solution (SIEMS) for Log Management, to undertake forensic audits and Event Management for 24/7 system notifications.

Monitoring parameters for system and security alerts will notify the Network Management Team, 24/7, by SMS who will immediately investigate the notification and begin any remediation required.

Incidents are responded to, in-line with published SLAs
Incident management type Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach VSTE adopt the ITIL v3 IT Service Desk Lifecycle Management for the provision and delivery of Incident Management, operating a web & e-mail based support system powered by ZenDesk® to operate a support model with a defined escalation path.

Users can access the support System by logging into their account and logging an incident from within the VPlatform. The ZenDesk® portal is managed both in and out of office hours and allows for two-way communication and report updates.

Secure development

Secure development
Approach to secure software development best practice Conforms to a recognised standard, but self-assessed

Public sector networks

Public sector networks
Connection to public sector networks No


Price £0.001 to £5 per unit per year
Discount for educational organisations Yes
Free trial available Yes
Description of free trial All accounts come loaded with 10 free credits for configuration testing, valid for 12 months from account opening.
Link to free trial https://portal.vplatform.io/login

Service documents

pdf document: Pricing document pdf document: Service definition document pdf document: Terms and conditions
Service documents
Return to top ↑