Masabi Limited


Justride is a cloud-hosted Software-as-a-Service (SaaS) fare collection solution enabling local authorities to deploy mobile ticketing to improve customer satisfaction and reduce the cost of fare media issuance. Fares are validated electronically or visually.


  • Smart mobile ticketing application
  • Secure electronic and visual validation
  • Back office reporting, fare management and customer support
  • SDK for Mobility as a Service and 3rd part integrations
  • Web portal with print at home PDF tickets
  • AFC, stored value, cash digitisation
  • Optional low cost electronic validator
  • Cloud hosted software as a Service
  • Contactless cEMV upgrade path
  • Comprehensive Datawarehouse with Datamart API for extract


  • 'Pay as you go' SaaS model
  • Cloud hosted shared platform with evolving upgrades
  • Simple fare and tariff management
  • Reduced CAPEX cost
  • Reduced operational cost
  • Advanced fraud prevention
  • Future upgrade path with extensive roadmap
  • Mobility as a Service


£15000 to £1000000000 per instance per year

Service documents


G-Cloud 11

Service ID

5 9 1 2 4 5 8 8 8 2 8 6 9 1 9


Masabi Limited

+44 207 089 8882

Service scope

Service scope
Software add-on or extension No
Cloud deployment model Public cloud
Service constraints Masabi is not currently aware of any constraints that buyers should know about that would not be expected from a service of its kind.
System requirements
  • Internet Access
  • Up-to date browser
  • Android or iOS mobile device

User support

User support
Email or online ticketing support Email or online ticketing
Support response times Response time during the week are: within 1 hour.
For critical issues, this is: 15 minutes
Response times at weekends will be: Response on the next working day.
Unless the issue is critical in which case, it will be: 15 minutes.

Masabi will provide upon request its full standard support SLAs. These can be varied depending on the agreement with each authority.
User can manage status and priority of support tickets Yes
Online ticketing support accessibility None or don’t know
Phone support Yes
Phone support availability 24 hours, 7 days a week
Web chat support No
Onsite support Yes, at extra cost
Support levels Critical - P1: Resolution: 4 hours Guaranteed Response : <60
Urgent - P2: Resolution: 8 hours Guaranteed Response : <4 hrs
Normal -P3: Resolution: As Defined Guaranteed Response :<12 hrs
Low - P4: Resolution: As planned Guaranteed Response: <24hrs
Support available to third parties No

Onboarding and offboarding

Onboarding and offboarding
Getting started Masabi provides comprehensive training to authority staff as well as training documentation for on-going support. Masabi also provided dedicated account management for on-going support.
Service documentation Yes
Documentation formats PDF
End-of-contract data extraction Raw data can be extracted via the API's Masabi provides.
End-of-contract process Masabi will allow all customer data to be extracted from the Datawarehouse by the customer before it is permanently deleted.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Opera
Application to install Yes
Compatible operating systems
  • Android
  • IOS
  • Other
Designed for use on mobile devices Yes
Differences between the mobile and desktop service Mobile applications for passengers to operate as standalone apps delivered through the respective app stores.

The web portal is designed for passengers who wish to access ticketing via a browser-based service which follows responsive design practices for good user experience on both desktop and mobile.

The back office management suite is designed for use by staff employed by the client and is also browser-based and follows responsive design practices for good user experience on both desktop and mobile.
Service interface Yes
Description of service interface The back office management suite is a browser-based interface that allows agencies to manage riders, fares, customer service and all aspects of the Justride system.

The web portal and mobile applications provide the ability for riders to interact with Justride to buy tickets, use their tickets and manage their account.
Accessibility standards WCAG 2.1 AA or EN 301 549
Accessibility testing The Justride Hub UI meets WCAG 2.0 Level AA standards. We audit WCAG 2.0 compliance on a 6 month cycle to identify any areas of non-compliance which are then addressed.
What users can and can't do using the API The Justride platform offers several APIs to facilitate a variety of capabilities in the platform. These range from the ability to provision tickets to Rider accounts, issue tickets to delivered on other fae media formats, manage the lifecycle to tickets and access system event data for the purpose of reporting and reconciliation.

Justride as a platform is modular in design and so has been architected with an API centric approach. As such most functions of the platform are surfaced through an API interface.

Full documentation for all APIs is available on request.
API documentation Yes
API documentation formats
  • Open API (also known as Swagger)
  • HTML
  • PDF
  • Other
API sandbox or test environment Yes
Customisation available Yes
Description of customisation Two key items can be configured as part of a deployment to meet the needs of our customers - 1. Branding and 2. Tariff/Fare Structure.

As part of the deployment of each authority, Masabi will configure the retail applications to be fully compliant with the desired branding guidelines for the customer.

Masabi will then assist the authority with onboarding staff responsible for managing the back office and configuring functions such as the tariff and fare structures.


Independence of resources Masabi is a cloud-hosted platform which is load tested above the maximum load experienced with any current deployment. Cloud hosting also allows the ability to scale the Justride servers elastically to support increasing demand. Furthermore, Masabi is able to manage the allocation of server resource between clients' traffic to prevent any from overpowering others causing impaired performance.


Service usage metrics Yes
Metrics types The Justride reporting and analytics suite empowers agencies to access and use their data to their advantage. Masabi appreciates that there is a wide range of ways in which data access and analysis can be useful, and provides a range of tools that can be easily applied depending on the task at hand and experience of the user.
Reporting types
  • API access
  • Real-time dashboards


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Staff screening not performed
Government security clearance Up to Developed Vetting (DV)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations
  • European Economic Area (EEA)
  • EU-US Privacy Shield agreement locations
  • Other locations
User control over data storage and processing locations No
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least every 6 months
Penetration testing approach Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
  • Encryption of all physical media
Data sanitisation process Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach A third-party destruction service

Data importing and exporting

Data importing and exporting
Data export approach As well as CSV download, the Justride Data Warehouse is used to access the data through simple RESTful APIs (the Justride Data Mart APIs). Data is returned using industry standard CSV and JSON formats. Data is available as soon as it is recorded in the system providing near real time access to almost all system events (certain types of data are delivered asynchronously). Access credentials for the Data Mart APIs is managed through the Justride Hub Login Management tools.
The Data Mart APIs allow the extraction of data on an automated schedule or ad hoc manual basis.
Data export formats
  • CSV
  • Other
Other data export formats RESTFUL JSON API
Data import formats
  • CSV
  • Other
Other data import formats RESTFUL JSON API

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks TLS (version 1.2 or above)
Data protection within supplier network TLS (version 1.2 or above)

Availability and resilience

Availability and resilience
Guaranteed availability Masabi maintains a 99.95% uptime.
Approach to resilience Available on request.
Outage reporting Available upon request.

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Dedicated link (for example VPN)
  • Username or password
Access restrictions in management interfaces and support channels Access control is granular, with the ability to create users who can only access certain modules.
Access restriction testing frequency At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Dedicated link (for example VPN)

Audit information for users

Audit information for users
Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for User-defined
Access to supplier activity audit information Users have access to real-time audit information
How long supplier audit data is stored for User-defined
How long system logs are stored for User-defined

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification No
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification Yes
Who accredited the PCI DSS certification Teamwork IMS
PCI DSS accreditation date 14/10/2018
What the PCI DSS doesn’t cover NA
Other security certifications No

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards Other
Other security governance standards PCI DSS and appropriate GDPR legislation.
Information security policies and processes Masabi's information security policies are aligned with PCI and GDPR compliance, including documentation and governance processes in line with industry best practices.

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach All of the software components are deployed on AWS infrastructure that is SSAE-16 / ISAE 3402 compliant. The software components flow through a PCI/GDPR process that includes both code, data protection and operational security vulnerability testing and continuous scanning.
Vulnerability management type Supplier-defined controls
Vulnerability management approach Masabi uses industry standard tools, including those provided globally by Amazon AWS, to continuously assess the threats - both to code and operation - of the existing and to-be-deployed systems. These use internationally recognised sources of threat such as CVE.
Protective monitoring type Supplier-defined controls
Protective monitoring approach Per previous answer, we use deployed tools which are linked to live threat databases.

We have a fully defined security response process, as required by PCI and GDPR.
Incident management type Supplier-defined controls
Incident management approach There are defined processes for incidents and issues, which can be sourced from internal monitoring, clients or end-users. Incident reports are circulated to effected parties via electronic distribution.

Secure development

Secure development
Approach to secure software development best practice Supplier-defined process

Public sector networks

Public sector networks
Connection to public sector networks No


Price £15000 to £1000000000 per instance per year
Discount for educational organisations No
Free trial available No

Service documents

Return to top ↑