Mosaic, Customer Segmentation and Engagement Services from Experian

The Mosaic family of segmentation tools means you can treat citizens as individuals. It gives the intelligence you need to send the right message to the right person at the right time. You can see who your citizens are, how they live and what services they are likely to need.


  • Available at postcode, household and person levels.
  • Access via online directory file or through online data matching.
  • Segmentation portal provides ability to understand each segment in detail.
  • Includes Mosaic Grand Index, Audience and Profiler (public sector only).
  • Account management support provided at no extra cost.
  • Over 30 years experience in the development of segmentation data.
  • Unique geo-socio-demographic insight to build innovative segmentation.


  • Understanding of people and local areas to support decision-making.
  • Insight to organise resources and target them more effectively.
  • Creates a picture of customers’ propensity and ability to pay.
  • Enables effective communication through demographics, lifestyles and channel preferences.
  • Optimises public resources to save money and deliver economic resilience.
  • Combines with individual and area data to understand health needs.
  • Links to citizen and neighbourhood data to improve public safety.
  • Risk-averse approach to data management


£4050 to £42250 per licence per year

  • Education pricing available

Service documents


G-Cloud 11

Service ID

6 0 7 8 7 8 4 4 0 0 1 3 7 0 6



Damian Kenny

+44 (0) 7976 702247


Service scope

Service scope
Software add-on or extension No
Cloud deployment model Private cloud
Service constraints No
System requirements None

User support

User support
Email or online ticketing support Email or online ticketing
Support response times Responses to questions are within office hours and as soon as is practically possible, and generally within twenty four hours.
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support No
Onsite support Onsite support
Support levels Support is provided through an account manager and a helpdesk, using email, telephone and face-to-face communication. The account manager and helpdesk have further access to technicians and engineers.
Support available to third parties No

Onboarding and offboarding

Onboarding and offboarding
Getting started Initial training will be provided by the account manager, along with user documentation.
Service documentation Yes
Documentation formats
  • HTML
  • ODF
  • PDF
End-of-contract data extraction A data extraction/removal plan will be put in place and agreed to ensure that data is deleted.
End-of-contract process Prices are based on an annual licence fee by variables taken. Discounts are applied for multi-variable licences and are volume dependent.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Firefox
  • Chrome
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service None
Service interface No
Customisation available No


Independence of resources In capacity planning, consideration is given to increased demand over time and fluctuating peaks and troughs in demand, identified through understanding concurrent users, types of users, types of activity undertaken, seasonal activity, etc. In this way, it is be possible to plan for capacity management rather than having to react, when unanticipated situations arise. In addition, database administrators continually monitor activity and performance and will take the steps necessary to ensure that the service received is of the highest possible quality.


Service usage metrics No


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Other security clearance
Government security clearance None

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations No
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least once a year
Penetration testing approach Another external penetration testing organisation
Protecting data at rest Physical access control, complying with another standard
Data sanitisation process Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data importing and exporting
Data export approach This is included within the functionality of the solution, with input records subsequently output, as specified by the user, once appending has taken place.
Data export formats
  • CSV
  • Other
Other data export formats Other delimiters and fixed length.
Data import formats
  • CSV
  • Other
Other data import formats Other delimeters and fixed length.

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • Legacy SSL and TLS (under version 1.2)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • Legacy SSL and TLS (under version 1.2)

Availability and resilience

Availability and resilience
Guaranteed availability Experian does not have a standard service level agreement and this is reflected in our pricing. If a client requires an SLA, then Experian would need to scope the specific requirements to be covered, and then amend pricing appropriately
Approach to resilience This information is available on request.
Outage reporting Email alerts.

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication Username or password
Access restrictions in management interfaces and support channels Not applicable
Access restriction testing frequency At least once a year
Management access authentication Other
Description of management access authentication Available on request

Audit information for users

Audit information for users
Access to user activity audit information No audit information available
Access to supplier activity audit information No audit information available
How long system logs are stored for At least 12 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 DNV GL
ISO/IEC 27001 accreditation date 20/12/2016
What the ISO/IEC 27001 doesn’t cover Everything is covered
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification Yes
Who accredited the PCI DSS certification Trustwave
PCI DSS accreditation date 28/10/2016
What the PCI DSS doesn’t cover Everything is covered
Other security certifications Yes
Any other security certifications Cyber Essentials

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards ISO/IEC 27001
Information security policies and processes Experian have a comprehensive Global Security Policy based on the ISO27001 standard which covers: Organisation and Management; Information Security; Asset Classification; Physical and Environmental Security; Communications and Operations Management; System Access; Systems Development and Maintenance; Compliance; Personnel and Provisioning; Business Continuity Management; Third Party Management. The policy is owned by Experian's Executive Risk Management Committee which is an executive level body, and which assumes ultimate responsibility for Experian's risk position. Information security is a key component of the risk management framework. Experian management supports security through leadership statements, actions and endorsement of the security policy and implementing / improving the controls specified in the policy. The policy is available to all Experian employees and contractors on the intranet. Changes to the policy are announced on the company's intranet and followed up with training and awareness programmes. New hires are required to undertake computer-based information security and data protection training, and this is repeated on at least an annual basis. Compliance to policy is overseen by internal audit.

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach Experian have a change management policy which is underpinned by processes and procedures based on ITIL best practice. This is a mature process. We use a service management tool that integrates change management, incident management, problem management, configuration management and knowledge management. Our change management policy, process and procedures are regularly audited by independent auditors. Formal risk analysis is employed using an approved information risk analysis methodology as a part of the project analysis phase for developments/changes. Security requirements for the system are identified and continue to be considered throughout the life of the product.
Vulnerability management type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach Servers and PCs are built to a documented secure standard, which includes anti-virus and malware defences. Information assets have a defined patching schedule, determined by the system's criticality and the level of threat the patch is mitigating. Experian actively monitors the threat environment and checks the effectiveness of security controls by reviewing both free and paid for sources of threat information, including; public information, major vendor feeds and also receiving information from specialist closed group mailing lists. The overall process is also plugged into an automated patch and fix strategy, underpinned with a technology infrastructure to deliver corrective updates.
Protective monitoring type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach Monitoring processes and tools are in place to manage alarms generated by security related alerts and these are fed into the incident management process. Experian has a formally documented risk based incident management process to respond to security violations, unusual or suspicious events and incidents. In the event an incident occurs a team of experts from all relevant areas of Experian are gathered to form an incident response team, who manage activities until resolution. The incident response team are available 24/7 to resolve any incident. Out of core hours the dedicated incident hotline is routed to the command centre.
Incident management type Supplier-defined controls
Incident management approach The incident management process incorporates a number of participants and contributors, including: Global Security Office - who facilitate and coordinate activities under the business security coordinator's guidance; Business Security Coordinator - a representative of the impacted business area, responsible for coordinating resolution activities; Incident Response Team (IRT) - IRT is made up of a membership that are empowered to make key decisions surrounding the actions to be taken to reduce impact, control actions, and impose corrective activities. A client report would be created, including: high level overview; facts; overview of events; actions taken.

Secure development

Secure development
Approach to secure software development best practice Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Public sector networks
Connection to public sector networks No


Price £4050 to £42250 per licence per year
Discount for educational organisations Yes
Free trial available No

Service documents

Return to top ↑