MIRACL Technologies Limited

MIRACL Trust® Proof

Use MIRACL Trust® Proof to digitally sign any transaction (payment), user action, data transfer or Machine-Machine interaction to make it irrefutable. Authenticity of action can be proven due to the immutable, non-repudiable nature of the signatures. The solution meets the requirements of PSD2 for Dynamic Linking and Strong Customer Authentication.


  • Sign Transactions (payments), User Actions and any Digital Media
  • Sign arbitrary programmatic data like API requests machine-machine & IoT
  • Inexpensive PAYG SaaS contract with no termination notice
  • Standards based API/SDK allows cross platform, OS independent deployment
  • Supports P.A.I.N. = Privacy, Authenticity, Integrity and Non-Repudiation
  • User-Device has cryptographic secret allowing dynamic linking, signing & authentication
  • Signatures are immutable, non-repudiable and verifiable at any time
  • Python, Django, NodeJS, Ruby, PHP, Java, .NET and more supported


  • Reduces fraudulent transactions whilst reducing false declines
  • Meet the Strong Customer Authentication (SCA) requirements of PSD2
  • Unique signature meets the “dynamic linking” requirement of PSD2
  • Prevent transaction disputes and charge-backs. Facilitate their handling
  • Make Card-Not-Present (CNP) transactions as safe as real-world transactions
  • Replace expensive, theft/loss prone hardware-based token generators
  • Reduce cart abandonment from complex check-out
  • No know practical/theoretical attacks against identity-based elliptic curve cryptography
  • Replace transaction methods such as Transaction Authentication Number (TAN) codes.
  • No reliance on Public Key Infrastructure (PKI)


£0.005 to £0.05 per transaction

Service documents

G-Cloud 11


MIRACL Technologies Limited

Michael Tanaka



Service scope

Service scope
Software add-on or extension Yes, but can also be used as a standalone service
What software services is the service an extension to Although the MIRACL Trust ID service can operate independently, it can also be integrated to Identity Access Management (IAM) platforms and link to many Single Sign On (SSO) systems.
Cloud deployment model
  • Public cloud
  • Private cloud
  • Hybrid cloud
Service constraints No constraints in regards to cloud Authentication and Digital Signing, which is provisioned as a service with better than 99.95% up-time. Private Cloud, Hybrid Cloud or On-Premise installations subject to final specification of customer. Federation of user authentication should be done via established standards such as OIDC.
System requirements
  • Subject to integrating the APIs and SDKs
  • Mobile app minimum version requirements: iOS 8 and Android 4.1
  • Supports all major browsers with a consistent user interface
  • Software-only solution requiring neither a dongle nor a smartphone

User support

User support
Email or online ticketing support Email or online ticketing
Support response times Will vary depending on the service level a client qualifies for/opts for.
The basic service offers core business hours and limited out of hours whilst the premium plus service offers a 24/7 service.
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 24 hours, 7 days a week
Web chat support No
Onsite support Yes, at extra cost
Support levels We offer 3 levels of support:

1) A basic free service - core business hours and limited out of hours
2) A premium service - 24/7 standard service and shared account manager
3) A premium + service - 24/7 customer defined service and dedicated account manager

The level of service offered will depend on size of client (number of transactions). Clients can opt to upgrade service for a cost.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started User documentation is provided and onsite training depending on client size/whether required,

The MIRACL Trust Platform utilizes a distributed cryptography scheme to ensure high security for its key-generation and authentication services. The scheme incorporates two or more Distributed Trusted Authority (D-TA) servers, which are the core of MIRACL’s distributed cryptosystem. For a typical hosted service, MIRACL provides two physically and geographically separated D-TAs for each partner. In some cases though, it is a requirement for a partner to self-host one of the D-TAs, in which case MIRACL provides an On-Premise D-TA which can be installed on the partner’s premises and hooked up to the MIRACL Trust Platform. MIRACL provides documentation to describe how to setup such an On-Premise D-TA on Windows-based servers.
Service documentation Yes
Documentation formats HTML
End-of-contract data extraction N/A Service engineered to avoid GDPR risk associated with client data. No data stored of any value to customer or end-client.
End-of-contract process SaaS offering based on PAYG invoicing with no contract notice period.

On Premise, Hybrid Cloud and Private Cloud usually 12 -36 month contract 30 day notice prior to automatic contract rollover.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 7
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service Service Provider as Customer - all functions are customised from a browser. As an enterprise service we do not recommend configuring service from a mobile device.

End-User as Customer - MIRACL's M-Pin is cross platform and almost all primary functions are identical. Mobile apps can support additional functions such as daisy-chaining enrolment of devices and remotely authenticating an unsecure desktop
Service interface Yes
Description of service interface Service Provider as Customer - all functions are customised from a browser. Users can monitor authentication/signing activity and set up new points of authentication on websites and mobile apps.

End-User as Customer - MIRACL's M-Pin authentication is as easy as entering a 4-6 digit PIN code to gain access to the protected service. Setting up new users is default by email verification but can be any process the service provider requires. All functions and features are managed on one page.
Accessibility standards None or don’t know
Description of accessibility Service Provider as Customer - service accessed via a browser based portal with limited graphics, no visual or audio media, use of colour or animations.

End-User as Customer - service providers have a great deal of flexibility how they integrate the service and expose it to the end clients. So they can determine the accessibility of the system taking into account platform and form of delivery.
Accessibility testing Service Provider as Customer - we have tested with various screen readers, screen magnifiers, speech input, alternative input devices and text to speech. As a browser based portal, most assistive technologies are of some use.

End-User as Customer - service providers have a great deal of flexibility how they integrate the service and expose it to the end clients. So they can determine the accessibility of the system taking into account platform and form of delivery.
What users can and can't do using the API APIs and SDKs can be used to enrol users, authenticate users to controlled services, authenticate users to multiple services (Single Sign On), irrefutably sign actions/transactions/documents and monitor all actions taken by the end-user, all services are cross-platform and delivered to the End-User via browsers or custom-built applications.

Our APIs and SDKs support open standards such as (but not limited to) SAML, OIDC, ADFS and RADIUS. We support Python, Django, NodeJS, Ruby, PHP, Go, Java, .NET and many other languages with our own SDKs and numerous additional languages using open source clients.
API documentation Yes
API documentation formats Other
API sandbox or test environment No
Customisation available Yes
Description of customisation Users have a high degree of customisation capability given service is provisioned via APIs and SDKs. Customer has full control over User Flows for Authentication, Enrolment and Digital Signing, any service provisioned screens such M-Pin (pin entry screen) can be customised to include customer branding. Private Cloud, Hybrid Cloud and on-premise installation subject to final specification of customer and gives even more detailed control over the operation of the underlying service such as the distribution and revocation of cryptographic secrets.


Independence of resources Predictive auto-scaling


Service usage metrics Yes
Metrics types We track all events and the metrics we provide are number of authentications by day, month, year, geographic region etc.
Reporting types
  • API access
  • Real-time dashboards


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Other security clearance
Government security clearance Up to Security Clearance (SC)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations European Economic Area (EEA)
User control over data storage and processing locations No
Datacentre security standards Managed by a third party
Penetration testing frequency At least once a year
Penetration testing approach Another external penetration testing organisation
Protecting data at rest Encryption of all physical media
Data sanitisation process Yes
Data sanitisation type Deleted data can’t be directly accessed
Equipment disposal approach In-house destruction process

Data importing and exporting

Data importing and exporting
Data export approach Data can be fetched trough the API or in CSV from the portal.
Data export formats
  • CSV
  • Other
Data import formats Other

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks Other
Other protection between networks We don't access buyers' data! It comes down to portal access, web login access and API access - via TLS 1.3.
Data protection within supplier network Other
Other protection within supplier network We have implemented Googles BeyondCorp which means we don't have an internal network that gives you access to everything. We have strong authentication to each service and VPN for sensitive infrastructure used only for administrative actions - not day to day work. Those VPNs are also protected with two factor authentication through our own MIRACL Trust service.

Availability and resilience

Availability and resilience
Guaranteed availability If the availability of MIRACL Services for a given month is less than the applicable Uptime Commitment, Licensor will provide Partner with a credit of the Fees paid for the affected MIRACL Services for such month as follows:

4.1.1. Availability less than Uptime Commitment but at least 99.5%: 5% credit
4.1.2. Availability less than 99.5% but at least 99%: 10% credit
4.1.3. Availability less than 99% but at least 97.5%: 35% credit
4.1.4. Availability less than 97.5%: 100% credit
4.2. In the event Partner is not current in its payment obligations when an outage occurs, remedies will accrue, but credits will not be issued until payment obligations are up to date.
4.3. To receive service credits, Partner must submit a written request to billing@MIRACL.com, within 30 days after the end of the month in which the MIRACL Services failed to meet the Uptime Commitment, or the right to receive credits with respect to such unavailability will be waived.
Approach to resilience Multiple interchangeable nodes distributed in multiple zones in single data-center.
Outage reporting We have a metrics service which provides alerts.

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication 2-factor authentication
Access restrictions in management interfaces and support channels All access secured by strong 2 Factor Authentication (2FA) associated to each unique User-AccessPoint combination. Where an AccessPoint is a specific Browser-Device, Mobile etc. 

Full, real time, configuration of user roles determined on a per-user basis by admin user. Ability to inactive users or enable/disable access to individual functions and groups of functions.
Access restriction testing frequency At least once a year
Management access authentication
  • 2-factor authentication
  • Other
Description of management access authentication 2-Factor Authentication tied to each User-AccessPoint combination.  Where an AccessPoint is a specific Browser-Device, Mobile etc. This enables customer to know who initiated and how they inititated access.

Service provided with  MIRACL Trust ID meaning there are no additional charges associated with adding management users or access points.

Audit information for users

Audit information for users
Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for At least 12 months
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for At least 12 months
How long system logs are stored for At least 12 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification No
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications No

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards Other
Other security governance standards We are Cyber Essentials certified and take a risk based approach to security governance. Currently we are implementing further policies and procedures that align with ISO27001/CSA CCM with a view to obtaining the respective certification.
Information security policies and processes We have a Security Policy and carry out regular risk assessment to then manage the identified risks. We also carry out internal audits that lead to continual improvement with corrective and preventative actions. Internal audits help in ensuring policies are followed. Information Security is a priority of the Company Board with regular reports being produced to keep it up to date. All reporting is done to the Information Security Officer who then reports to Company Leadership.

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach We follow best practice both for software development and for infrastructure. We aim for everything as code (software, infrastructure, policies) approach which provides very important features of the process:
- Each change is reviewed by at least 2 people before it is accepted.
- Audit logs of all changes, both code or infrastructure (infrastructure is built with code).
- We can version state change any of the system and revert if needed.
- We can do proper Continuous Integration and Continuous Delivery (CI/CD).
Vulnerability management type Supplier-defined controls
Vulnerability management approach We confine to a bare minimum the potential attack surface that is managed by us and could be potentially vulnerable. In this way, assessment monitoring is simplified. We have a proven ability to respond with appropriate patches in a matter of hours.
Protective monitoring type Undisclosed
Protective monitoring approach The system generates reporting information on a daily basis. Any unusual activity will result in a SAR (suspicious activity report) going to the COO.

An investigation (typically within hours) will occur.

User ID's, if a compromise is suspected, will be blocked pending further investigation.
Incident management type Supplier-defined controls
Incident management approach The user will report the service issue via email, or on the user portal. The incident will be logged in our incident management system.

The user will be notified by email of actions or progress made towards resolution of the incident.

Priority will be given to :
- Ensuring the service is not compromised
- Then ensuring the user is capable of accessing the service
- Finally determining the root cause analysis of the incident

No pre-determined processes exist at present, as production incidents are negligible. We will monitor for patterns and create process as appropriate.

Secure development

Secure development
Approach to secure software development best practice Conforms to a recognised standard, but self-assessed

Public sector networks

Public sector networks
Connection to public sector networks No


Price £0.005 to £0.05 per transaction
Discount for educational organisations Yes
Free trial available Yes
Description of free trial The first 100 transactions a month are free
Link to free trial https://trust.miracl.cloud/get-started

Service documents

pdf document: Pricing document pdf document: Terms and conditions
Service documents
Return to top ↑