Software Box Limited (SBL)

SBL Freja ID: Identity & Secure Access Management

Freja eID provides a strong identity solution to allow secure access to systems for customers and users. Multi-Factor Authentication (MFA) and 2-Factor Authentication (2FA) improve user experience and remove fixed passwords. It enables compliance with GDPR and CoCo, amongst other cyber security requirements, and supports tokens and soft tokens.


  • Cloud based security solution
  • Open APIs to link with single and multiple applications
  • OATH and OCRA compliant solutions
  • Licence covers internal and external users
  • Accredited European e-Identity
  • Compatible with Android and iOS apps
  • 24 hour support
  • Enables use of corporate credentials for cloud applications
  • PSD2 compliant MFA service
  • Validated cloud identity service


  • Simple sign on for end users
  • Reduces cost of service desk support
  • Unlimited user licence available
  • Supports Know Your Customer and GDPR compliance
  • One solution can be used across multiple applications and services
  • Integrates with all major applications
  • Identity managed by the end user supporting GDPR
  • Simple application install and registration
  • Use can be shared across organisations
  • Enhances cyber security


£0.10 per user per month

  • Free trial available

Service documents


G-Cloud 11

Service ID

861895994053511


Software Box Limited (SBL)

Danielle Connor

01347 812100

Service scope

Software add-on or extension
Cloud deployment model
Private cloud
Service constraints
There are no foreseeable constraints to this service.
System requirements

User support

Email or online ticketing support
Email or online ticketing
Support response times
Within 4 hours, 24x7
User can manage status and priority of support tickets
Online ticketing support accessibility
WCAG 2.1 AA or EN 301 549
Phone support
Phone support availability
24 hours, 7 days a week
Web chat support
Web chat
Web chat support availability
24 hours, 7 days a week
Web chat support accessibility standard
None or don’t know
How the web chat support is accessible
As the web chat functionality is currently in design, the features are yet to be finalised.
Web chat accessibility testing
As the web chat functionality is currently in design, the features are yet to be finalised.
Onsite support
Yes, at extra cost
Support levels
Two services are currently offered:
1. Standard office hours support Monday to Friday 9-5.
2. Premium 24/7. Support calls are prioritised according to ITIL standards and actioned appropriately.
Support available to third parties

Onboarding and offboarding

Getting started
We can provide on-site and remote support as well as training for administrators and installers.
Service documentation
Documentation formats
  • HTML
  • Other
Other documentation formats
In application instructions
End-of-contract data extraction
The Freja solution does not store any data to extract.
End-of-contract process
Any configuration no longer required is deleted and the service stops working. This is included within the price.

Using the service

Web browser interface
Supported browsers
  • Internet Explorer 7
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install
Compatible operating systems
  • Android
  • iOS
  • Linux or Unix
  • MacOS
  • Windows
  • Windows Phone
  • Other
Designed for use on mobile devices
Differences between the mobile and desktop service
The secure nature of the product is that the end user installs it on a mobile device or hard token. The desktop management platform can be accessed on a mobile device with the same experience.
Service interface
What users can and can't do using the API
One API is available for authentication integration, and another API is available for the token provisioning service, Freja Self Service Portal. The Authentication API allows developers to authenticate users according to currently configured mechanisms and to query when Freja eID last authenticated a user.
API documentation
API documentation formats
  • Open API (also known as Swagger)
  • HTML
  • PDF
API sandbox or test environment
Customisation available
Description of customisation
Users can decide on the level of security required and appropriate for each service request


Independence of resources
The standard Freja service, with 10 million tokens in a single server's database, has been tested to produce 1000 authentications per second. We are confident our solution has the ability to scale should a user's environment require it.


Service usage metrics
Metrics types
SBL provide detailed analytics relating to the:
- system uptime
- availability
- consumption
- support requests
- service maintenance

SBL will work with the customer to agree on the necessary format, content and schedule of these reports
Reporting types
Regular reports


Supplier type
Reseller providing extra features and support
Organisation whose services are being resold
Verisec Limited

Staff security

Staff security clearance
Conforms to BS7858:2012
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
User control over data storage and processing locations
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least every 6 months
Penetration testing approach
‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
Data sanitisation process
Data sanitisation type
Explicit overwriting of storage before reallocation
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
Data cannot be exported as it is not stored within the solution
Data export formats
Other data export formats
Data import formats
Other data import formats

Data-in-transit protection

Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Other
Other protection between networks
PSN assured and protected service, assured by CESG assured components. All communications with connections infrastructure can be configured to be secure, and the requirements will dictate the level of security applied.
Data protection within supplier network
Other protection within supplier network
The token database is encrypted using AES-256. Each Freja component has a built-in firewall. Each Freja component is only built with the services it needs to function. Further perimeter firewalls and IPS are also utilised.

Availability and resilience

Guaranteed availability
The service availability is 99.5%; guaranteed by contractual commitment
Approach to resilience
We run multiple secure data centres with the capacity to serve 100m users worldwide 24x7.
Outage reporting
Yes, email alerts can be configured and, combined with appropriate SNMP monitoring, allow the system to be suitably monitored.

Identity and authentication

User authentication needed
User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
Access restrictions in management interfaces and support channels
Dedicated devices on a segregated network
Access restriction testing frequency
At least once a year
Management access authentication
  • 2-factor authentication
  • Username or password

Audit information for users

Access to user activity audit information
Users contact the support team to get audit information
How long user audit data is stored for
Access to supplier activity audit information
You control when users can access audit information
How long supplier audit data is stored for
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
Who accredited the ISO/IEC 27001
ISO/IEC 27001 accreditation date
November 2016
What the ISO/IEC 27001 doesn’t cover
N/A full scope is covered
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Other security certifications
Any other security certifications
  • ISO9001
  • RLi & SLi connected datacentre

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance approach
The system's security governance is managed in a way that is analogous to ISO27001:2015; the organisation is looking to be accredited to this in the medium term
Information security policies and processes
The organisation operates in a manner that is analogous to ISO27001:2015; due to the sensitive nature of these processes, further details cannot be provided but will be upon request.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
Once a vulnerability is identified, affected customers are contacted to discuss it. If a workaround is required, it is applied whilst the vulnerability fix is written and tested before being applied to affected customers. Workarounds are available as soon as possible. Hot fixes are generally applied in 3 month cycles.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
Once a vulnerability is identified, affected customers are contacted to discuss it. If a workaround is required, it is applied whilst the vulnerability fix is written and tested before being applied to affected customers. Workarounds are available as soon as possible. Hot fixes are generally applied in 3 month cycles.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
Incident management processes follow the industry standard ITIL model, ISO27001 and industry best practice. SBL deploy a number of tools and processes to identify potential compromises, utilising market leading technologies and solutions.

Upon discovery of a potential compromise, mitigation steps are immediately taken to isolate the incident, minimise any risk and return to normal status as soon as practicable. Due to the security sensitive nature of these processes and procedures, further information cannot be given at this time. Further details will be provided upon request.
Incident management type
Supplier-defined controls
Incident management approach
Reported compromises are monitored and, if any compromises are found, they are assessed; if considered severe enough, a fix is typically made available within 24-48 hrs.

Further details cannot be provided due to the security sensitive nature of these processes, at this stage; however, SBL will provide necessary details upon request.

Secure development

Approach to secure software development best practice
Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks


£0.10 per user per month
Discount for educational organisations
Free trial available
Description of free trial
SBL can provide a proof of concept trial for 30 for evaluation purposes
