To ensure that any citizen data employed is of the highest quality, accurate, contactable and complete, TransUnion's solution will deliver data cleanse, suppression and deceased services that can be flagged against all citizen data and compliantly retained on client databases.
- UK-wide coverage of the highest numbers of movers.
- Data sources include Royal Mail, registrars, hospitals and charities.
- Movers, deceased and opted-in new addresses.
- Information can be retained on site, via batch.
- 500,000 mover updates per month.
- Deceased data endorsed by government organisations e.g. NHS.
- Identify movers to maintain data accuracy.
- Identify deceased to maintain data accuracy.
- Identify new consented contact information on citizens.
- Enables a GDPR-compliant approach to service provision.
£1000 per licence
- Free trial available
8 9 4 7 2 0 3 9 5 1 9 8 7 5 2
0777 321 2093
|Software add-on or extension||No|
|Cloud deployment model||Private cloud|
|System requirements||Not applicable as a data solution.|
|Email or online ticketing support||Email or online ticketing|
|Support response times||Our response times depend on the priority level of the question. All tickets - whether via email or phone - are logged and assigned within 30 minutes, with progress updates provided (if applicable) within two hours, depending on business hours and severity. We aim to resolve the highest priority tickets within four hours (eight hours outside standard business hours) or within five working days for lower priority queries.|
|User can manage status and priority of support tickets||No|
|Phone support availability||9 to 5 (UK time), Monday to Friday|
|Web chat support||No|
|Onsite support||Onsite support|
|Support levels||As agreed in the contract at the time of purchase.|
|Support available to third parties||Yes|
Onboarding and offboarding
|Getting started||Documentation and training will be provided on the Data Cleansing service.|
|Other documentation formats||
|End-of-contract data extraction||N/A|
|End-of-contract process||Data Cleansing Flags can be retained by the end user; new refreshes or updates will cease to be provided.|
Using the service
|Web browser interface||No|
|Application to install||No|
|Designed for use on mobile devices||No|
|Independence of resources||N/A|
|Service usage metrics||No|
|Supplier type||Not a reseller|
|Staff security clearance||Conforms to BS7858:2012|
|Government security clearance||Up to Developed Vetting (DV)|
|Knowledge of data storage and processing locations||Yes|
|Data storage and processing locations||United Kingdom|
|User control over data storage and processing locations||Yes|
|Datacentre security standards||Complies with a recognised standard (for example CSA CCM version 3.0)|
|Penetration testing frequency||At least once a year|
|Penetration testing approach||‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider|
|Protecting data at rest||
|Other data at rest protection approach||• Strong logical access control. Access is given based on least privilege and a need to know basis. • Protective monitoring and event management using LogRhythm as a SIEM. • Sourcefire and Palo Alto IDS. • Checkpoint firewalls. • Monthly vulnerability scanning programme of work. • ISO27001 and PCI DSS compliant.|
|Data sanitisation process||Yes|
|Data sanitisation type||Explicit overwriting of storage before reallocation|
|Equipment disposal approach||A third-party destruction service|
Data importing and exporting
|Data export approach||N/A|
|Data export formats||
|Other data export formats||
|Data import formats||
|Other data import formats||
|Data protection between buyer and supplier networks||Other|
|Other protection between networks||N/A|
|Data protection within supplier network||Other|
|Other protection within supplier network||• Strong logical access control. Access is given based on least privilege and a need to know basis. • Protective monitoring and event management using LogRhythm as a SIEM. • Sourcefire and Palo Alto IDS. • Checkpoint firewalls. • Monthly vulnerability scanning programme of work. • ISO27001 and PCI DSS compliant.|
Availability and resilience
|Approach to resilience||N/A|
Identity and authentication
|User authentication needed||Yes|
|Other user authentication||Each user will have a unique username and password provided, along with company name. TransUnion also utilises the control of IP whitelisting and 24/7 security monitoring.|
|Access restrictions in management interfaces and support channels||A policy of least privilege access is applied across the group to ensure employees only have access to what is required - this is regularly reviewed. Any privileged accounts are rigorously checked prior to granting access, during use and on termination of permissions. Users come under multiple levels of policy regarding accounts and device usage. Networks are highly segmented with monitoring for inter-segment violations. Any sensitive systems are housed in dedicated, secure environments.|
|Access restriction testing frequency||At least once a year|
|Management access authentication||2-factor authentication|
Audit information for users
|Access to user activity audit information||Users have access to real-time audit information|
|How long user audit data is stored for||User-defined|
|Access to supplier activity audit information||Users have access to real-time audit information|
|How long supplier audit data is stored for||User-defined|
|How long system logs are stored for||User-defined|
Standards and certifications
|ISO/IEC 27001 certification||Yes|
|Who accredited the ISO/IEC 27001||BSI|
|ISO/IEC 27001 accreditation date||01/06/2018|
|What the ISO/IEC 27001 doesn’t cover||Nothing is out of scope.|
|ISO 28000:2007 certification||No|
|CSA STAR certification||No|
|Who accredited the PCI DSS certification||One Compliance Cyber Limited|
|PCI DSS accreditation date||09/11/2018|
|What the PCI DSS doesn’t cover||Any area that does not have card data going through it.|
|Other security certifications||Yes|
|Any other security certifications||
|Named board-level person responsible for service security||Yes|
|Security governance certified||Yes|
|Security governance standards||
|Other security governance standards||Security governance is driven top down, from the COO to the group security director, following industry standards such as ISO27001 and PCI DSS.|
|Information security policies and processes||All policies and processes required for ISO27001.|
|Configuration and change management standard||Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402|
|Configuration and change management approach||Designated Change Management team in place and certified to ISO20000.|
|Vulnerability management type||Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402|
|Vulnerability management approach||Monthly vulnerability scanning and remediation process.|
|Protective monitoring type||Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402|
|Protective monitoring approach||24/7 monitoring by SoC team using LogRhythm SIEM technology.|
|Incident management type||Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402|
|Incident management approach||Aligned to ISO27001 and ISO20000.|
|Approach to secure software development best practice||Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)|
Public sector networks
|Connection to public sector networks||No|
|Price||£1000 per licence|
|Discount for educational organisations||No|
|Free trial available||Yes|
|Description of free trial||A data cleanse audit can be conducted as a proof of concept|