MyLife Digital Limited

MyLife Digital: The Consentric Platform

Permissions is a cloud based offering providing machine readable APIs and human interfaces to manage consents for individuals and organisations. Designed to be the single source of truth for consent it captures, stores and updates individual citizens’ data consents, based on what (data), who (has access) and why (purpose).

Features

  • Configurable data sets
  • Organisation or call centre portal
  • Consent Management
  • Open API
  • Bulk imports of existing data relating to consents
  • Audit Trail
  • Salesforce Connector
  • CRM Integration

Benefits

  • Risk is reduced as Permissions helps you meet GDPR
  • Single source of truth for consented data usage
  • Ease of integration with all systems using open APIs
  • Support agents can complete the consent process remotely
  • To ensure GDPR compliance, all changes are logged and traceable.
  • Personal information stored in a sovereign, assured cloud platform

Pricing

£0.0074 per person per month

Service documents

G-Cloud 9

911824080513785

MyLife Digital Limited

Debbie Betteridge

01225 636 280

dbetteridge@mylifedigital.co.uk

Service scope

Service scope
Software add-on or extension Yes, but can also be used as a standalone service
What software services is the service an extension to Permissions can be used either as a connector with or an extension to CRM systems and as an extension to existing CRM systems
Cloud deployment model Public cloud
Service constraints All users will keep their password confidential, secure and change it at reasonable intervals
Whilst using our platform you must not use the Consentric services in any way that may cause either damage to the service or make it unavailable.
Any use of the Consentric platform must by lawful, legal and not fraudulent or harmful in any way.
System requirements
  • HTTP 1.1
  • TLSv1.2+
  • Content Type: application/json
  • Authorization with Bearer tokens

User support

User support
Email or online ticketing support Email or online ticketing
Support response times All requests receive email confirmation on raising a ticket detailing unique reference number, whilst providing an easy mechanism for the user to provide subsequent updates and information by simply replying to it. More detailed responses will be based on ticket priorities and associated SLA times within the agreed hours of service e.g. all Critical events will receive a response within 15 minutes and updates every hour thereafter, with an expected solution within 12 working hours of the response
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support No
Onsite support Yes, at extra cost
Support levels User support is provided by a Technical Service Desk providing 1st and 2nd line support with a high first time fix rate. It provides a single point of contact for all support requests, logging each one in a service desk tool, adhering to SLAs based on a priority matrix and response/resolution times. It manages all contacts on behalf of the requestor, escalating and liaising with the relevant 3rd line teams, ensuring a timely response that meets user expectations. They coordinate all Service communications i.e. downtime, feature releases, ensuring concise and easily understood messages are conveyed to users. In addition, a dedicated Service Manager, ensures all Clients receive the agreed service package and commitment, following reactive, preventive and proactive maintenance to ensure outstanding quality of services, using service reporting on Availability, Maintainability, Reliability, Stability, Performance and Security to drive a continuous service improvement programme. All support teams are governed by an ITILv3 framework which is will adopted ensuring a consistent and guaranteed level is support is provided. This includes a comprehensive Major Incident and Security Incident procedure, which is not only designed to be quick to respond, but ensures any resource across the entire business, is available to support the resolution.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started We provide API documentation for users to set up their application.
Onsite training and online training guides will be provided in accordance with the buyers needs
Service documentation Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction We can provide a full download of data at the end of the contract including an export of consent amend history
End-of-contract process Our approach is tailored as much as possible by the clients requirements but will typically involve:
An audit of the organisation’s data relating to citizens, and its current consent status for use by the organisation.
Creation of a customised consents matrix (what, why, where, when, who) for the organisation. Alternatively, our pre-configured, sector-specific consent matrices can be used.
The ingestion, onto the Consentric platform, of a customer data file containing the citizen records and any historical consents.
The setting of policy rules within the platform to reflect the organisation’s data protection policies.
The creation and set up of organisation portal user accounts, with the correct system privileges and settings.
Full training for organisational portal users, and other admin users (e.g. the IT department).
Full integration and user acceptance testing with other (e.g. CRM) systems.
At the point of termination the customer can extract their data over the API. The data stored on the Permissions platform will then be deleted.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 10+
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service There are no feature differences between the mobile and desktop service but the service is optimised for desktop use
Accessibility standards None or don’t know
Description of accessibility N/A
Accessibility testing N/A
API Yes
What users can and can't do using the API API users can configure the Consent Matrix and data controller details for their application. They can populate citizen records and their consents, individually and in bulk. Query citizens consents and export history of consents. API users cannot initiate creation of new applications without contacting support.
API documentation Yes
API documentation formats
  • Open API (also known as Swagger)
  • PDF
API sandbox or test environment Yes
Customisation available Yes
Description of customisation API can be used to configure the Consent Matrix

Scaling

Scaling
Independence of resources Our microservice architecture efficiently distributes load over horizontally scaled, cloud hosted VMs, with monitoring and resource orchestration to ensure quality of service for multi tenant users.

Analytics

Analytics
Service usage metrics Yes
Metrics types Service reporting is based on the following metrics, based on a monthly frequency (although this will be discussed and agreed with the Client)
Availability and service uptime levels
Performance and Capacity levels
New Tickets Raised and Closed categorised by Priority including response and resolution times
Maintainability and mean time to repair, no of problems
Reporting types Regular reports

Resellers

Resellers
Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Other security clearance
Government security clearance Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations No
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least every 6 months
Penetration testing approach Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Other
Other data at rest protection approach • MLD is a UK company operating entirely within the jurisdiction of UK law, therefore all customer data is processed in compliance with all applicable UK law including the Data Protection Act 1998. MLD is also prepared for legislation changes and the Consentric Platform conforms to GDPR ahead of the introduction in 2018.

• Independent IT Security Health Check tests validate the physical security of the compute, storage and networking infrastructure, and that data is securely and irrevocably deleted

This includes laptop hard disk encryption and a number of specific ISO 27001 technical controls
Data sanitisation process Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data importing and exporting
Data export approach Users can export their data using the API
Alternatively a full structured data download can be available to port across to other services
Data export formats
  • CSV
  • Other
Other data export formats JSON
Data import formats
  • CSV
  • Other
Other data import formats JSON

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • Other
Other protection between networks TLS (version 1.2) or SSL-encrypted sessions protect MLD services.
SSL/TLS, or similar, to protect their application over the internet.
Traffic between MLD’s data centres is protected using CESG-assured (CAS(T)) dedicated fibre circuits.
Secure API proxy service protects exposed vendor APIs
Data protection within supplier network
  • TLS (version 1.2 or above)
  • Other
Other protection within supplier network MLD is prepared for legislation changes and the Consentric Platform conforms to GDPR ahead of the introduction in 2018.
Independent IT Security Health Check tests validate the physical security of the compute, storage and networking infrastructure, and that data is securely and irrevocably deleted.

Availability and resilience

Availability and resilience
Guaranteed availability MLD will aim to provide at least a 99.9% uptime service availability level (Uptime Service Level) to all services within the agree Service Level Grouping
MLD will express service availability at the service level. This will ensure service availability monitoring is accurate and reflective of customer experience. MLD deploy measures to ensure sufficient resilience i.e. a service may be available but a service component is unavailable.

All measurements are performed at five-minute intervals. Availability measurement is based on the monthly average percentage availability, calculated at the end of each calendar month as the total actual uptime minutes divided by total possible uptime minutes in the month.
Where availability falls below SLA, the customer organisation must request within 10 business days of the event. Where this has been followed, credits will be applied to the customer organisation at the agreed rate based on the availability level
Approach to resilience MLD services are hosted in two highly secure UK data centres and adjacent UK operations centres, separated by more than 100 km for excellent geo-resilience while maintaining UK sovereignty.

Both secure UK data centres are subject to rigorous periodic inspection and independent validation of their security controls (e.g. physical perimeter, manned guarding, CCTV, access control systems, etc.,) by CESG and Government Department Accreditors.

MLD is a UK company operating entirely within the jurisdiction of UK law, therefore all customer data is processed in compliance with all applicable UK law including the Data Protection Act 1998.
Outage reporting As part of the Technical Service Desk function, all service communications are sent to users reporting any outages, the action taken and the resolution applied. Throughout an outage, regular updates will be sent ensuring the user feels constantly updated and aware of the situation.

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
Access restrictions in management interfaces and support channels Access control is managed by the Technical Service Desk, ensuring all new or changes to existing access are firstly approved by Line Manager and if required functional leads. Once the appropriate approval has been received, access is given and documented. Any such access is role based, ensuring the correct level of permission is given relevant to the requirement. For all production systems, additional levels of authentication is required on top of the default username and complex passwords.
Access restriction testing frequency At least every 6 months
Management access authentication Other

Audit information for users

Audit information for users
Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for At least 12 months
Access to supplier activity audit information Users have access to real-time audit information
How long supplier audit data is stored for At least 12 months
How long system logs are stored for At least 12 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 Lloyd's Register Quality Assurance Ltd.
ISO/IEC 27001 accreditation date 09/02/2017
What the ISO/IEC 27001 doesn’t cover Nothing. The scope of the MyLife Digital Information Security Management System is the whole company, with no exclusions.
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security accreditations No

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance accreditation Yes
Security governance standards
  • ISO/IEC 27001
  • Other
Other security governance standards Cyber Essentials (IASME)
Information security policies and processes MyLife Digital is governed by an integrated suite of information security policies. Under the top-level Information Security Policy itself are second-level documents for Acceptable Use, Antivirus Protection, Asset Management, Business Continuity, Data Protection, Password Management, Personnel Management, Supply Chain Management and many others.

Operational security

Operational security
Configuration and change management standard Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach MyLife Digital has documented configuration and change management processes, these have been implemented in accordance with the guidance from ITIL v.3 and the current ISO20000 standard. Formal configuration management and asset reporting is validated every day, and a robust process for change requests .leads to formal Change Advisory Board assessments.
Vulnerability management type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach MLD has a documented vulnerability management policy and process that have been implemented, maintained and assessed in accordance with the guidance from ITIL v.3 and ISO27001 standards. Real-time updates and status reports are identified and sourced from credible vendor sources that cover a significant proportion of MLD's asset population. For example, scanning of all derived artefacts for known CVE's via automated processes in the continuous delivery pipeline. We work with external security companies to provide us a feed of known and zero day exploits that are pertinent to our software and infrastructure.
Protective monitoring type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach Building upon the foundation of UK Clouds enhanced protective monitoring services (SIEM), the Consentric Permissions platform utilises both proactive real-time monitoring and retention of log files via an isolated immutable data lake. GPG-13 PMC1-9 controls are used on various touch points and boundaries to provide real-time information and then alerting (immediately via a number of channels) if suspicious activity outside the defined scope of normal behaviour is breached . For further analytics into a potential issue, an isolated immutable data lake can be interrogated. This stores data from all operations tiers of the architecture in a fast searchable format.
Incident management type Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach All incidents are reported to the Technical Service Desk and as such are logged in the Service Desk tool with a unique reference. Email and telephone support is available depending on the agreed service package. All contacts are verified for authenticate to ensure the individual reporting the incident is genuine. Incident assessment, categorisation and diagnosis will then follow, ensuring all actions are tracked within the ticket, and within the desired response and resolution time. Categorisation will ensure the reported incident is (a) actually an incident, (b) its correct priority and (c) some assessment of the ease of resolution.

Secure development

Secure development
Approach to secure software development best practice Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Public sector networks
Connection to public sector networks No

Pricing

Pricing
Price £0.0074 per person per month
Discount for educational organisations No
Free trial available No

Documents

Documents
Pricing document View uploaded document
Service definition document View uploaded document
Terms and conditions document View uploaded document
Return to top ↑