Permissions is a cloud-based offering providing machine-readable APIs and human interfaces to manage consents for individuals and organisations. Designed to be the single source of truth for consent, it captures, stores and updates individual citizens' data consents, based on what (data), who (has access) and why (purpose).
- Configurable data sets
- Organisation or call centre portal
- Consent Management
- Open API
- Bulk imports of existing data relating to consents
- Audit Trail
- Salesforce Connector
- CRM Integration
- Risk is reduced as Permissions helps you meet GDPR
- Single source of truth for consented data usage
- Ease of integration with all systems using open APIs
- Support agents can complete the consent process remotely
- To ensure GDPR compliance, all changes are logged and traceable.
- Personal information stored in a sovereign, assured cloud platform
£0.0074 per person per month
MyLife Digital Limited
01225 636 280
|Software add-on or extension||Yes, but can also be used as a standalone service|
|What software services is the service an extension to||Permissions can be used either as a connector to, or as an extension of, existing CRM systems|
|Cloud deployment model||Public cloud|
All users will keep their password confidential, secure and change it at reasonable intervals
Whilst using our platform you must not use the Consentric services in any way that may cause either damage to the service or make it unavailable.
Any use of the Consentric platform must be lawful, legal and not fraudulent or harmful in any way.
|Email or online ticketing support||Email or online ticketing|
|Support response times||All requests receive email confirmation on raising a ticket detailing unique reference number, whilst providing an easy mechanism for the user to provide subsequent updates and information by simply replying to it. More detailed responses will be based on ticket priorities and associated SLA times within the agreed hours of service e.g. all Critical events will receive a response within 15 minutes and updates every hour thereafter, with an expected solution within 12 working hours of the response|
|User can manage status and priority of support tickets||No|
|Phone support availability||9 to 5 (UK time), Monday to Friday|
|Web chat support||No|
|Onsite support||Yes, at extra cost|
|Support levels||User support is provided by a Technical Service Desk providing 1st and 2nd line support with a high first-time fix rate. It provides a single point of contact for all support requests, logging each one in a service desk tool and adhering to SLAs based on a priority matrix and response/resolution times. It manages all contacts on behalf of the requestor, escalating and liaising with the relevant 3rd line teams, ensuring a timely response that meets user expectations. It coordinates all service communications (e.g. downtime, feature releases), ensuring concise and easily understood messages are conveyed to users. In addition, a dedicated Service Manager ensures all clients receive the agreed service package and commitment, following reactive, preventive and proactive maintenance to ensure outstanding quality of service, using service reporting on Availability, Maintainability, Reliability, Stability, Performance and Security to drive a continuous service improvement programme. All support teams are governed by an ITIL v3 framework, which is well adopted, ensuring a consistent and guaranteed level of support is provided. This includes a comprehensive Major Incident and Security Incident procedure, which is not only designed to be quick to respond, but ensures any resource across the entire business is available to support the resolution.|
|Support available to third parties||Yes|
Onboarding and offboarding
We provide API documentation for users to set up their application.
Onsite training and online training guides will be provided in accordance with the buyer's needs.
|End-of-contract data extraction||We can provide a full download of data at the end of the contract including an export of consent amend history|
Our approach is tailored as much as possible to the client's requirements but will typically involve:
- An audit of the organisation's data relating to citizens, and its current consent status for use by the organisation.
- Creation of a customised consents matrix (what, why, where, when, who) for the organisation. Alternatively, our pre-configured, sector-specific consent matrices can be used.
- The ingestion, onto the Consentric platform, of a customer data file containing the citizen records and any historical consents.
- The setting of policy rules within the platform to reflect the organisation's data protection policies.
- The creation and set-up of organisation portal user accounts, with the correct system privileges and settings.
- Full training for organisational portal users, and other admin users (e.g. the IT department).
- Full integration and user acceptance testing with other (e.g. CRM) systems.
At the point of termination the customer can extract their data over the API. The data stored on the Permissions platform will then be deleted.
Using the service
|Web browser interface||Yes|
|Application to install||No|
|Designed for use on mobile devices||Yes|
|Differences between the mobile and desktop service||There are no feature differences between the mobile and desktop service but the service is optimised for desktop use|
|Accessibility standards||None or don’t know|
|Description of accessibility||N/A|
|What users can and can't do using the API||API users can configure the Consent Matrix and data controller details for their application. They can populate citizen records and their consents, individually and in bulk, query citizens' consents and export the history of consents. API users cannot initiate creation of new applications without contacting support.|
|API documentation formats||
|API sandbox or test environment||Yes|
|Description of customisation||API can be used to configure the Consent Matrix|
|Independence of resources||Our microservice architecture efficiently distributes load over horizontally scaled, cloud-hosted VMs, with monitoring and resource orchestration to ensure quality of service for multi-tenant users.|
|Service usage metrics||Yes|
Service reporting is based on the following metrics, at a monthly frequency (although this will be discussed and agreed with the Client):
- Availability and service uptime levels
- Performance and capacity levels
- New tickets raised and closed, categorised by priority, including response and resolution times
- Maintainability and mean time to repair, number of problems
|Reporting types||Regular reports|
|Supplier type||Not a reseller|
|Staff security clearance||Other security clearance|
|Government security clearance||Up to Baseline Personnel Security Standard (BPSS)|
|Knowledge of data storage and processing locations||Yes|
|Data storage and processing locations||United Kingdom|
|User control over data storage and processing locations||No|
|Datacentre security standards||Complies with a recognised standard (for example CSA CCM version 3.0)|
|Penetration testing frequency||At least every 6 months|
|Penetration testing approach||Another external penetration testing organisation|
|Protecting data at rest||
|Other data at rest protection approach||MLD is a UK company operating entirely within the jurisdiction of UK law, therefore all customer data is processed in compliance with all applicable UK law including the Data Protection Act 1998. MLD is also prepared for legislation changes and the Consentric Platform conforms to GDPR ahead of its introduction in 2018. Independent IT Security Health Check tests validate the physical security of the compute, storage and networking infrastructure, and that data is securely and irrevocably deleted. This includes laptop hard disk encryption and a number of specific ISO 27001 technical controls.|
|Data sanitisation process||Yes|
|Data sanitisation type||
|Equipment disposal approach||Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001|
Data importing and exporting
|Data export approach||Users can export their data using the API. Alternatively, a full structured data download can be made available to port across to other services.|
|Data export formats||
|Other data export formats||JSON|
|Data import formats||
|Other data import formats||JSON|
|Data protection between buyer and supplier networks||
|Other protection between networks||TLS (version 1.2) or SSL-encrypted sessions protect MLD services. Customers are expected to use SSL/TLS, or similar, to protect their own application over the internet. Traffic between MLD's data centres is protected using CESG-assured (CAS(T)) dedicated fibre circuits. A secure API proxy service protects exposed vendor APIs.|
|Data protection within supplier network||
|Other protection within supplier network||MLD is prepared for legislation changes and the Consentric Platform conforms to GDPR ahead of its introduction in 2018. Independent IT Security Health Check tests validate the physical security of the compute, storage and networking infrastructure, and that data is securely and irrevocably deleted.|
Availability and resilience
MLD will aim to provide at least a 99.9% uptime service availability level (Uptime Service Level) to all services within the agreed Service Level Grouping.
MLD will express service availability at the service level. This will ensure service availability monitoring is accurate and reflective of customer experience. MLD deploys measures to ensure sufficient resilience, so that a service can remain available even when one of its components is unavailable.
All measurements are performed at five-minute intervals. Availability measurement is based on the monthly average percentage availability, calculated at the end of each calendar month as the total actual uptime minutes divided by the total possible uptime minutes in the month.
Where availability falls below the SLA, the customer organisation must request service credits within 10 business days of the event. Where this has been followed, credits will be applied to the customer organisation at the agreed rate based on the availability level achieved.
|Approach to resilience||MLD services are hosted in two highly secure UK data centres and adjacent UK operations centres, separated by more than 100 km for excellent geo-resilience while maintaining UK sovereignty. Both secure UK data centres are subject to rigorous periodic inspection and independent validation of their security controls (e.g. physical perimeter, manned guarding, CCTV, access control systems, etc.) by CESG and Government Department Accreditors. MLD is a UK company operating entirely within the jurisdiction of UK law, therefore all customer data is processed in compliance with all applicable UK law including the Data Protection Act 1998.|
|Outage reporting||As part of the Technical Service Desk function, all service communications are sent to users reporting any outages, the action taken and the resolution applied. Throughout an outage, regular updates will be sent ensuring the user feels constantly updated and aware of the situation.|
Identity and authentication
|User authentication needed||Yes|
|Access restrictions in management interfaces and support channels||Access control is managed by the Technical Service Desk, ensuring all new access, or changes to existing access, are first approved by the Line Manager and, if required, functional leads. Once the appropriate approval has been received, access is given and documented. Any such access is role-based, ensuring the correct level of permission is given relevant to the requirement. For all production systems, additional levels of authentication are required on top of the default username and complex password.|
|Access restriction testing frequency||At least every 6 months|
|Management access authentication||Other|
Audit information for users
|Access to user activity audit information||Users have access to real-time audit information|
|How long user audit data is stored for||At least 12 months|
|Access to supplier activity audit information||Users have access to real-time audit information|
|How long supplier audit data is stored for||At least 12 months|
|How long system logs are stored for||At least 12 months|
Standards and certifications
|ISO/IEC 27001 certification||Yes|
|Who accredited the ISO/IEC 27001||Lloyd's Register Quality Assurance Ltd.|
|ISO/IEC 27001 accreditation date||09/02/2017|
|What the ISO/IEC 27001 doesn’t cover||Nothing. The scope of the MyLife Digital Information Security Management System is the whole company, with no exclusions.|
|ISO 28000:2007 certification||No|
|CSA STAR certification||No|
|Other security accreditations||No|
|Named board-level person responsible for service security||Yes|
|Security governance accreditation||Yes|
|Security governance standards||
|Other security governance standards||Cyber Essentials (IASME)|
|Information security policies and processes||MyLife Digital is governed by an integrated suite of information security policies. Under the top-level Information Security Policy itself are second-level documents for Acceptable Use, Antivirus Protection, Asset Management, Business Continuity, Data Protection, Password Management, Personnel Management, Supply Chain Management and many others.|
|Configuration and change management standard||Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402|
|Configuration and change management approach||MyLife Digital has documented configuration and change management processes; these have been implemented in accordance with the guidance from ITIL v3 and the current ISO 20000 standard. Formal configuration management and asset reporting is validated every day, and a robust process for change requests leads to formal Change Advisory Board assessments.|
|Vulnerability management type||Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402|
|Vulnerability management approach||MLD has a documented vulnerability management policy and process that have been implemented, maintained and assessed in accordance with the guidance from ITIL v3 and ISO 27001 standards. Real-time updates and status reports are identified and sourced from credible vendor sources that cover a significant proportion of MLD's asset population; for example, all derived artefacts are scanned for known CVEs via automated processes in the continuous delivery pipeline. We work with external security companies to provide us with a feed of known and zero-day exploits that are pertinent to our software and infrastructure.|
|Protective monitoring type||Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402|
|Protective monitoring approach||Building upon the foundation of UK Cloud's enhanced protective monitoring services (SIEM), the Consentric Permissions platform utilises both proactive real-time monitoring and retention of log files via an isolated immutable data lake. GPG-13 PMC1-9 controls are used on various touch points and boundaries to provide real-time information and then alerting (immediately via a number of channels) if suspicious activity breaches the defined scope of normal behaviour. For further analysis of a potential issue, the isolated immutable data lake can be interrogated; it stores data from all operational tiers of the architecture in a fast, searchable format.|
|Incident management type||Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402|
|Incident management approach||All incidents are reported to the Technical Service Desk and as such are logged in the Service Desk tool with a unique reference. Email and telephone support is available depending on the agreed service package. All contacts are verified for authenticity to ensure the individual reporting the incident is genuine. Incident assessment, categorisation and diagnosis will then follow, ensuring all actions are tracked within the ticket and within the desired response and resolution time. Categorisation will ensure the reported incident is (a) actually an incident, (b) assigned its correct priority and (c) given some assessment of the ease of resolution.|
|Approach to secure software development best practice||Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)|
Public sector networks
|Connection to public sector networks||No|
|Price||£0.0074 per person per month|
|Discount for educational organisations||No|
|Free trial available||No|