We have introduced a new certification process for white label services in the gamma (0.4) publication of the UK digital identity and attributes trust framework. This blogpost explains the new approach and what service providers need to do to get and maintain their certified status.
What we mean by white labelling
In the context of the trust framework, we’re referring to end-user facing services that are created by one company, but that are branded to give the appearance that a completely different company provided them.
White labelling only applies to whole services; not to parts of services. Digital identity services – and digital services in general – are made of complex supply chains with lots of different component vendors, like cloud infrastructure providers. We don’t consider this to be white labelling; that’s just a digital supply chain.
Certification relies on an underpinning service
As part of this new approach, we’re introducing some new scopes for certification:
- Underpinning services are the foundational services that ‘underpin’ a white label service. As part of gamma certification, any service provider that wants to allow their product to be white labelled must seek certification as an underpinning service first. This can then be listed on their certificate.
- White label services are the end-user facing services. A white label service can be certified and can appear on the register of digital identity and attribute services, but only if the service it is white labelling is certified as an underpinning service.
Certificates for the gamma trust framework will include whether a service is certified as an underpinning or white label service, so that the relationship between the organisations is made more explicit and transparent to end-users.
To ensure the integrity of the whole ecosystem, if an underpinning service loses its certification for any reason, the white label services relying on that service will also lose their certification by default.
How these services are assessed
For both underpinning services and white label services, Conformity Assessment Bodies (CABs) will be paying particular attention to the contractual relationship between underpinning service provider and the organisation that is applying its brand to the underpinning service.
The CAB will be looking at whether responsibility, accountability and liability for implementing the trust framework’s rules is clearly defined between both parties, and whether the processes for enforcing that are effective.
They will also be looking at the potential for misleading end-users about whether a white label service is certified or not. The certification process will assess whether an underpinning service provider has effective processes in place to prevent this from happening. It will also look for evidence of whether misleading claims are made about white label services in marketing materials. Similar checks are also being introduced for services that are co-branded, rather than white labelled.
More frequent evaluation cycle
White label services will be subject to a slightly different evaluation cycle than other services. Whereas ordinary services are evaluated by a CAB at least once a year, white label services will be subject to at least 2 evaluations – on the anniversary of the certification for the white label service and also on the anniversary of the certification for the underpinning service.
Speak with a CAB to see how this affects you
This new certification approach provides additional assurance – to members of the public and to relying parties – that there is clear accountability for the operation of a service.
This is the first iteration of the process and we will be building upon it for the 1.0 publication of the trust framework. We will be working closely with CABs and service providers to test and iterate this approach over the coming months. Feel free to send us your feedback.
Leave a comment