Identity & access for public sector.

Government identity built to GDS and security assurance standards. Workforce, citizen, and cross-department access on one accredited platform.

Overview

Identity & access infrastructure for public sector, built to the standard at which institutions in this sector are required to operate.

XVICA designs, builds, and operates this layer for public sector clients in the UK, US, Canada, and Australia. The work is specified against the regulatory regime, the operational profile, and the examination expectations of this sector before any code is written.

01 Why it matters

What public sector cannot get wrong here.

  • Citizen identity is a trust relationship with government, not a product funnel.
  • Access to personal data must survive Parliamentary scrutiny.
  • Machinery-of-government changes move populations of users across departments overnight.
  • Cross-department federation is a standing problem, not a project.

02 Regulatory posture

Named regimes, mapped controls

Regulatory requirements are translated into explicit control requirements, then mapped to tests and evidence collection. Nothing is implied.

UK government frameworks

Service Standard, Technology Code of Practice, Secure by Design, GDS identity assurance principles, and the Government Functional Standard for Security (GovS 007).

Security assurance

OFFICIAL and OFFICIAL-SENSITIVE by default; classified environments via accredited infrastructure and vetted personnel.

Data protection & accessibility

UK GDPR, Data Protection Act 2018, PSN CoCo where applicable, and WCAG 2.2 AA as a minimum for user-facing surfaces.

03 Reference architecture

Design decisions distinctive to this intersection

Components and design choices that recur across our work for this sector. Each deployment is specified individually.

Assurance-level aware

IAL/AAL/FAL levels mapped explicitly. A service using citizen identity declares what assurance it needs and enforces it.

Federation across departments

Cross-department access without duplicating identity. Federation contracts expressed as policy-as-code.

Machinery-of-government portability

Populations can move between departments without starting identity from scratch. Sovereignty of the data stays with the new owner.

Accessibility as an assurance property

WCAG 2.2 AA at minimum; accessibility tested as part of the service assessment, not after.

Open standards, documented

OIDC and SAML with published metadata. No hidden contracts. Easier oversight, easier supplier substitution.

04 XVICA's approach

How we work in public sector.

Public-sector identity is not principally a technical problem; it is a trust arrangement the citizen has with the state, mediated by software. We build with that in mind. The assurance decisions — how confidently the system knows who is on the other end — are surfaced explicitly rather than assumed, because the service assessment, the Parliamentary question, and the FOI request all eventually ask the same thing in different words. Cross-department federation and the periodic machinery-of-government reshuffle are treated as recurring design constraints rather than emergencies: populations can move without restarting from zero, and the sovereignty of citizen data follows the ownership of the service rather than the convenience of the supplier.

Identity & access infrastructure for public sector.

Request a confidential briefing. We assess alignment and outline how XVICA can support your objectives in this sector.