Head Light

Talent Cloud

Talent Cloud® is our award-winning Software as a Service Talent Management suite of products, available in both SaaS and on-premise deployment models. The modular suite includes Performance Appraisals, 360-degree feedback, Engagement, Succession Planning, Career Pathways, Skills Audit & Certification.

Features

  • Continuous Performance Management
  • 360-degree Feedback
  • Succession Planning
  • Employee Engagement
  • Career Pathways & Planning
  • Skills Audit & Management
  • Development Planning

Benefits

  • Enhance employee performance
  • Improve employee retention
  • Improve succession planning
  • Enable employee career mobility
  • Improve leadership capability
  • Better HR Management Information
  • Better skills management and development planning

Pricing

£3 to £100 a person a year

  • Education pricing available
  • Free trial available

Service documents

Framework

G-Cloud 12

Service ID

134848346703256

Contact

Head Light
Ian Lee-Emery
Telephone: 01344 63 63 36
Email: ian.lee-emery@head-light.co.uk

Service scope

Software add-on or extension
Yes, but can also be used as a standalone service
What software services is the service an extension to
HRIS, LMS
Cloud deployment model
Public cloud
Service constraints
None
System requirements
Adobe PDF Reader to open PDFs

User support

Email or online ticketing support
Email or online ticketing
Support response times
Typical response is within 1 hour. Only site outage-related queries are processed during weekends.
User can manage status and priority of support tickets
Yes
Online ticketing support accessibility
WCAG 2.1 A
Phone support
Yes
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
No
Onsite support
Yes, at extra cost
Support levels
Helpdesk & Support Levels
Support tickets may be raised on a 24x7 basis using the online web-based Helpdesk system. These tickets will be responded to between the hours of 9:30am and 4:30pm GMT on Monday through Friday (excluding Bank Holidays and other recognised holiday periods in the UK). Our target response times for tickets are as follows:
Priority 1 – Critical
Description: Catastrophic – overall software access is inoperable, resulting in total or major loss of functionality to users, 70%+ of whom are affected; software unusable without any workaround possible.
Target response time: 1 hour
Target resolution time: +2 hours
Priority 2 – Major
Description: Severe – limitations to use of software, major dysfunction with only a difficult workaround; 30%+ of users affected.
Target response time: 2 hours
Target resolution time: +4 hours
Priority 3 – Medium
Description: Component module down, loss of functionality, limited user operations. No simple workaround. Could be a “bug”. Where a workaround has been applied, no impact on operational environment.
Target response time: 24 hours
Target resolution time: +24 hours
Priority 4 – Minor
Description: Software functionality intact, assistance required in configuration or use of product. Minor feature is dysfunctional but has a workaround, or cosmetic defect. Could also be an enhancement request or a request for information.
Target response time: 48 hours
Target resolution time: +48 hours (if applicable)
Support available to third parties
Yes

Onboarding and offboarding

Getting started
Training requirements will vary according to many factors, including the type of training, role being trained for, and the number of people to be trained.
Several training options are available for Talent®, including both free and paid options:
• On-line WebEx training – recorded courses are available at no additional charge.
• Classroom training - classroom training is available on a fee basis.
• Course manuals - course manuals for classroom training offerings are available for free download.
• Customised training - customised training based on your customisations is available on a fee basis.
• Ongoing training - available on a fee basis.
Service documentation
Yes
Documentation formats
PDF
End-of-contract data extraction
Through csv exports, or bespoke data synchronisation
End-of-contract process
Nothing additional

Using the service

Web browser interface
Yes
Supported browsers
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Chrome
  • Safari 9+
Application to install
No
Designed for use on mobile devices
Yes
Differences between the mobile and desktop service
None other than those imposed by the form factor or mobile browser version and OS
Service interface
No
API
Yes
What users can and can't do using the API
Employee record updates only, via programmatic access. The API is based on web services.
API documentation
Yes
API documentation formats
HTML
API sandbox or test environment
Yes
Customisation available
Yes
Description of customisation
The platform and the individual modules are extensively configurable by the customer's Admins themselves. This includes, but is not limited to:
e-mails, screens, terms, definitions, scales, lookups, competences, questionnaires, skills, qualifications, certifications, roles, career path links, talent categories, locations, divisions, regions, administrators, password properties, branding, colours and images, report introductions, deployed features, tab names, mandatory settings, thresholds, anonymity, analytics, development activities.

End-users can customise language settings and content.

Scaling

Independence of resources
Through capacity planning based on user size, scaling of servers and resources once utilisation rises, designing resource intensive tasks to take place during typically 'quiet' hours and designing services that run asynchronously within defined resource parameters.

Analytics

Service usage metrics
Yes
Metrics types
Through on-demand audit logs, event history logs, on-demand analytics, active user counts, disabled account totals
Reporting types
Real-time dashboards

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
No
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least every 6 months
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
Data sanitisation process
Yes
Data sanitisation type
Deleted data can’t be directly accessed
Equipment disposal approach
A third-party destruction service

Data importing and exporting

Data export approach
CSV, Excel, custom XML
Data export formats
  • CSV
  • Other
Other data export formats
XML
Data import formats
CSV

Data-in-transit protection

Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • Other
Other protection between networks
Optional specific IP address authorisation for login access
Data protection within supplier network
TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability
Head Light expects the system to be available 99% during business hours. This equates to total unplanned service outages not exceeding 19.5 hours in any one calendar year.
This is calculated as follows:
52 weeks, 5 days per week, 7.5 hours per day = 1,950 hours per year, 1% therefore being 19.5 hours.
Should the total unplanned outage exceed this, then a Service Credit will be offered at a rate of 1% for every 19.5 hours that the service is unavailable. Service Credits are applied as discounts to subsequent Annual Fees for that affected product or products. Should any outage last longer than 3 hours, we will offer a single 1% Service Credit.
For example, in any one year should service outages equal 25 hours, then 1% discount would be applied to the next year’s fees. If a single service outage lasted 4 hours, then an additional 1% discount would be applied. Total Service Credits are limited to 25%.
Approach to resilience
On Request
Outage reporting
E-Mail Alerts and Helpdesk notices. Additionally via Incident Management Procedures.

Identity and authentication

User authentication needed
Yes
User authentication
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
  • Other
Other user authentication
Password strength and expiry policy is set by Client Admins. Two-factor is achieved through dedicated IP address configuration. ADFS SSO and LDAP supported.
Access restrictions in management interfaces and support channels
Each support user has their own support account on the site that they must activate before they can use it. They request a new password to be generated. It expires after 2 hrs. The support user logs in and is then requested to change the password for the period of the support ticket. The support user then investigates the problem by taking on the persona of the issuer of the ticket. This activity is tracked. Once the problem is resolved, the support account is deactivated until it is required.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Username or password

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users have access to real-time audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
Yes
Who accredited the ISO/IEC 27001
British Assessment Bureau
ISO/IEC 27001 accreditation date
29/10/2018
What the ISO/IEC 27001 doesn’t cover
N/A
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Other security certifications
No

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
ISO/IEC 27001
Information security policies and processes
Our Information Security Policy is designed to comply with the requirements of GDPR and ISO27001. We are registered with the ICO as a data Processor. A designated Security Officer is appointed with responsibility to ensure all employees and contractors are aware of the Data Classification and Data Handling regulations. All employees sign a 'Security Aspects Letter' to ensure they are aware of their individual and collective responsibilities and the rights of Data Subjects. In brief, all Personal data is to be encrypted in transit and not sent via e-mail, passwords are to be 'strong' and not guessable, Administrative accounts are not to be shared. Copies and archives are to be disposed of in the correct manner. Checks are made periodically to ensure compliance. Training/re-training is conducted annually.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
We keep an inventory of the 3rd party components used as part of our service that are in addition to the managed OS platform provided by Rackspace. On each new release of a 3rd party component, we validate its security credentials with the provider and stage it in our operating environment. We then routinely challenge the platform with automated test tools to ensure that no vulnerabilities are created. We then include the new component as part of the next release and update our inventory.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
Our managed virtualised environment provided by Rackspace ensures that the hosting environment, OS and IIS are hardened and any vulnerabilities are identified and fixes applied. We monitor Microsoft Developer Network boards and other boards such as Stack Overflow for any additional suggestions of new threats. We also review communications from Qualys, a provider of penetration test tools.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
Our activity logs record items such as login failures, password resets, cross-site forgery attacks and so on. We also record any source IP addresses and check those with reputable sites that record suspect activity. The site has automated monitoring to disable user access and take the site offline in the event of a detected Advanced Persistent Threat. The hypervisor deals with attacks such as DDoS. Any events are sent to our support desk.
Incident management type
Supplier-defined controls
Incident management approach
We have an Incident Response Policy for any events that have the potential to affect Service Availability or Security. If users suspect any activity, they can call, e-mail or raise calls on our HelpDesk using the 'Critical' priority. This ensures that it is progressed within 15 minutes of any suspected incident. Any events raised at Critical are updated every 30 minutes on the Helpdesk. Any additional communications targets are added to the Helpdesk so that they receive the incident updates. Once a Critical item is closed, a formal response report is created.

Secure development

Approach to secure software development best practice
Supplier-defined process

Public sector networks

Connection to public sector networks
No

Pricing

Price
£3 to £100 a person a year
Discount for educational organisations
Yes
Free trial available
Yes
Description of free trial
90-day trial, full service.
