Think Learning

Totara Learn Mobile First

Totara Learn Mobile First combines the functionality of the Totara Learn learning management system (LMS) platform with a native Mobile App (published to the Google and Apple app stores) which can be implemented quickly, to provide a solution which is highly customisable and cost effective.


  • Personalised learning paths
  • Secure and cloud hosted
  • Fully responsive user interface (mobile and desktop)
  • Mandatory training and compliance
  • Blended and elearning
  • Report builder and dashboards
  • Single Sign-On (SSO) and HRMS integration
  • Push notifications to mobiles
  • Social learning
  • Offline learning (with automatic sync)


  • Personalised learning paths for different staff groups and roles
  • Data is 100% secure, cloud hosted, fully maintained and backed-up
  • User interface adjusts seamlessly depending on what device is used
  • Customisable mandatory training refresh periods for real-time compliance data
  • Manage different types of learning within a single course
  • Interactive and colour-coded reports to help users proactively manage compliance
  • Single sign-on creates a streamlined experience to facilitate employee on-boarding
  • Push notifications to supplement standard email notifications
  • Improved staff engagement through social learning and networking
  • Downloading learning activities to mobile device for offline completion


£11670 to £50980 per instance per year

  • Education pricing available
  • Free trial available

Service documents


G-Cloud 11

Service ID

1 6 6 5 8 7 8 2 8 3 1 1 8 7 4


Think Learning

Shaun Wilde

0117 407 0237

Service scope

Software add-on or extension
Cloud deployment model
  • Public cloud
  • Private cloud
Service constraints
Planned downtime for scheduled updates/upgrades, pre-agreed with clients for maximum convenience/efficiency, and minimum disruption to end-users.
System requirements
  • PC or Mac: Windows 7+, Mac OS X 10.5+
  • Client-side Java Script required for administration pages
  • Tablet or Smartphone: Android, iOS

User support

Email or online ticketing support
Email or online ticketing
Support response times
Our standard response time within UK business hours:
- Critical: 1 hour
- High: 4 hours
- Medium: 8 hours
- Low: 16 hours
User can manage status and priority of support tickets
Online ticketing support accessibility
WCAG 2.1 AA or EN 301 549
Phone support
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Onsite support
Yes, at extra cost
Support levels
Online support (2nd line) = within the support contract;
Technical support (3rd line) and maintenance = within the support contract;
Support (consultancy) = optional within the support contract.
Support available to third parties

Onboarding and offboarding

Getting started
Prior to go live, system administrators are trained onsite and via webinars. After go live, system administrators have access to online training and certification, and an online user documentation portal. In addition, system administrators have ongoing support via the Think Learning Helpdesk, and via optional onsite support from the Client Services team.
Service documentation
Documentation formats
End-of-contract data extraction
If you move from a Totara service with us, to a service with another Totara partner, we will provide you with a copy of all user data so that your new partner can migrate your data to your new service. We will not provide copies of bespoke Totara code developments because each Totara partner is responsible for their own Totara code, and code created by our clients is for use by our client community only. We can provide additional help in migration, either using remaining support budget or for an additional support fee.
We purge all client data from servers and all historic backups.
End-of-contract process
The off-boarding process is included in the price of the contract (provide client/new supplier with all data, purge client data at agreed timescale), any additional actions would be at additional cost.

Using the service

Web browser interface
Supported browsers
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install
Designed for use on mobile devices
Differences between the mobile and desktop service
This product can be accessed via the native App (available on the Google and Apple app stores) and via the web version, written in-line with industry web standards including XHTML, HTML5, and ECMAScript 5.1 (commonly referred to as JavaScript). The Totara Learn website will display in any browser on any device, that supports these standards, utilising responsive theming (for all site users). The Mobile App interface is written specifically for Android and Apple devices, with specific LMS features being made available to learners (not administrators), including push notifications and offline learning capability.
Service interface
What users can and can't do using the API
AMF, REST, SOAP and XML-RPC can be utilised within Totara and implemented on request by the technical team to integrate external systems such as payroll and HR systems. SCORM, AICC and xAPI can be utilised for elearning and set by the user within external authoring technologies. (elearning accessed via the AICC standard cannot be played offline in the Mobile App)
API documentation
API documentation formats
API sandbox or test environment
Customisation available
Description of customisation
Totara has high configurability built into the system administration menu and this includes the user interface colours and layout. Totara is a permissions-based system so anyone with the appropriate level of permission can make the customisations. Customisation is at the site level, the course level and at the workflow level when designing performance processes such as appraisal reviews. At the course level, there are a range of course creation options and activities that are customisable including the layout of the activities, and the design of online assessments. There is a report builder where the appropriate users can customise reports and dashboards.


Independence of resources
Totara is hosted on scalable cloud servers that are monitored 24/7 using performance monitoring software


Service usage metrics
Metrics types
The report source for service metrics is called 'Site Logs' for site-wide user activity logging. This system logging gives administrators the ability to see which pages a learner has accessed, time/date they accessed, the IP address, and site actions (view, add, update, delete). These logs can be displayed on a page or downloaded in text, ODS, Excel.
We also provide free site activity tracking reports (from a web analytics application) to provide rich data around LMS in-page time spent, bounces, geographical access and device/browser intelligence.
Reporting types
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least every 6 months
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
Physical access control, complying with another standard
Data sanitisation process
Data sanitisation type
Deleted data can’t be directly accessed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
Totara Learn is GDPR compliant and has the ability for an individual user to export all data linked to them. The format of each item of exported data is equivalent to its storage method in the application's database (e.g. course names/completion dates, or numerical values that represent status). Totara Learn also provides capabilities for export in the application (e.g. Report Builder, Record of Learning). This approach can be useful for an individual wanting, for example, to take their completion data (courses, competencies, certifications) with them to a new employer.
Data export formats
  • CSV
  • ODF
  • Other
Other data export formats
Data import formats
  • CSV
  • Other
Other data import formats
External system or database integration

Data-in-transit protection

Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • Legacy SSL and TLS (under version 1.2)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability
We work to make your System available for use over the internet 24 hours per day, 7 days per week. We commit to no more than 0.1% of the year of unscheduled downtime (total inaccessibility to your Totara site), with service credits if we don’t meet this commitment (based on additional free weeks of hosting/maintenance service). Planned maintenance is excluded from the calculation. At least 5 working days of notice will be provided for any maintenance taking place between 5pm and 8am. At least 10 working days of notice will be provided, for any maintenance taking place between 8am and 5pm. Your Totara site will be monitored via health checks at the platform layer.
Approach to resilience
Our data centre partner provides a national network built with resilience in mind. The core and data centre networks benefit from 10Gbps of connectivity and are designed to transparently tolerate the failure of any link or piece of equipment. Our business continuity strategy also includes extra backups, utilising Amazon's UK-based datacentres.
Outage reporting
We report outages through Think Learning Helpdesk notifications, email alerts, and by phone, as relevant.

Identity and authentication

User authentication needed
User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
Access restrictions in management interfaces and support channels
Totara utilises role-based access control for named system administrators and managers. The individuals, Totara system administration and management roles, and specific configuration access are specified and agreed as part of the implementation. The named system administrators also have access to technical support via the Think Learning Helpdesk.
This is routinely audited, as part of ISO27001 accreditation.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Username or password

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
Between 6 months and 12 months
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
Between 6 months and 12 months
How long system logs are stored for
Between 6 months and 12 months

Standards and certifications

ISO/IEC 27001 certification
Who accredited the ISO/IEC 27001
ISO Quality Services Ltd
ISO/IEC 27001 accreditation date
What the ISO/IEC 27001 doesn’t cover
Our data centre partners have separate ISO27001 certification for the UK data centre. Certificate available on request.
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Other security certifications
Any other security certifications
Cyber Essentials

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
  • ISO/IEC 27001
  • Other
Other security governance standards
Cyber Essentials
Information security policies and processes
Information Security Management System policies and processes, certificated and audited bi-annually by ISO Quality Services Ltd. Audit reports available on request. The Information Security Manager is a board level Director.
Our Cyber Security and Information Security policies are communicated to, and signed by, all Think Learning employees. Staff training around GDPR is a key element of our onboarding process. We have regular audits of the controls listed above in terms of ensuring that all devices used by staff are fully compliant. All staff are updated at internal company meetings about ongoing cyber and information security requirements of personal devices and internal systems. As consultants, they can also advise on the Infosec capabilities of Totara Learn.
Think Learning also has an ICO registered Data Protection Officer (DPO).

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
Code is managed by the Technical Services team utilising GitLab. System configuration and change management is managed initially by the Implementation Services team and then the Client Services team once live. System configuration and change management is documented in SharePoint using a versioned functional and non-functional requirements spreadsheet. All changes and upgrades are tested within a client specific development environment to ensure functionality and security before moving to the live environment.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
Vulnerability management is a control within our Information Security Management System (12.6.1). Where vulnerabilities are identified, system asset lists are examined to assess the impact of the vulnerabilities on the security of the system. Where a software update is deemed necessary, then the change control process is initiated.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
Totara is monitored 24/7 at the application layer via health checks and performance monitoring. In the event of a compromise the technical team are alerted by text to resolve the issue within the stated SLA.
Incident management type
Supplier-defined controls
Incident management approach
Users report incidents via the Think Learning Helpdesk, which triggers the internal incident management process: - Classification and initial support; - Investigation and analysis; - Resolution recording, closure and reporting via the Helpdesk.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks


£11670 to £50980 per instance per year
Discount for educational organisations
Free trial available
Description of free trial
The free trial site enables you to explore Totara functionality and try out features such as performance appraisals and course assessments. User roles allow you to decide what level of access a user will have in the system. Site configuration and data is refreshed periodically.

Service documents

Return to top ↑