imin platform: search & booking for physical activity
The imin platform aggregates live physical activity information (about what activities are happening in an area, number of spaces, cost etc.), and provides a real-time feed of that data to any resident-facing website, creating powerful, up-to-date activity finder tools for local authorities to make available to residents.
- Real time Search - live availability for physical activity
- Real time Booking - seamless booking/payment for physical activity
- Data Augmentation and quality enhancement
- Advanced Search - results relevancy, type intolerance etc
- Provider Selection - choose which providers you receive data from
- Secure whitelabel checkout - to host on your website, GDPR-compliant
- Whitelabel live activity Timetable - to add to any webpage
- Deliver real time information to residents about physical activity
- Monitor search and booking trends to improve service investment
- Connect residents to both public and private physical activity providers
- Enhance the search-ability of local physical activity
- Tap into a network of public and private booking partners
- Deliver end-to-end, measurable user journey for public health campaigns
£0 per licence per month
- Education pricing available
- Free trial available
|Software add-on or extension||Yes, but can also be used as a standalone service|
|What software services is the service an extension to||
The imin platform integrates with the booking management solutions of physical activity providers - such as those used by many leisure operators, local authorities and smaller clubs.
Local authority websites - we provide live timetable "plug-ins" for sport & leisure pages for residents to see available activities per venue
|Cloud deployment model||Private cloud|
The power of the platform is dependent on the booking system software in use by the local physical activity providers (such as leisure operators). Whilst imin has integrated with numerous systems (especially those part of the Government funded "OpenActive" initiative to open up more physical activity data), the imin service will be less impactful in areas where systems are in use that we have not yet integrated with.
However, we have shown in other areas that, with a local authority sponsor, we can rapidly integrate with new systems to enhance the service offering for any area.
|Email or online ticketing support||Yes, at extra cost|
|Support response times||
Basic tier includes email support:
9am to 6pm (UK time), Monday to Friday.
Best endeavours at the weekend.
Additional support available as part of SLAs at higher tiers.
|User can manage status and priority of support tickets||No|
|Phone support availability||9 to 5 (UK time), Monday to Friday|
|Web chat support||Yes, at an extra cost|
|Web chat support availability||9 to 5 (UK time), Monday to Friday|
|Web chat support accessibility standard||None or don’t know|
|How the web chat support is accessible||We use a product called "Slack" to interface with our consumers. It is an online chat forum for organisations. We invite customers to join Slack, with a dedicated channel for their questions and support. Users can ask questions, query API documentation, send images / screenshots of issues, and have a history of the conversation.|
|Web chat accessibility testing||None to date.|
|Onsite support||Yes, at extra cost|
Our standard SLA is available for customers on the "Standard Tier" of Service, and includes:
- 99.8% uptime.
- For critical issues during standard working hours, a response time of up to 1 hour (generally immediate where possible).
- For all other issues, a response time of 4-8 hours during standard working hours.
- For issues outside of standard working hours, best efforts will be made to respond as soon as possible.
- If there is scheduled system maintenance that might result in a pause in the Service, at least 5 working days' advance notice will be provided.
- (Standard working hours are defined as 9am-6pm Mon-Fri excluding bank holidays)
A custom SLA (based on specific customer requirements) is available on the "Enterprise Tier" of Service.
Both Standard and Enterprise Tiers include access to a Technical Account Manager.
The cost of Standard Tier (where the standard SLA is bundled within) is from £1,250 / month (ex VAT)
The cost of Enterprise Tier (where the custom SLA is bundled within) is dependent on custom requirements and does not have a standard pricing.
|Support available to third parties||Yes|
Onboarding and offboarding
Over the phone / online developer support is offered initially at docs.imin.co. Specific guidance has been created for starting a project using the APIs, as well as use case specific examples and instructions.
Further onboarding documentation provided over email, or in person / phone if using Standard Tier or above.
|End-of-contract data extraction||
For the Search API part of the Service, imin does not hold any User-owned data so there is no extraction requirement on contract termination.
For the Booking part of the Service, imin will be playing a Data Processor role, so at notice of contract termination we will inform the User to ensure they have retained and stored whatever data they require from the Service, and at contract termination date we will destroy any personal data we hold on behalf of the User.
When contract termination is delivered by either party:
(a) the termination date is agreed by both parties (which is when the API key will become invalid)
(b) the User will be prompted to retrieve and separately store any Service data that they own
(c) at termination date, the API key will be invalidated and any and all personal data held by us on behalf of the User will be destroyed across our systems and sub-processor systems.
The above steps are all included in the price of all Service tiers.
If there is to be any handover to replace the imin Service with a like-for-like Service, we will provide technical resource at a pre-agreed day rate to support this process.
Using the service
|Web browser interface||Yes|
|Application to install||No|
|Designed for use on mobile devices||Yes|
|Differences between the mobile and desktop service||
For Search, the Service is delivered through a set of APIs, which provide data to a front-end application - either web or mobile. There is no difference in the Search API output or performance whether on mobile or on desktop.
For Booking, if the whitelabel Checkout is in use (a front-end flow for secure booking and payment of physical activity by a resident), the checkout has been designed to be fully responsive for any size screen device.
The whitelabel Timetable is fully responsive and is optimised for desktop and mobile screen size.
|What users can and can't do using the API||
The core of the Service is itself a Search API:
(1) Users receive API keys to securely access the Search API
(2) Users are helped using online guidance, or through their account manager, to create the right API calls for the end-user journey the user is wishing to create.
(3) Any restrictions within the API (for example, based on Tier of service purchased, or for custom requirements such as only showing data from certain physical activity providers) will be set up by the imin account manager when providing the user specific API key.
Users can then autonomously make specific API calls to the service, within a set of parameters described in the API documentation, in order to best meet their use case.
|API documentation formats||
|API sandbox or test environment||Yes|
|Description of customisation||
- whitelist or blacklist which physical activity providers they would like to access through the Service
- instruct imin to create custom "enhancement rules" based on the user experience being created - e.g. if the resident-facing website is aimed at inactive people, ensuring all images, text etc are suitable for motivating that demographic to engage in physical activity, as well as adding relevant tags such as "suitable for beginners" to enhance searchability by end-users
- whether the secure booking and payment whitelabel checkout is part of the user experience to be delivered
- work with a selection of our partners who have already created whitelabel activity finders integrated with the imin platform (i.e. off-the-shelf brand-able resident facing widgets or whole websites)
Users can choose their customisation during the contracting process - their account manager will present these options to them in order to set up the Service to begin with. Users can liaise with the account manager on-going if requirements change over time and customisations need updating.
The authorised main point of contact between imin and the User will be instructing the account manager about any customisations required.
|Independence of resources||The cloud infrastructure on which our services are built allows for simple and automatic horizontal and vertical scalability, which responds to varying load. We also regularly monitor our service response time, which allows us to proactively identify and respond to infrastructure bottlenecks. See https://imin.statuspage.io/|
|Service usage metrics||Yes|
Search trends - number of searches, when, where.
Booking trend - number of searches, when, where, and for what.
|Supplier type||Not a reseller|
|Staff security clearance||Staff screening not performed|
|Government security clearance||None|
|Knowledge of data storage and processing locations||Yes|
|Data storage and processing locations||European Economic Area (EEA)|
|User control over data storage and processing locations||No|
|Datacentre security standards||Managed by a third party|
|Penetration testing frequency||Never|
|Protecting data at rest||
|Other data at rest protection approach||IASME includes provision for Physical and Environmental Protection|
|Data sanitisation process||No|
|Equipment disposal approach||Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001|
Data importing and exporting
|Data export approach||The relevant data for export is any booking history related data, which can be accessed via the Service dashboard delivered to the User. They can view booking history data, and can choose to export it via CSV.|
|Data export formats||CSV|
|Data import formats||CSV|
|Data protection between buyer and supplier networks||TLS (version 1.2 or above)|
|Data protection within supplier network||TLS (version 1.2 or above)|
Availability and resilience
The SLA provided with the Standard Tier commits to 99.8% uptime.
There are no contractual refund obligations at present, but if uptime performance is significantly impaired in a given month then we will provide 1 month additional free usage.
|Approach to resilience||We have appropriate SLAs in place with each cloud infrastructure supplier in use. More detailed information is available on request.|
We have a public dashboard at https://imin.statuspage.io/
We will also notify users via email if there is a serious outage that has the scope to affect the delivery of their own service to end-users.
We will also notify users ahead of time if there are any expected service outages due to planned maintenance work. The Standard SLA specifies that notice of maintenance will be sent at least 5 days before any downtime is expected.
Identity and authentication
|User authentication needed||Yes|
|Other user authentication||Users must supply correct API key credentials when making API calls to the Service.|
|Access restrictions in management interfaces and support channels||Management interfaces / Support Channels are either restricted to email, or for monitoring dashboards a username and password is required.|
|Access restriction testing frequency||At least every 6 months|
|Management access authentication||
|Description of management access authentication||
For internal staff, we have a centrally administered 2 factor authentication process - profiles can be denied access remotely.
Clients cannot directly access administrative areas of the platform - this is done by communication with their account manager, who will set up API options on their behalf accordingly.
Audit information for users
|Access to user activity audit information||Users have access to real-time audit information|
|How long user audit data is stored for||At least 12 months|
|Access to supplier activity audit information||No audit information available|
|How long system logs are stored for||At least 12 months|
Standards and certifications
|ISO/IEC 27001 certification||No|
|ISO 28000:2007 certification||No|
|CSA STAR certification||No|
|Other security certifications||Yes|
|Any other security certifications||
|Named board-level person responsible for service security||Yes|
|Security governance certified||Yes|
|Security governance standards||Other|
|Other security governance standards||IMIN LTD complies with the requirements of the Cyber Essentials Scheme and achieved a Gold Award certificate of assurance for the IASME Governance Standard in 2018, with an independent on-site audit (offers a similar level of assurance to the internationally recognised ISO 27001 standard). We are currently undergoing recertification.|
|Information security policies and processes||
Acceptable Use of Corporate Property (AUCP) Policy
Administrator Access Tracker
Asset Register - Information
Asset Register - Physical
Breaches of Personal Data Protocol
Bring Your Own Device (BYOD) Policy - Laptops
Bring Your Own Device (BYOD) Policy - Mobile Devices
Business Continuity Plan & Disaster Recovery Plan
Computers & Networks Management Information
Data Classification Policy
Data Privacy Approach for B2B Contacts
Data Protection Policy
Information Security Policy (including Incident Reporting Procedure)
Privacy Impact Assessment
Record of Processing Activities (Article 30 GDPR) - imin as a Data Controller
Record of Processing Activities (Article 30 GDPR) - imin as a Data Processor
Subject Access, Data Portability, or Right to Erasure Requests: Process for Response
|Configuration and change management standard||Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402|
|Configuration and change management approach||
1. A System Change Request Form is filed.
2. The proposed change is described with reason for change given.
3. The impact of the change is evaluated (including priority, environment impact, resource requirement, test plan description and rollback description).
4. The change is approved or denied.
5. The change is implemented and tested.
6. The completed change is communicated.
|Vulnerability management type||Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402|
|Vulnerability management approach||
1. imin uses Nessus Agent to perform vulnerability scans of BYOD and corporate devices, including reporting unsupported applications, and takes immediate action to resolve any vulnerabilities detected.
2. The Company uses a combination of Detectify (penetration testing) and Snyk (components with known vulnerabilities - A9 of OWASP Top 10) to detect software vulnerabilities.
3. The results of the scans and any changes made shall be reflected in the Company’s risk assessment and security policy as appropriate.
|Protective monitoring type||Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402|
|Protective monitoring approach||
1. Where possible, we aggregate error and event logs from all applications, in addition to Heroku and AWS Cloudwatch native logs. We deal with each incident generated on a case-by-case basis.
2. The Company also has real-time alerts sent to the team to monitor for unacceptable activity and suspicious user behavior.
3. If volumes are high, the Company will use a cloud-based log analytics service such as AppDynamics.
4. The Company reserves the right to monitor systems or communications activity where it suspects that there has been a breach of policy in accordance with the Regulation of Investigatory Powers Act (2000).
|Incident management type||Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402|
|Incident management approach||
1. All breaches of policy and all other information security incidents are reported to the Security Officer.
2. If required as a result of an incident, data will be isolated to facilitate forensic examination.
3. Information security incidents are recorded in the Security Incident Tracker and investigated by the Security Officer to establish their cause and impact with a view to avoiding similar events. The risk assessment and relevant policies are updated, if required, to reduce the risk of a similar incident re-occurring.
4. A record is kept of all security incident investigations.
|Approach to secure software development best practice||Supplier-defined process|
Public sector networks
|Connection to public sector networks||No|
|Price||£0 per licence per month|
|Discount for educational organisations||Yes|
|Free trial available||Yes|
|Description of free trial||
Everything at the Standard Tier is included - and the trial lasts for 30 days. Typically, organisations use this tier to test out the API, building an application or adding a Timetable to their webpage, in order to try out the service before committing to a licence.