Curatr Learning Experience Platform (LXP)
Curatr LXP is an award-winning learning platform that allows you to provide content recommendations, activity recommendations and courses to your employees that are intelligently recommended, gamified and social. Make use of your existing content, curate content from around the web or use the thousands of curated items included for free.
- Easy Curation: Use our free content, existing content or curate.
- Social Learning: Learners contribute to discussions about learning resources.
- User Contributions: Learners can upload files and embed external resources.
- Smart recommendations: AI-driven, personal recommendations for learners.
- Easy for you: Easy administration and clear reporting.
- Customisation: Scope for personalised branding, images and terminology.
- Unlimited access to our Support Team and Help Centre.
- For Pro customers: Social Intelligence Dashboard (Machine Learning analysis)
- For Pro customers: Customised recommendation system.
- For Pro customers: SSO, Custom Homepage, Learning Locker included.
- Save time and money with easy curation
- Improve results: engaged users are twice as likely to recall training
- Improve Engagement with discussions, contributions and knowledge sharing
- Power your existing or free content with our recommendation engine
- Deliver scalable learning easily and intuitively
- Reduce administration with smart, automatic recommendation
- Turn your existing content into a modern, user-friendly, intelligent experience
£5.25 to £60.00 per user per year
- Education pricing available
|Software add-on or extension||No|
|Cloud deployment model||Public cloud|
|Email or online ticketing support||Email or online ticketing|
|Support response times||
HT2’s SLA is based upon working hours of 9.00am - 5.00pm (BST), Monday to Friday in the UK, excluding public holidays.
The Customer may log new support queries using HT2’s automated email helpdesk system at: firstname.lastname@example.org.
We respond within 4 hours, or within 1 hour for Priority 1 issues.
(Priority 1 = An incident that impairs the Customer’s ability to maintain Service operation causing a severe loss of Service. There is no acceptable workaround for the Customer).
|User can manage status and priority of support tickets||No|
|Phone support availability||9 to 5 (UK time), Monday to Friday|
|Web chat support||No|
|Onsite support||Onsite support|
Support and hosting are included in the licence fees.
The Customer may log new support queries using HT2’s automated email Helpdesk system at: email@example.com.
Alternatively, the Customer may contact the HT2 Account Manager.
We also have a dedicated Customer Success Manager to help companies get started, and as needed throughout the contract. Where technical integration is required, an Implementation Manager will also be assigned to the client.
|Support available to third parties||Yes|
Onboarding and offboarding
Customers are generally able to start using Curatr LXP without any help, but we make a Customer Success Manager available to any organisation starting with us to provide training, support and best practice guidance as required.
Larger organisations/projects will also be assigned an Implementation Manager to take care of any technical work (for example, integrations).
We are able to provide onsite or remote training, and there is extensive user documentation, a user community, and user support available at: https://ht2ltd.zendesk.com/
|Other documentation formats||Online Help Centre (Publicly Accessible)|
|End-of-contract data extraction||Clients are able to extract their data via CSV; end users are able to use the Open Badge functionality to export progress data in a standardised format.|
Organisations are able to extract their data via CSV if they choose to. All data is then deleted.
If an organisation requested something different, this could be costed and charged.
Using the service
|Web browser interface||Yes|
|Application to install||No|
|Designed for use on mobile devices||Yes|
|Differences between the mobile and desktop service||Users access the same system via their mobile browser. All functionality is available and the display is optimised for smaller device screen size.|
|What users can and can't do using the API||An API is available for users to access some of our features. We have clients doing this, but the majority of our users access our platform.|
|API documentation formats||HTML|
|API sandbox or test environment||No|
|Description of customisation||
Organisations customise their Curatr LXP instance during set up. Branding, images, colours, settings, reporting etc. can all be customised by the organisation.
Organisations use the software to create their own courses - this is done by the organisation's administrators, with support from our Customer Success Manager as required.
Further customisations are available to 'Pro' customers, including a custom homepage, SSO, their own analytics tool and a bespoke recommendation engine.
|Independence of resources||All systems are monitored and have the ability to autoscale services based on demand.|
|Service usage metrics||Yes|
|Metrics types||Total user numbers (based on a limit per organisation)|
|Supplier type||Not a reseller|
|Staff security clearance||Other security clearance|
|Government security clearance||Up to Security Clearance (SC)|
|Knowledge of data storage and processing locations||Yes|
|Data storage and processing locations||
|User control over data storage and processing locations||Yes|
|Datacentre security standards||Managed by a third party|
|Penetration testing frequency||At least once a year|
|Penetration testing approach||‘IT Health Check’ performed by a CHECK service provider|
|Protecting data at rest||Physical access control, complying with SSAE-16 / ISAE 3402|
|Data sanitisation process||Yes|
|Data sanitisation type||
|Equipment disposal approach||A third-party destruction service|
Data importing and exporting
|Data export approach||Organisations are able to export their data via CSV; individual users can use the Open Badge functionality to export their progress via an open standard format.|
|Data export formats||CSV|
|Data import formats||CSV|
|Data protection between buyer and supplier networks||TLS (version 1.2 or above)|
|Data protection within supplier network||TLS (version 1.2 or above)|
Availability and resilience
|Guaranteed availability||HT2 guarantees that the Service will be available to the Partner for not less than 99.5% of each calendar month (where a calendar month is considered to be 730 hours), excluding known maintenance windows and scheduled downtime. Where the service must be taken offline for maintenance, HT2 will endeavour to give the Partner at least five working days' notice. In certain circumstances, such as in the event of a security concern, it may be necessary to take the service offline at less notice. Where possible, maintenance will be performed outside of core business hours, either at evenings or weekends. Service downtime during these windows will always be kept to an absolute minimum; typical maintenance windows last around 15 minutes. HT2 will notify the Partner's named representative of all maintenance windows and schedules.|
|Approach to resilience||At every stage all services are built with redundancy in mind, whether through load-balanced application servers or replica/slave database setups. Where we have multiple instances of hardware for failover, we also ensure that they exist across different physical zones.|
|Outage reporting||We contact clients via email, to either the business lead client side, or a listed contact for emergency outage.|
Identity and authentication
|User authentication needed||Yes|
|User authentication||Username or password|
|Access restrictions in management interfaces and support channels||Our stance is one of ‘least privilege’, with personnel being granted only the minimum data access required to perform their role on a given task. This principle governs our operating processes, from the physical security of the buildings in which we work, to the security practices we follow in writing and deploying applications.|
|Access restriction testing frequency||At least once a year|
|Management access authentication||
Audit information for users
|Access to user activity audit information||Users contact the support team to get audit information|
|How long user audit data is stored for||User-defined|
|Access to supplier activity audit information||Users contact the support team to get audit information|
|How long supplier audit data is stored for||User-defined|
|How long system logs are stored for||User-defined|
Standards and certifications
|ISO/IEC 27001 certification||Yes|
|Who accredited the ISO/IEC 27001||British Assessment Bureau|
|ISO/IEC 27001 accreditation date||02/09/2013 (first), 08/04/2019 (latest re-issue)|
|What the ISO/IEC 27001 doesn’t cover||
s9.4.4 Use of privileged utility programs
We do not use privileged utility programs that might be capable of overriding system and application controls; as such, there is no process in place to restrict or control such programs.
s10.1.1 and s10.1.1 We apply encryption externally according to the needs of our customers. However, it is felt inappropriate to do the same internally, as the ability to use data is central to many of the tasks we undertake internally.
s11.1 Data is stored on our third-party cloud providers with extensive security provisions in place. As a result of this, and of a policy of not storing special personally identifiable information locally on clients, our offices do not have a physical security perimeter other than a lockable, controlled entrance.
s14.2.7 Supervision of outsourced system development - this is not considered required since we do not outsource such development.
s14.3.1 - Test data selection. Our clients select test data to test system integration and setup. As a result we do not have a policy around test data selection.
|ISO 28000:2007 certification||No|
|CSA STAR certification||No|
|Other security certifications||Yes|
|Any other security certifications||Privacy Shield|
|Named board-level person responsible for service security||Yes|
|Security governance certified||Yes|
|Security governance standards||ISO/IEC 27001|
|Information security policies and processes||As part of our ISO27001 we defined our Information Security Management systems policy which is appended to this application. Our Data Security Officer and ISO manager reports directly to the Chairman of the Board of Directors.|
|Configuration and change management standard||Supplier-defined controls|
|Configuration and change management approach||
The Senior Management Team of HT2 controls any potential changes; each change is then delegated to a responsible person acting as “project manager”.
He or she will conduct a “research background” to determine the feasibility of the changes with regard to:
- Any potential consequences
- Integration of the quality management system
- The availability of resources
- The allocation or reallocation of responsibilities and authorities
This then forms part of the Management Review and is included within the internal audit schedule.
All code is published through version control and goes through peer code review and then QA.
|Vulnerability management type||Supplier-defined controls|
|Vulnerability management approach||
We commission annual penetration testing by NCC Group Trust and develop our solution following OWASP guidelines.
Critical security patches are applied as soon as possible as part of managed hosting agreements. Minor patches are applied as part of regular update patterns, which are typically applied once per month.
|Protective monitoring type||Supplier-defined controls|
|Protective monitoring approach||
We manage potential compromises by exception. We get system notifications for unusual traffic etc. from our third party provider. AWS employs an IDS at the perimeter of its network with 24/7 active monitoring. In addition we deploy New Relic monitoring tools at our application layer. This is monitored by HT2 staff.
We monitor both the servers and the endpoints of all applications. When a failure is found a case is automatically generated and the appropriate team members are alerted. Depending on the severity of the situation this is escalated and work would begin to rectify the problem.
|Incident management type||Supplier-defined controls|
|Incident management approach||Incidents are defined as part of our Business Continuity and Disaster Recovery Plan, which is tested at least once a year. We also have a data loss prevention strategy that outlines our approach to data incidents. Our Data Security Officer will notify customers of a (potential) data loss. The reports are given in writing via email.|
|Approach to secure software development best practice||Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)|
Public sector networks
|Connection to public sector networks||No|
|Price||£5.25 to £60.00 per user per year|
|Discount for educational organisations||Yes|
|Free trial available||No|