HT2 Limited

Curatr Learning Experience Platform (LXP)

Curatr LXP is an award-winning learning platform that allows you to provide content recommendations, activity recommendations and courses to your employees that are intelligently recommended, gamified and social. Make use of your existing content, curate content from around the web or use the thousands of curated items included for free.


  • Easy Curation: Use our free content, existing content or curate.
  • Social Learning: Learners contribute to discussions about learning resources.
  • User Contributions: Learners can upload files and embed external resources.
  • Smart recommendations: AI-driven, personal recommendations for learners.
  • Easy for you: Easy administration and clear reporting.
  • Customisation: Scope for personalised branding, images and terminology.
  • Unlimited access to our Support Team and Help Centre.
  • For Pro customers: Social Intelligence Dashboard (Machine Learning analysis)
  • For Pro customers: Customised recommendation system.
  • For Pro customers: SSO, Custom Homepage, Learning Locker included.


  • Save time and money with easy curation
  • Improve Results; Engaged users, twice as likely to recall training
  • Improve Engagement with discussions, contributions and knowledge sharing
  • Power your existing or free content with our recommendation engine
  • Deliver scalable learning easily and intuitively
  • Reduce administration with smart, automatic recommendation
  • Turn your existing content into a modern, user-friendly, intelligent experience


£5.25 to £60.00 per user per year

  • Education pricing available

Service documents


G-Cloud 11

Service ID

2 2 4 8 4 5 9 8 2 7 7 9 7 0 0


HT2 Limited

Alan Betts


Service scope

Software add-on or extension
Cloud deployment model
Public cloud
Service constraints
System requirements
  • Curatr LXP will work on all modern browsers and systems
  • A connection speed of 20Mbps is recommended for some content

User support

Email or online ticketing support
Email or online ticketing
Support response times
HT2’s SLA is based upon working hours of 9.00am - 5.00pm (BST), Monday to Friday in the UK, excluding public holidays.

The Customer may log new support queries using HT2’s automated email helpdesk system at:

We respond within 4 hours, within 1 hours for Priority 1 issues.

(Priority 1 = An incident that impairs the Customer’s ability to maintain Service operation causing a severe loss of Service. There is no acceptable workaround for the Customer).
User can manage status and priority of support tickets
Phone support
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Onsite support
Onsite support
Support levels
Support and hosting are included in the licence fees.

The Customer may log new support queries using HT2’s automated email Helpdesk system at:
Alternatively, the Customer may contact the HT2 Account Manager.

We also have a dedicated Customer Success Manager to help companies get started, and as needed throughout the contract. Where technical integration in required, an Implementation Manager will also be assigned to the client.
Support available to third parties

Onboarding and offboarding

Getting started
Customers are generally able to start using Curatr LXP without any help, but we make Customer Success Manager available to any organisation starting with us to provide training, support and best practice guidance as required.

Larger organisation/projects will also be assigned an Implementation Manager to take care of any technical work (for example, integrations).

We are able to provide onsite or remote training, and there is extensive user documentation, a user community, and user support available at:
Service documentation
Documentation formats
Other documentation formats
Online Help Centre (Publicly Accessible)
End-of-contract data extraction
Clients are able to extract their data via CSV, end users are able to use the Open Badge functionality to export progress data in a standardised format,
End-of-contract process
Organisations are able to extract their data via CSV if they choose to. All data is then deleted.

If an organisation requested something different, this could be costed and charged.

Using the service

Web browser interface
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install
Designed for use on mobile devices
Differences between the mobile and desktop service
Users access the same system via their mobile browser. All functionality is available and the display is optimised for smaller device screen size.
Service interface
What users can and can't do using the API
An API is available for users to access some of our features. We have clients doing this, but the majority of our users access our platform.
API documentation
API documentation formats
API sandbox or test environment
Customisation available
Description of customisation
Organisations customise their Curatr LXP instance during set up. Branding, images, colours, settings, reporting etc. can all be customised by the organisation.

Organisations use the software to create their own courses - this is done by the organisation's administrators, with support from our Customer Success Manager as required.

Further customisations are available to 'Pro' customers, including custom homepage, SSO, their own analytics tool, a bespoke recommendation engine.


Independence of resources
All systems are monitored and have the ability to autoscale services based on demand.


Service usage metrics
Metrics types
Total users numbers (based on a limit per organisation)
Reporting types
  • API access
  • Real-time dashboards


Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
  • EU-US Privacy Shield agreement locations
User control over data storage and processing locations
Datacentre security standards
Managed by a third party
Penetration testing frequency
At least once a year
Penetration testing approach
‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest
Physical access control, complying with SSAE-16 / ISAE 3402
Data sanitisation process
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach
A third-party destruction service

Data importing and exporting

Data export approach
Organisations are able to export their data via CSV, individual users can use the Open Badge functionality to export their progress via an open standard format.
Data export formats
Data import formats

Data-in-transit protection

Data protection between buyer and supplier networks
TLS (version 1.2 or above)
Data protection within supplier network
TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability
HT2 guarantees that the Service will be available to the Partner for not less than 99.5% of each calendar month (where a calendar month is considered to be 730 hours), excluding known maintenance windows and scheduled downtime. Where the service must be taken offline for maintenance, HT2 will endeavour to give the Partner at least five working days notice. In certain circumstances, such as in the event of a security concern, it may be necessary to take the service offline at less notice. Where possible, maintenance will be performed outside of core business hours, either at evenings or weekends. Service downtime during these windows will always be kept to an absolute minimum; typical maintenance windows last around 15 minutes. HT2 will notify the Partners named representative of all maintenance windows and schedules.
Approach to resilience
At every stage all services are built with redundancy in mind. Whether it be load balancing application servers, or replica/slave database setups. We also ensure that where we have multiple instances of hardware for failover that they exist across different physical zones.
Outage reporting
We contact clients via email, to either the business lead client side, or a listed contact for emergency outage.

Identity and authentication

User authentication needed
User authentication
Username or password
Access restrictions in management interfaces and support channels
Our stance is one of ‘least privileges’ with personnel being granted only the minimum data access required to perform their role on a given task. These processes govern our operating processes, from the physical security of the buildings in which we work, to the security practices we follow in writing and deploying applications.
Access restriction testing frequency
At least once a year
Management access authentication
  • 2-factor authentication
  • Username or password

Audit information for users

Access to user activity audit information
Users contact the support team to get audit information
How long user audit data is stored for
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
How long system logs are stored for

Standards and certifications

ISO/IEC 27001 certification
Who accredited the ISO/IEC 27001
British Assessment Bureau
ISO/IEC 27001 accreditation date
02/09/2013 (first), 08/04/2019 (latest re-issue)
What the ISO/IEC 27001 doesn’t cover
S9.4.4 Use of Privileged utility programs
We do not use Privileged utility programs that might be capable of overriding system and application controls as such there is no process in place to restrict or control such system.

s10.1.1 and s10.1.1 We apply encryption externally according to the needs of our customers. However it is felt inappropriate to do the same internally as the ability to use data is central to many of the tasks we undertake internally.

s11.1 Data is stored on our third party cloud providers with extensive security provisions in place. As a result of this and a policy of not storing special personally identifiable information locally on clients our offices do not have a physical security perimeter other than lockable, controlled entrance.

s14.2.7 Supervision of outsourced system development - this is not considered required since we do not outsource such development.

s14.3.1 - Test data selection. Our clients select test data to test system integration and setup. As a result we do not have a policy around test data selection.
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Other security certifications
Any other security certifications
Privacy Shield

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
ISO/IEC 27001
Information security policies and processes
As part of our ISO27001 we defined our Information Security Management systems policy which is appended to this application. Our Data Security Officer and ISO manager reports directly to the Chairman of the Board of Directors.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
The Senior Management Team of HT2 control any potential changes, this is then delegated to a responsible person as a “project manager”.

He or she will conduct a “research background” to determine the feasibility of the changes with regards to:-

Any potential consequences
Integration of the quality management system
The availability of resources
The allocation or reallocation of responsibilities and authorities
Technical Skills

This then forms part of the Management Review together with including within the internal audit schedule.

All code is published through version control and goes through both peer code reviews and then QA
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
We commission annual penetration testing by NCC Group Trust and develop our solution following OWASP guidelines.
Critical security patches applied as soon as possible as part of managed hosting agreements. Minor patches are applied as part of regular update patterns, which are typically applied once per month.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
We manage potential compromises by exception. We get system notifications for unusual traffic etc. from our third party provider. AWS employs an IDS at the perimeter of its network with 24/7 active monitoring. In addition we deploy New Relic monitoring tools at our application layer. This is monitored by HT2 staff.

We monitor both the servers and the endpoints of all applications. When a failure is found a case is automatically generated and the appropriate team members are alerted. Depending on the severity of the situation this is escalated and work would begin to rectify the problem.
Incident management type
Supplier-defined controls
Incident management approach
Incidents are defined as part of our Business Continuity and Disaster Recovery Plan that is being tested at least once a year. We further have a Data loss prevention strategy that outlines our approach to a Data incidents. Our Data Security Officer will contact customers of a (potential) data loss. The reports are given in writing via email.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks


£5.25 to £60.00 per user per year
Discount for educational organisations
Free trial available

Service documents

Return to top ↑