Think Learning

Totara Performance (Talent Management Platform)

Totara Performance is a functionally rich, responsive talent and performance platform. Combines appraisal, 9-box grids, e-Forms, 360 feedback, talent pipelines, pay progression, revalidation and CPD; Seamless upgrade options to Totara Learn, and Totara’s TXP Enterprise extensions (Totara Learn TXP, Totara Perform, and Totara Engage). Healthcare, NHS, Government specialist experience.


  • Complete talent, appraisal and learning management system
  • Personal development plans and targeted training
  • Competency and goal management
  • Positional and organisational hierarchies
  • Performance compliance tracking and management
  • Custom report builder and business intelligence (BI) dashboards
  • Performance management with appraisals and 360 feedback
  • Automated links to HR/payroll systems, with single sign-on
  • eForms, ePortfolio, CPD recording and revalidation system
  • 9-box talent management grid visualisation, succession planning


  • Personalised performance management with audiences and dashboards
  • Interactive and responsive design for desktop, tablet and smartphone
  • Interoperability and APIs with external systems and single sign-on (SSO)
  • Engage the workforce through flexible, integrated career conversations
  • Provide managers with real time data to manage their teams
  • Reduce cost of delivering development and appraisal
  • Enhance pre-hire access and Induction processes
  • Notification engine, and triggers for intelligent routing
  • Calculated fields, form branching, multi-actor interactions
  • Integrated eForms capability


£9,575 to £79,515 an instance a year

  • Education pricing available
  • Free trial available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Tell them what format you need. It will help if you say what assistive technology you use.


G-Cloud 12

Service ID

2 7 1 0 4 7 3 3 6 5 3 0 8 7 3


Think Learning Shaun Wilde
Telephone: 01273 025078

Service scope

Software add-on or extension
Yes, but can also be used as a standalone service
What software services is the service an extension to
Totara Learn LMS (Learning Management System), Totara Engage LXP (Learning Experience Platform)
Cloud deployment model
  • Public cloud
  • Private cloud
Service constraints
Planned downtime for scheduled updates/upgrades, pre-agreed with clients for maximum convenience/efficiency, and minimum disruption to end-users.
System requirements
  • PC or Mac: Windows 7+, Mac OS X 10.5+
  • Client-side Java Script required for administration pages
  • Tablet or Smartphone: Android, iOS, Windows

User support

Email or online ticketing support
Email or online ticketing
Support response times
Our standard response time within UK business hours: - Critical: 1 hour - High: 4 hours - Medium: 8 hours - Low: 16 hours
User can manage status and priority of support tickets
Online ticketing support accessibility
WCAG 2.1 AA or EN 301 549
Phone support
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Onsite support
Yes, at extra cost
Support levels
Standard online 2nd and 3rd line support (£80-£100/hr) = within the support contract. Following our well-tested process of raising support calls on our online helpdesk portal, Site administrators will be able to track calls and review response times (compliant with our SLA). Support is accessed through an online ticketing system and support services can be online, via email, by telephone and optionally on-site (@ £750/day). Optional online 1st line support (£60/hr).
Support available to third parties

Onboarding and offboarding

Getting started
Prior to go live, system administrators are trained onsite and/or offsite via webinars. After go live, system administrators have access to online training and certification, and an online user documentation portal. In addition, system administrators have ongoing support via the Think Learning Helpdesk, and via optional onsite support from the Client Services team.
Service documentation
Documentation formats
End-of-contract data extraction
If you move from a Totara service with us, to a service with another Totara partner, we will provide you with a copy of all user data so that your new partner can migrate your data to your new service. We will not provide copies of bespoke Totara code developments because each Totara partner is responsible for their own Totara code, and code created by our clients is for use by our client community only. We can provide additional help in migration, either using remaining support budget or for an additional support fee. We purge all client data from servers and all historic backups.
End-of-contract process
The off-boarding process is included in the price of the contract (provide client/new supplier with all data, purge client data at agreed timescale), any additional actions would be at additional cost.

Using the service

Web browser interface
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install
Designed for use on mobile devices
Differences between the mobile and desktop service
Totara is written in-line with industry web standards including XHTML, HTML5, and ECMAScript 5.1 (commonly referred to as JavaScript). Totara Learn displays in the latest browsers that support these standards. We aim to ensure that the product is equally usable both on desktop and mobile devices. Areas such as navigation, expandable/collapsible sections, and actions should all work with both desktop and mobile controls. There are also responsive themes provided with Totara that will re-flow for smaller resolutions to give the best possible user experience.
Service interface
What users can and can't do using the API
AMF, REST, SOAP and XML-RPC can be utilised within Totara and implemented on request by the technical team to integrate external systems such as payroll and HR systems. Where LMS features are included, SCORM, AICC and xAPI can be utilised for elearning and set by the user within external authoring technologies.
API documentation
API documentation formats
API sandbox or test environment
Customisation available
Description of customisation
Totara has high configurability built into the system administration menu and this includes the user interface colours, language, navigation and layout. Totara is a permissions-based system so anyone with the appropriate level of permission can make the customisations. Customisation is at the site level, and at the workflow level when designing performance processes such as appraisal reviews. There is a report builder where the appropriate users can customise reports and dashboards.


Independence of resources
Totara is hosted on scalable cloud servers that are monitored 24/7 using performance monitoring software


Service usage metrics
Metrics types
The report source for service metrics is called 'Site Logs' for site-wide user activity logging. This system logging gives administrators the ability to see which pages a learner has accessed, time/date they accessed, the IP address, and site actions (view, add, update, delete). These logs can be displayed on a page or downloaded in text, ODS, Excel. We also provide free site activity tracking reports (from a web analytics application) to provide rich data around in-page time spent, bounces, geographical access and device/browser intelligence.
Reporting types
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least every 6 months
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
Physical access control, complying with SSAE-16 / ISAE 3402
Data sanitisation process
Data sanitisation type
Deleted data can’t be directly accessed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
Totara Performance is GDPR compliant and has the ability for an individual user to export all data linked to them. The format of each item of exported data is equivalent to its storage method in the application's database (e.g. appraisal names/completion dates, or numerical values that represent status). Totara Perform also provides capabilities for export in the application (e.g. Report Builder). This approach can be useful for an individual wanting, for example, to take their completion data (reviews, competencies) with them to a new employer.
Data export formats
  • CSV
  • ODF
  • Other
Other data export formats
Data import formats
  • CSV
  • Other
Other data import formats
External database

Data-in-transit protection

Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • Legacy SSL and TLS (under version 1.2)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability
We work to make your System available for use over the internet 24 hours per day, 7 days per week. We commit to no more than 0.1% of the year of unscheduled downtime (total inaccessibility to your Totara site), with service credits if we don’t meet this commitment (based on additional free weeks of hosting/maintenance service). Planned maintenance is excluded from the calculation. At least 5 working days of notice will be provided for any maintenance taking place between 5pm and 8am. At least 10 working days of notice will be provided, for any maintenance taking place between 8am and 5pm (or as agreed with clients). Your Totara site will be monitored via health checks at the server and application layers.
Approach to resilience
We provide clients with access to high performance, secure, entirely UK-based platform services (with ISO27001, ISO9001, ISO27017 certification). Global Switch 2, a tier 3 data centre in London, and 100% network uptime guarantees. Includes a hot spare blade, so that in the event of a blade failure, a fresh blade is provided and restored. Daily backups are provided and stored on a separate SAN located on a separate physical location. NSX Firewalls are provisioned in a High Availability (HA) pair and are fully managed. The DDoS defence system is based on detection/diversion/verification/forwarding, and inspections are performed in real time, including the provision of IDS server monitoring for any malicious activity.
Outage reporting
We report outages through Think Learning Helpdesk notifications, email alerts, and by phone, as relevant.

Identity and authentication

User authentication needed
User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
Access restrictions in management interfaces and support channels
Totara utilises role-based access control for named system administrators and managers. The individuals, Totara system administration and management roles, and specific configuration access are specified and agreed as part of the implementation. The named system administrators also have access to technical support via the Think Learning Helpdesk. This is routinely audited, as part of ISO27001 accreditation.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Username or password

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
Between 6 months and 12 months
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
Between 6 months and 12 months
How long system logs are stored for
Between 1 month and 6 months

Standards and certifications

ISO/IEC 27001 certification
Who accredited the ISO/IEC 27001
ISO Quality Services Ltd.
ISO/IEC 27001 accreditation date
What the ISO/IEC 27001 doesn’t cover
Our data centre partners have separate ISO27001 certification for the UK data centre. Certificate available on request.
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Other security certifications
Any other security certifications
Cyber Essentials

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
  • ISO/IEC 27001
  • Other
Other security governance standards
Cyber Essentials
Information security policies and processes
Information Security Management System policies and processes, certificated and audited bi-annually by ISO Quality Services Ltd. Audit reports available on request. The Information Security Manager is a board level Director. Our Cyber Security and Information Security policies are communicated to, and signed by, all Think Learning employees. Staff training around GDPR is a key element of our onboarding process. We have regular audits of the controls listed above in terms of ensuring that all devices used by staff are fully compliant. All staff are updated at internal company meetings about ongoing cyber and information security requirements of personal devices and internal systems. As consultants, they can also advise on the Infosec capabilities of Totara. Think Learning also has an ICO registered Data Protection Officer (DPO).

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
Code is managed by the Technical Services team utilising GitHub. System configuration and change management is managed initially by the System Implementation) team and then the Client Services team once live. System configuration and change management is documented in SharePoint using a versioned functional and non-functional requirements spreadsheet.

All changes and upgrades are tested within a client specific development environment to ensure functionality and security before moving to the live environment.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
Vulnerability management is a control within our Information Security Management System (12.6.1). Where vulnerabilities are identified, system asset lists are examined to assess the impact of the vulnerabilities on the security of the system. Where a software update is deemed necessary, then the change control process is initiated.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
Totara is monitored 24/7 at the application layer via health checks and performance monitoring. In the event of a compromise the technical team are alerted by text to resolve the issue within the stated SLA.
Incident management type
Supplier-defined controls
Incident management approach
Users report incidents via the Think Learning Helpdesk, which triggers the internal incident management process, involving Classification and initial support; Investigation and analysis; Resolution recording, closure and reporting via the Helpdesk.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks


£9,575 to £79,515 an instance a year
Discount for educational organisations
Free trial available
Description of free trial
The free trial site enables you to explore Totara functionality and try out features such as appraisals, and compliance reports. Contact for access. Site configuration and data is refreshed periodically.

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Tell them what format you need. It will help if you say what assistive technology you use.