Convivio

Convivio Document Store

Convivio Document Store provides a private and secure web service for an organisation to store, manage, browse, search, share and retrieve significant documents such as reports. It provides fine-grained permissions control, and a high level of intelligence in augmenting metadata to enable find-ability.

Features

  • Cloud-hosted as standard, with option for on-premise
  • Designed with government, for government
  • Highly user friendly design and workflow
  • Artificial Intelligence reviews documents to augment metadata
  • Powerful search helps locate documents
  • Option to share catalogue listings with other UK gov depts
  • Secure environment (SaaS version suitable for OFFICIAL)
  • Hands-on helpful support, with extensive launch support & training
  • Built on open source tools, works with open standards
  • Your data stays in your own instance of the system

Benefits

  • Save money by reusing work rather than recommissioning
  • Save time by reducing manual work in storing documents
  • Flexible options for collaboration put you in control
  • Well-defined workflows reduce the chances of mistakes
  • Save manual work adding metadata with natural language processing
  • Optionally share document catalogues to/from other depts

Pricing

£50000 to £450000 per instance per year

Service documents

G-Cloud 11

274155190520980

Convivio

Steve Parks

020 3875 3438

hello@weareconvivio.com

Service scope

Service scope
Software add-on or extension No
Cloud deployment model Public cloud
Service constraints The system is designed for storing, managing and retrieving completed significant documents such as research reports etc, and not for the earlier process of writing or editing documents. The system is designed to operate as a secure web-based service, not as a shared drive.
System requirements Linux, PHP, Apache/Nginx, MySQL/MariaDB stack

User support

User support
Email or online ticketing support Email or online ticketing
Support response times Within 4 hours, during office hours.
User can manage status and priority of support tickets No
Phone support No
Web chat support Web chat
Web chat support availability 9 to 5 (UK time), Monday to Friday
Web chat support accessibility standard WCAG 2.1 AA or EN 301 549
Web chat accessibility testing We use a 3rd party web chat tool selected for its compliance with accessibility standards. We haven't conducted our own separate testing.
Onsite support Yes, at extra cost
Support levels During the launch period we provide extra support at a level agreed with the customer. Our daily rate for onsite support is £900/day.
We provide a technical account manager.
Support available to third parties No

Onboarding and offboarding

Onboarding and offboarding
Getting started We work with clients to develop an inception to launch path that will work for them and their teams. This can include configuration, customisation, design and branding, training, and on site support. We provide documentation, including short video tutorials.
Service documentation Yes
Documentation formats HTML
End-of-contract data extraction We can either provide an arrangement to transfer the entire instance, including the software platform (which is built with open source tools), or data can be exported from the platform either via API or export in a range of formats.
End-of-contract process We provide 3 person/days of hands on support to transition away from our service free-of-charge. If you'd like us to provide more help, including training new providers, assisting with migrations etc, this is available at our normal day rate.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service The service is designed to be highly user friendly on a mobile device in terms of searching for and managing documents. However, due to device restrictions, document upload will not work on some mobile devices.
API Yes
What users can and can't do using the API Initially the secure API can be used for ingesting new documents, obtaining a catalogue listing, searching the catalogue. Further features are planned.
API documentation Yes
API documentation formats Open API (also known as Swagger)
API sandbox or test environment Yes
Customisation available Yes
Description of customisation We work with clients to customise the service in terms of:
- look and feel, to match branding
- configuration, to enable/disable features
- permissions and workflow, to match client needs

We can also be commissioned to develop new functionality for the service for particular clients.

Scaling

Scaling
Independence of resources We provide each client with an independent instance of the service.

Analytics

Analytics
Service usage metrics Yes
Metrics types We provide data on the usage of your instance of the document store - number of users, documents etc. We also provide granular analytics on usage and reuse of documents, citations, and provide authors with data on their overall impact through their documents.
Reporting types Real-time dashboards

Resellers

Resellers
Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Other security clearance
Government security clearance Up to Developed Vetting (DV)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations European Economic Area (EEA)
User control over data storage and processing locations Yes
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least once a year
Penetration testing approach ‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Encryption of all physical media
Data sanitisation process No
Equipment disposal approach A third-party destruction service

Data importing and exporting

Data importing and exporting
Data export approach Either via the API, or by exporting in a range of formats. The documents themselves can be exported in their original format and any formats they have been transcoded to. The metadata can be exported in CSV or JSON formats.
Data export formats
  • CSV
  • ODF
  • Other
Other data export formats JSON
Data import formats
  • CSV
  • ODF
  • Other
Other data import formats
  • PDF
  • MS Word

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Availability and resilience
Guaranteed availability The document store isn't seen as a mission-critical application, and so (unless agreed otherwise with customers) there is an SLA for 99% availability. Upgrades to this are available.
Approach to resilience Our service is deployed on AWS with automated deployment and configuration of services. This allows us to respond rapidly to issues and in many cases mitigates them before they become apparent.
Outage reporting We provide a support dashboard for clients providing details of current status. This is augmented by email alerts.

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Dedicated link (for example VPN)
  • Username or password
Access restrictions in management interfaces and support channels Clients have their own instance of the service so we are able to configure access restrictions to suit each client. Usually the main restriction is that access is locked down to a particular IP range, in addition to having authenticated user accounts with defined permissions.
Access restriction testing frequency At least once a year
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

Audit information for users
Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for User-defined
Access to supplier activity audit information Users have access to real-time audit information
How long supplier audit data is stored for User-defined
How long system logs are stored for User-defined

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification No
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications No

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards ISO/IEC 27001
Information security policies and processes Our security policies and processes are detailed and kept up to date in our 'cookbook' our public intranet: https://cookbook.weareconvivio.com/business-operation-recipe/security-policy

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach Proposed changes are evaluated when they begin to be developed. Automated tests are written (unit and behavioural tests), and with each change that is committed the full suite of tests is automatically run. Each code change is peer reviewed, and then has a final review by the tech lead before it can be pushed to staging for acceptance testing.
Vulnerability management type Supplier-defined controls
Vulnerability management approach Our service is built ontop of open source tools so we start by monitoring declared vulnerabilities in upstream projects. As soon as these are released we evaluate them in order to assess the need to patch the service and determine a priority. We also monitor server and application logs, and system monitoring, to identify potential threats or vulnerabilities to be addressed.
Protective monitoring type Supplier-defined controls
Protective monitoring approach We monitor server and application logs, and system monitoring tools, to identify unusual activity that may indicate a potential compromise. Where necessary this is escalated to the tech lead. Response varies from blocking specific users or IP ranges, to temporarily suspending the service to allow investigation and additional protective measures. During this whole process we alert and involve the client.
Incident management type Supplier-defined controls
Incident management approach As each client receives their own independent instance of the service, we work with them to define incident management processes to fit in with their business needs. These can include blocking specific users or IP ranges or, at the other end of the scale, opening up access to other IP ranges where a client's building has become unavailable due to an incident. Users report incidents through email or an online ticket system. Updates are tracked in the ticket. For P1 incidents a full report is provided in writing within 7 days.

Secure development

Secure development
Approach to secure software development best practice Supplier-defined process

Public sector networks

Public sector networks
Connection to public sector networks No

Pricing

Pricing
Price £50000 to £450000 per instance per year
Discount for educational organisations No
Free trial available No

Service documents

pdf document: Pricing document pdf document: Skills Framework for the Information Age rate card pdf document: Service definition document pdf document: Terms and conditions
Service documents
Return to top ↑